RE: Survey.exe

[David C Niemi <niemi () tux org>]

This calls itself the "Microsoft Survey Wizard".  I took a look at the
file, and it at least superficially looks like just another buggy Windows
program, but it's probably worth checking out with virus scanners and such.

You could perhaps email to mtscf () microsoft com (an address embedded in
Survey.dat) for more info.

DCN

On Tue, 1 Jun 1999, Jean-Hugues Smits wrote:
> Hi All, 
>
> I,ve been reading this list for a while and a must say I learned a lot. This
> is my first time post here, I hope I will help someone by reacting to this
> post.
> I'm running NT 4.0,  SP5 and the same thing happened to me. It indeed
> appears to come from a Microsoft site. The "Survey.exe" itself didn't take
> up the 100% CPU utilization but it took about 64% and the Iexplore process
> took the other 35%. I made a screenskot and killed the process. The
> "Survey.exe" appears to come from
> ftp://msfe.microsoft.com/swcomponents/sw/Survey.exe
> <ftp://msfe.microsoft.com/swcomponents/sw/Survey.exe>  (314KB) and I also
> noticed a "Survey.dat" coming from
> ftp://msfe.microsoft.com/swcomponents/so/Survey.dat
> <ftp://msfe.microsoft.com/swcomponents/so/Survey.dat>  (22,1KB) I also saw
> (in Temp) 2 asp's (runonce.asp + SetCities.ASP?<something>) from another MS
> website but they may have nothing to do with that. Hope this little bit of
> information helps.
> Keep up the good postings!! I'll absorbe the knowledge!
>
> Jean-Hugues Smits
> j.h.smits () pointnet nl <mailto:j.h.smits () pointnet nl>  
> Pointnet Security Systems
>
>               -----Oorspronkelijk bericht-----
>               Van:    Ken Fox [mailto:kenfox () starlinx com]
>               Verzonden:      zondag 30 mei 1999 19:39
>               Aan:    'firewall-wizards () nfr net'
>               Onderwerp:      Survey.exe
>
>
>
>                       Folks --        
>
>                       Anyone running an NT box seen a program called
> Survey.exe in thier task manager window? This puppy was sucking up 100% of
> the CPU ...   I hadn't recalled ruinning anything that would generate such a
> program ; however, I was online at Microsoft's web site at the time (patches
> / downloads / etc) ... when I killed the process (not a terribly smart idea
> in WIndows, I noticed aa red Icon dropped out of the systray, kinda looked
> like a wizard or a mutated AOL icon) Assuming this is a hacker poking around
> , has anyone seen this before. Specifically, I killed him rather than let
> him play -- OTOH I am planning on a dedicated hook-up with a firewall rather
> than Dial up ... (turns out I moved in to an area with 7.1Meg ADSL
> available.... 
>
>                        I hadn''t gotten to installing / downloading BOF
> yet (it is now) -- Specifically though, if anyone has seen this program
> before, what ports & so forth is it using and therefore what would we look
> for in a IDS or block with a firewall?
>
>                       I searched bugtraq for survey.exe under the
> assumption that it was malicious and/or had been seen before.
>
>               Thanks< ken

----   David C Niemi   ----niemi at tux.org----   Reston VA USA   ----
      ... as FUD is our witness, we will never go hungry again.
             Microsoft OEM account manager, 1992.