Re: svchost.exe try to send http outside

["Dave Korn" <davek_throwaway () hotmail com>]

----Original Message----
> From: Josh Zlatin-Amishav
> Message-Id: Pine.LNX.4.61.0508171334370.11166 () maoz education gov il

> On Wed, 17 Aug 2005 howard.lee wrote:

> > I discovered that an "svchost.exe" start when the server start.
> > This svchost.exe try to sync_sent to random http host when I view from
> > netstat, active port, and pviewer.
> >
> > However, does anyone know which worms/torjon/normal process causes the
> > svchost do such job?  and how to stop this?
> > Is this a normal prcoess?
> >
> > My Server is a fully patched windows 2003 server. net.
> > The svchost.exe is microsoft verifid and located at c:\windows\system32

> Hi Howard,
> This sounds like Hotword.b.trojan. The Hotword.b trojan is known to use
> the following files:
> "_svchost.exe"
> "0xFFsvchost.exe" (note the 0xFF is obviosly unreadable)
> "Outlook Express"
>
> in the System32 directory.

  Actually, given that Howard says the .exe is 'microsoft verified' (i
presume he means it has a valid M$ digital signature), the odds are about a
hundred to one that this is the windows automatic update service phoning
home to check for updates.  Svchost.exe hosts many windows services, and
since automatic updates is one of those hosted services, it is entirely
natural and as-expected that svchost.exe would try to connect out once in a
while.

  Howard, next time it tries to connect, note down the IP and do a WHOIS
lookup on it.  If you see something like ...

OrgName:    MS Hotmail
OrgID:      MSHOTM
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

... then you don't need to worry about it.  (If you see something else, post
back here.)

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/