Firewall Wizards mailing list archives

update: Survey.exe


From: Kenneth_W_Fox () sbphrd com
Date: Wed, 2 Jun 1999 10:04:40 -0400


I'm the original poster of the message, coming in from a different mailing
address - please excuse.

1. It turns out that the survey was something that started running when I
tried to download SP5 for NT4 from Microsoft's support site. The program
seems to have had a problem with a dodgy connection which caused it to
crash into a permanent loop. The loop caused it to suck up all available
resources, until I found and killed it.

2. I'm fairly certain of the above because the survey program ran when I
tried the SP5 download on Monday night. Looking through the data files
found nothing malicious.

Thanks for the help & suggestions everyone

dleblanc () mindspring com on 31-May-1999 00:21
Please respond to dleblanc () mindspring com

To:   kenfox, firewall-wizards
cc:    (bcc: Kenneth W Fox/CIS/PHRD/SB_PLC)
Subject:  Re: Survey.exe
At 01:38 PM 5/30/99 -0400, Ken Fox wrote:

   Folks --

   Anyone running an NT box seen a program called Survey.exe in their task
   manager window? This puppy was sucking up 100% of the CPU ... I hadn't
   recalled running anything that would generate such a program;

No - haven't seen that one.  If you have any sort of browser security set
up, it would definitely warn you before starting an app.

Since it was running, it was almost certainly on your HD.  Do a search for
it - dir c:\survey.exe /s /b ought to do nicely.  I bet it is on your HD.
If it was not, the things to have done prior to torching it would have been
to do a net session and a net use from the command line.  Shows you anyone
connected to your machine, and any place you are connected to.  Also,
people have limited means to get things to execute locally - I assume you
have no remote shells installed.  Means that it is either running as a
service (or fired by the schedule service) or _you_ started it somehow.
Since you killed it, it was probably running under your user context - ways
do exist to kill things owned by the system (or other people), but Task
Manager typically complains when you try that.

   Specifically though, if anyone has seen this program before, what ports &
   so forth is it using and therefore what would we look for in an IDS or block
   with a firewall?

Well, first of all, you don't know that it is something bad.  First thing
to do is run a dumpbin (tool from VC++, or the SDK) to see what calls it is
making.  If it doesn't link with winsock, MPR.DLL, or netapi32.dll, then it
probably isn't network enabled.

Figuring out which ports it is using would be accomplished by diffing
netstat -a while running and not.  Russinovich (www.sysinternals.com) has a
nifty tool that shows you the handles a process has open - sockets show up
as Afd\something.  Mapping that to a port isn't convenient - someone I know
was working on a tool to do just that, but I'm not sure what came of it.

   I searched bugtraq for survey.exe under the assumption that it was
malicious and/or had been seen before.

First I'd want to take a poke at it to verify what it is doing before
coming to that conclusion.  If you want to mail it to me, I'd be glad to
take a look.

BTW, I don't know what gave you the idea that killing processes isn't a
good idea (or at least as long as you don't kill the wrong ones...) - I do
that all the time for basic cleanup.  I get longer uptimes if I kill
explorer.exe and restart it every few weeks.  Better than rebooting.


David LeBlanc
dleblanc () mindspring com
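The triage LeBlanc describes (look at the import table for winsock, MPR.DLL or netapi32.dll, then diff `netstat -a` with and without the process running) is easy to script once the tool output has been captured to text files. The following is an added example, not code from the original thread or from any of the tools it mentions: it parses constructed `dumpbin /imports` and `netstat -a` output (the sample text, the hostname `ntbox` and the address 198.51.100.7 are made up for this example) and reports which imported DLLs are network-capable and which sockets exist only while the process runs. The DLL watch list adds ws2_32.dll, the Winsock 2 library, to the three names given in the thread.

```python
"""Offline triage helpers for an unknown Windows process.

Two checks from the thread: (1) does the binary import a network-capable
DLL, (2) which sockets appear only while the process is running.
Both work on saved tool output, so nothing here touches the live box.
"""
import re
from typing import List, Set, Tuple

# Libraries named in the thread (winsock as wsock32.dll, MPR.DLL, netapi32.dll)
# plus ws2_32.dll, the Winsock 2 DLL used by later NT builds.
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "mpr.dll", "netapi32.dll"}

# In `dumpbin /imports` output each imported DLL sits alone on an indented line.
DLL_LINE = re.compile(r"^\s{2,}(?P<dll>[\w.-]+\.dll)\s*$", re.IGNORECASE)

# `netstat -a` rows: Proto, Local Address, Foreign Address, optional State (UDP has none).
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

Socket = Tuple[str, str, str, str]


def imported_dlls(dumpbin_output: str) -> List[str]:
    """Return the DLL names listed by `dumpbin /imports`, lower-cased, in order."""
    return [m.group("dll").lower()
            for m in map(DLL_LINE.match, dumpbin_output.splitlines()) if m]


def network_imports(dumpbin_output: str) -> Set[str]:
    """Subset of the imports that give the binary network capability."""
    return {dll for dll in imported_dlls(dumpbin_output) if dll in NETWORK_DLLS}


def parse_netstat(output: str) -> Set[Socket]:
    """Turn `netstat -a` text into a set of (proto, local, foreign, state) tuples."""
    sockets: Set[Socket] = set()
    for line in output.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            sockets.add((proto, local, foreign, state or ""))
    return sockets


def new_sockets(before: str, during: str) -> List[Socket]:
    """Sockets present in the 'process running' snapshot but not the baseline."""
    return sorted(parse_netstat(during) - parse_netstat(before))


# --- constructed sample output (not captured from a real system) -------------
DUMPBIN_SAMPLE = """\
Dump of file survey.exe

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    KERNEL32.dll
                405000 Import Address Table
                405080 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                  1F2 GetProcAddress
                  2C4 Sleep

    WSOCK32.dll
                405020 Import Address Table
                4050A0 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                   73 WSAStartup
                   17 connect

    USER32.dll
                405030 Import Address Table
                4050B0 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                  200 MessageBoxA
"""

NETSTAT_BEFORE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ntbox:135              0.0.0.0:0              LISTENING
  TCP    ntbox:139              0.0.0.0:0              LISTENING
  UDP    ntbox:137              *:*
  UDP    ntbox:138              *:*
"""

NETSTAT_DURING = NETSTAT_BEFORE + \
    "  TCP    ntbox:1041             198.51.100.7:80        SYN_SENT\n"

if __name__ == "__main__":
    print("imports:", imported_dlls(DUMPBIN_SAMPLE))
    print("network-capable:", sorted(network_imports(DUMPBIN_SAMPLE)))
    for sock in new_sockets(NETSTAT_BEFORE, NETSTAT_DURING):
        print("new while running:", sock)
```

Feed it real captures with `dumpbin /imports survey.exe > imports.txt` and two `netstat -a > before.txt` / `after.txt` runs; an empty `network_imports` result together with an empty `new_sockets` list is the "probably isn't network enabled" case LeBlanc describes, while anything in `new_sockets` names the port to look for at the IDS or firewall.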
