Re: Trojan svchost.exe in created folder windows/syst32 caught by Norton
From: David (davidwnh@adelphia.net)
Date: 11/28/02
- Next message: David: "Re: How to open port 1080 with zoneAlarm"
- Previous message: David: "Re: How are they broadcasting through my proxy server?"
- In reply to: NeoSadist: "Re: Trojan svchost.exe in created folder windows/syst32 caught by Norton"
- Next in thread: Puzzld: "Re: Trojan svchost.exe in created folder windows/syst32 caught by Norton"
- Reply: Puzzld: "Re: Trojan svchost.exe in created folder windows/syst32 caught by Norton"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David" <davidwnh@adelphia.net> Date: Thu, 28 Nov 2002 16:02:35 GMT
This is a well documented and oft-used means of "hiding" trojans and other
malware on someone's system. Social engineering at its finest! One of the
reasons some personal firewalls use MD5 verification in the first place.
Some trojans try to replace the valid .exe and others simply put another file
with the same name elsewhere, since this is easier to implement and get
installed.
Be sure to clean this trojan as best you can. Search a site like Symantec's
for "svchost.exe" to see what is known to be done. Even if you can't find an
exact match, the information on such a site will at least guide you to where
to look for other files and registry entries that this trojan has
installed/made. If there is an exact match on their website there may be an
automated tool to delete all files and registry entries that the trojan
made. You must find all the files and delete the associated registry entries
or the trojan may try to reinstall. If you know that you stopped the trojan
from connecting to the IRC server from the get-go, then the potential for
damage should be minimal and total OS reinstallation may be unnecessary.
And FYI, if you do an upgrade as opposed to a clean install, someone's
system directory would be windows as opposed to winnt.
> > Has anyone else seen this?
> >
> > Norton firewall caught a trojan trying to send out info over internet.
> > It was called svchost.exe, 18.8 KB (as opposed to 12.5 for the valid
> > WinXP file), resided in a newly created folder called windows/syst32,
> > and had a registry key called "LTM2" to run it at startup. The
> > program itself had a capital letter "A" as its icon.
> >
> > I don't know what it was trying to send, but apparently to the
> > following address: 221.6.2.1,ircu-2(6667). It has been terminated and
> > quarantined on my system.
> >
> > Thanks.
>
>
> Normally, I'd say that it's not a trojan. This is the same name as the
> win2k/xp services host executable. Usually, the normal file (c:\winNT)
> tries to access the internet, and it usually does this when either 1) a
> service that is running needs the internet, or 2) when nothing can reach
> the internet in the normal way.
> However, if you're using Win 2000, you shouldn't have a c:\windows folder,
> it should be c:\winNT. I don't know if WinXP does this.
> But still, the icon isn't what it should be. That's sorta strange. Thanks
> for reporting this.
>
>
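The checks David describes, as an added example that is not part of the thread: does the file live in the real System32 directory or in a look-alike folder, does its MD5 match the known-good binary, is it started from a Run key instead of by the Service Control Manager, and is it talking to an IRC port. Every input is a constructed stand-in: the file bodies are placeholder bytes, the "known-good" MD5 is computed over the constructed legitimate body rather than a real Windows binary, and the suspect record mirrors the original post (windows\syst32, Run key LTM2, 221.6.2.1:6667). Treating winnt\system32 as equally legitimate follows David's remark about upgraded versus clean installs.

```python
"""Triage process/autorun records for svchost.exe look-alikes.

Added example, not code from the original thread. Every input below is a
constructed stand-in; the known-good MD5 is derived from the constructed
legitimate body, not from a real Windows binary.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Legitimate homes for svchost.exe: System32 under either %SystemRoot% spelling
# (winnt on a clean Win2000 install, windows on an XP install or an upgrade).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
# Names that malware commonly borrows to blend into a process list.
PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# The port from the post (6667) plus the usual IRC neighbours.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}


@dataclass
class ProcRecord:
    image_path: str
    file_bytes: bytes                          # constructed stand-in for the file on disk
    autorun_key: Optional[str] = None          # Run-key value that starts it, if any
    remote: Optional[Tuple[str, int]] = None   # (ip, port) of an outbound connection


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss directory names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(name: str, expected: str, max_dist: int = 2) -> bool:
    """True when name is close to, but not equal to, expected (syst32 vs system32)."""
    return name != expected and edit_distance(name, expected) <= max_dist


def triage(rec: ProcRecord, known_good: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    directory, name = ntpath.split(rec.image_path.lower())
    if name in PROTECTED_NAMES:
        if directory not in LEGIT_DIRS:
            findings.append(f"{name} runs from {directory!r}, not a System32 directory")
        leaf = ntpath.basename(directory)
        if looks_like(leaf, "system32"):
            findings.append(f"directory {leaf!r} is a look-alike of 'system32'")
        digest = md5_hex(rec.file_bytes)
        expected = known_good.get(name)
        if expected and digest != expected:
            findings.append(f"MD5 {digest} differs from known-good {expected}")
        if rec.autorun_key:
            # The genuine svchost.exe is launched by the Service Control Manager,
            # so a Run-key entry pointing at one is itself an indicator.
            findings.append(f"started from Run key {rec.autorun_key!r} rather than as a service")
    if rec.remote and rec.remote[1] in IRC_PORTS:
        ip, port = rec.remote
        findings.append(f"outbound connection to {ip}:{port} (IRC port)")
    return findings


# Constructed records mirroring the post; the byte bodies are placeholders.
LEGIT = ProcRecord(r"C:\WINDOWS\system32\svchost.exe", b"legit-svchost-stand-in\n" * 512)
TROJAN = ProcRecord(
    r"C:\WINDOWS\syst32\svchost.exe",
    b"trojan-stand-in\n" * 1200,
    autorun_key=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LTM2",
    remote=("221.6.2.1", 6667),
)
# Known-good table: in practice taken from a trusted copy of the OS files,
# here computed over the constructed legitimate body.
KNOWN_GOOD = {"svchost.exe": md5_hex(LEGIT.file_bytes)}

if __name__ == "__main__":
    for rec in (LEGIT, TROJAN):
        print(rec.image_path)
        for line in triage(rec, KNOWN_GOOD) or ["no findings"]:
            print("  " + line)
```

The hash comparison is the part a firewall's MD5 check automates; the path and Run-key tests are what catches the second trick David mentions, a correctly named file dropped somewhere other than System32, which a hash of the real svchost.exe alone would never see.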