Firewall Wizards mailing list archives

RE: Survey.exe


From: Jean-Hugues Smits <j.h.smits () pointnet nl>
Date: Tue, 1 Jun 1999 10:03:15 +0200

Hi All, 

I've been reading this list for a while and I must say I learned a lot. This
is my first time posting here; I hope I will help someone by reacting to this
post.
I'm running NT 4.0, SP5 and the same thing happened to me. It indeed
appears to come from a Microsoft site. The "Survey.exe" itself didn't take
up the 100% CPU utilization but it took about 64% and the Iexplore process
took the other 35%. I made a screenshot and killed the process. The
"Survey.exe" appears to come from
ftp://msfe.microsoft.com/swcomponents/sw/Survey.exe (314KB) and I also
noticed a "Survey.dat" coming from
ftp://msfe.microsoft.com/swcomponents/so/Survey.dat (22,1KB). I also saw
(in Temp) 2 asp's (runonce.asp + SetCities.ASP?<something>) from another MS
website but they may have nothing to do with that. Hope this little bit of
information helps.
Keep up the good postings!! I'll absorb the knowledge!

Jean-Hugues Smits
j.h.smits () pointnet nl
Pointnet Security Systems

                -----Original message-----
                From:    Ken Fox [mailto:kenfox () starlinx com]
                Sent:    Sunday 30 May 1999 19:39
                To:      'firewall-wizards () nfr net'
                Subject: Survey.exe



                        Folks --        

                        Anyone running an NT box seen a program called
Survey.exe in their task manager window? This puppy was sucking up 100% of
the CPU ...   I hadn't recalled running anything that would generate such a
program; however, I was online at Microsoft's web site at the time (patches
/ downloads / etc) ... when I killed the process (not a terribly smart idea
in Windows, I noticed a red icon dropped out of the systray, kinda looked
like a wizard or a mutated AOL icon) Assuming this is a hacker poking around,
has anyone seen this before? Specifically, I killed him rather than let
him play -- OTOH I am planning on a dedicated hook-up with a firewall rather
than dial-up ... (turns out I moved in to an area with 7.1Meg ADSL
available.... 

                         I hadn't gotten to installing / downloading BOF
yet (it is now) -- Specifically though, if anyone has seen this program
before, what ports & so forth is it using and therefore what would we look
for in an IDS or block with a firewall?

                        I searched bugtraq for survey.exe under the
assumption that it was malicious and/or had been seen before.

                Thanks, ken


