RE: Win2K and Lview.exe -- am I infected?

From: Vachon, Scott (Scott.Vachon@Paymentech.com)
Date: 12/11/01


From: "Vachon, Scott" <Scott.Vachon@Paymentech.com>
To: security-basics@securityfocus.com
Date: Tue, 11 Dec 2001 10:47:01 -0600


>I discovered that I can go to Task Manager -- Processes, and kill the
>process " wowexec.exe" (with the leading space) and everything will be
>restored to normal behavior.

>Any idea if I have been infected with something and what I can do about
>it?

I don't think you are infected. The wowexec.exe is used (and my explanation
may be somewhat off) to run legacy (or 16-bit) programs on the newer
Microsoft OSes. As it was explained to me, it is a virtual DOS window to run
the program in. Unfortunately, this doesn't always function well and you get
a lockup or slowdown (I believe it accesses the kernel directly and thus
the effect on the entire system). If you watch the processes tab of the task
manager window when you open the program, you will see the CPU spike to
95-100 percent utilization! You should find a version of the program you
are running that is compatible with the OS and/or 32-bit vs. 16-bit.

Disclaimer: My own two cents, probably a little off but in the ballpark.

~S~
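
Added example, not part of the original message: one way to check whether a given .exe is a 16-bit or 32-bit build is to read its header signatures (MZ, then NE or PE at the offset stored at 0x3C). The function names and the sample byte strings below are constructed for illustration.

```python
import struct
import sys


def exe_kind(data: bytes) -> str:
    """Classify an executable image by its on-disk header signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    # e_lfanew at 0x3C holds the file offset of the newer (NE/PE) header.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Old DOS programs leave this field zero or pointing outside the file.
    if e_lfanew < 0x40 or e_lfanew + 2 > len(data):
        return "16-bit DOS (plain MZ)"
    if data[e_lfanew:e_lfanew + 2] == b"NE":
        return "16-bit Windows (NE)"
    if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        # Optional-header magic follows the 4-byte signature and 20-byte COFF header.
        if e_lfanew + 26 > len(data):
            return "PE (truncated header)"
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
        return {0x10B: "32-bit Windows (PE32)",
                0x20B: "64-bit Windows (PE32+)"}.get(magic, "PE (unknown magic)")
    return "MZ with unrecognised extended header"


def sample(e_lfanew: int, tail: bytes) -> bytes:
    """Build a constructed, minimal header image for demonstration only."""
    mz = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    return mz.ljust(max(e_lfanew, 0x40), b"\0") + tail


# Constructed samples (not real programs).
SAMPLE_DOS = sample(0, b"")
SAMPLE_NE = sample(0x80, b"NE" + bytes(62))
SAMPLE_PE32 = sample(0x80, b"PE\0\0" + bytes(20) + struct.pack("<H", 0x10B))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Classify files named on the command line; only the header is needed.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: {exe_kind(fh.read(4096))}")
    else:
        for name, blob in [("DOS", SAMPLE_DOS), ("NE", SAMPLE_NE), ("PE32", SAMPLE_PE32)]:
            print(f"constructed {name} sample: {exe_kind(blob)}")
```

A result of "16-bit Windows (NE)" means the program is a 16-bit build of the kind the reply above says wowexec.exe is used to run.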