Firewall Wizards mailing list archives
RE: Survey.exe
From: Jean-Hugues Smits <j.h.smits () pointnet nl>
Date: Wed, 2 Jun 1999 13:53:25 +0200
Soo, I did my own little "Survey", and what did I find..... That freaky little thing that appeared in the systray seemed to be some MS guy with a purple hat, called "Survey Wizard." I found 5 files (couldn't find them with NT Explorer so I used cmd.exe: dir c:\ *survey*.* /s /b): survey.exe + Survey.dat (in \temp) and survey.INF, survey.ocx, SurveyControl.dll (seems to be made by a company called NETQUEST) (\ \downloaded program files\ ). They are created by Microsoft, and it appears to be a survey to "Measure Customer Satisfaction with web site". Now I know that, I wish I could have taken the "Survey"..... As I understand it is/uses ActiveX. I could find Registry keys containing pointers to this program. Further, it looks like it is supposed to send mail (# U n a b l e t o l o a d m a i l s y s t e m s u p p o r t . M a i l s y s t e m D L L i s i n v a l i d . ! S e n d M a i l f a i l e d t o s e n d m e s s a g e).

1. As I recall I never agreed upon taking a survey.
2. If I did agree it shouldn't take up 100% CPU power.

Looks like a trojaned DoS by Microsoft :-(

I do not understand everything I found out (newbie), but if someone is interested... just ask me for it and you more knowledgeable (is that English???) people might understand.

Jean-Hugues Smits
Pointnet Security Systems
j.h.smits () pointnet nl

-----Original message-----
From: David LeBlanc [mailto:dleblanc () mindspring com]
Sent: Monday, 31 May 1999 6:22
To: Ken Fox; 'firewall-wizards () nfr net'
Subject: Re: Survey.exe

At 01:38 PM 5/30/99 -0400, Ken Fox wrote:

> Folks --
>
> Anyone running an NT box seen a program called Survey.exe in their task manager window? This puppy was sucking up 100% of the CPU ... I hadn't recalled running anything that would generate such a program;

No - haven't seen that one. If you have any sort of browser security set up, it would definitely warn you before starting an app.

Since it was running, it was almost certainly on your HD. Do a search for it - dir c:\survey.exe /s /b ought to do nicely. I bet it is on your HD. If it was not, the things to have done prior to torching it would have been to do a net session and a net use from the command line. Shows you anyone connected to your machine, and any place you are connected to. Also, people have limited means to get things to execute locally - I assume you have no remote shells installed. Means that it is either running as a service (or fired by the schedule service) or _you_ started it somehow. Since you killed it, it was probably running under your user context - ways do exist to kill things owned by the system (or other people), but Task Manager typically complains when you try that.

> Specifically though, if anyone has seen this program before, what ports & so forth is it using and therefore what would we look for in a IDS or block with a firewall?

Well, first of all, you don't know that it is something bad. First thing to do is run a dumpbin (tool from VC++, or the SDK) to see what calls it is making. If it doesn't link with winsock, MPR.DLL, or netapi32.dll, then it probably isn't network enabled. Figuring out which ports it is using would be accomplished by diffing netstat -a while running and not. Russinovich (www.sysinternals.com) has a nifty tool that shows you the handles a process has open - sockets show up as Afd\something. Mapping that to a port isn't convenient - someone I know was working on a tool to do just that, but I'm not sure what came of it.

> I searched bugtraq for survey.exe under the assumption that it was malicious and/or had been seen before.

First I'd want to take a poke at it to verify what it is doing before coming to that conclusion. If you want to mail it to me, I'd be glad to take a look.

BTW, I don't know what gave you the idea that killing processes isn't a good idea (or at least as long as you don't kill the wrong ones...) - I do that all the time for basic cleanup. I get longer uptimes if I kill explorer.exe and restart it every few weeks. Better than rebooting.

David LeBlanc
dleblanc () mindspring com
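The "diff netstat -a while running and not" triage step LeBlanc describes, worked through as an added example (not code from the thread): two constructed NT-style netstat -a captures are parsed and compared, and the sockets that exist only while the suspect process runs are reported with their local ports for IDS or firewall review. The capture text is constructed sample data; the 10.0.0.25:25 connection stands in for the mail activity Smits suspected.

```python
import re

# Constructed sample output in the shape of Windows NT "netstat -a" (no PID column on NT 4).
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       207.46.130.14:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Same host, constructed capture taken while the suspect process is running.
NETSTAT_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       207.46.130.14:80       ESTABLISHED
  TCP    192.168.1.5:1041       10.0.0.25:25           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1042           *:*
"""

# Proto, local address, foreign address, optional state (UDP rows carry no state).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return the set of (proto, local, foreign, state) tuples; headers and blanks are skipped."""
    sockets = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            sockets.add((proto, local, foreign, state or ""))
    return sockets

def diff_netstat(before, after):
    """Sockets that appeared while the process ran, and sockets that disappeared."""
    b, a = parse_netstat(before), parse_netstat(after)
    return sorted(a - b), sorted(b - a)

def local_ports(sockets):
    """Local port numbers of the given sockets, the part you would watch for in an IDS."""
    return sorted({int(local.rsplit(":", 1)[1]) for _, local, _, _ in sockets})

if __name__ == "__main__":
    added, removed = diff_netstat(NETSTAT_BEFORE, NETSTAT_AFTER)
    for sock in added:
        print("new:", *sock)
    print("new local ports:", local_ports(added))
```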
Current thread:
- RE: Survey.exe Jean-Hugues Smits (Jun 01)
- RE: Survey.exe David C Niemi (Jun 03)
- <Possible follow-ups>
- Re: Survey.exe David LeBlanc (Jun 01)
- RE: Survey.exe Merunka, Steffen (Jun 01)
- RE: Survey.exe Russ (Jun 03)
- RE: Survey.exe Jean-Hugues Smits (Jun 03)