
Re: [Full-disclosure] svchost.exe try to send http outside



On Wed, 17 Aug 2005 howard.lee@xxxxxxxxx wrote:

Dear all,

I discovered that an "svchost.exe" starts when the server starts.
This svchost.exe tries to SYN_SENT to random http hosts when I view from
netstat, active ports, and pviewer.

However, does anyone know which worms/trojan/normal process causes the
svchost to do such a job?

Hi Howard,

This sounds like Hotword.b.trojan. The Hotword.b trojan is known to use the following files in the System32 directory: "_svchost.exe", "0xFFsvchost.exe" (note the 0xFF is obviously unreadable), "Outlook Express".

FYI this trojan was recently used in a massive corporate spy case in Israel.

For more info See here:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.b.html
http://seclists.org/lists/fulldisclosure/2005/May/0653.html

--
    - Josh

And how to stop this?
Is this a normal process?

My server is a fully patched Windows 2003 Server .net.
The svchost.exe is Microsoft verified and located at c:\windows\system32

Regards,
Howard




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
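A defender-side check for the two questions raised in this thread (which PID owns the SYN_SENT connections Howard sees in netstat, and whether a lookalike of svchost.exe such as the "_svchost.exe" or 0xFF-prefixed variants Josh names is sitting in System32), written as an added Python example that is not part of the original posts. The file names and the netstat output below are constructed sample data; the canonical path and the remote addresses (documentation ranges) are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Expected location of the genuine binary (assumption: default Windows install path).
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"


def normalize_name(name: str) -> str:
    """Lower-case the name and drop every character outside [a-z0-9.], so that
    '_svchost.exe' and '\xffsvchost.exe' both collapse to 'svchost.exe'.
    Homoglyph substitutions (e.g. 'svch0st.exe') are NOT collapsed by this rule."""
    return re.sub(r"[^a-z0-9.]", "", name.lower())


def svchost_lookalikes(names):
    """Return the entries in `names` that collapse to 'svchost.exe' but are not
    exactly that name (case-insensitively). Feed it os.listdir() of System32."""
    return [n for n in names
            if n.lower() != "svchost.exe" and normalize_name(n) == "svchost.exe"]


def is_expected_svchost_path(path: str) -> bool:
    """True only for the canonical System32 path, regardless of case or slash style."""
    return path.lower().replace("/", "\\") == LEGIT_SVCHOST


def syn_sent_by_pid(netstat_text: str):
    """Parse `netstat -ano` style output and group the foreign endpoints of every
    TCP connection in SYN_SENT state by owning PID. A PID that keeps showing up
    with many different remote hosts is the one to resolve with `tasklist /svc`."""
    result = defaultdict(list)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows of netstat -ano carry: Proto, Local, Foreign, State, PID
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "SYN_SENT":
            result[int(fields[4])].append(fields[2])
    return dict(result)


# Constructed sample data (not taken from a real host).
SAMPLE_NAMES = ["svchost.exe", "_svchost.exe", "\xffsvchost.exe",
                "kernel32.dll", "svch0st.exe"]

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1048
  TCP    192.168.1.10:1034      203.0.113.5:80         SYN_SENT        1048
  TCP    192.168.1.10:1035      198.51.100.7:80        SYN_SENT        1048
  TCP    192.168.1.10:1036      192.168.1.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1048
"""

if __name__ == "__main__":
    print("lookalikes:", svchost_lookalikes(SAMPLE_NAMES))
    print("SYN_SENT by PID:", syn_sent_by_pid(SAMPLE_NETSTAT))
```

On a real host, pipe the output of `netstat -ano` into `syn_sent_by_pid`, then map the PID to its service group with `tasklist /svc` and confirm the image path with `is_expected_svchost_path`; a genuine svchost.exe at the canonical path that still fans out to many unrelated web hosts points at the service it hosts rather than at the binary itself.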