Message-ID: <Pine.LNX.4.61.0508171334370.11166@maoz.education.gov.il>
Date: Wed Aug 17 11:37:05 2005
From: josh at tkos.co.il (Josh Zlatin-Amishav)
Subject: svchost.exe try to send http outside

On Wed, 17 Aug 2005 howard.lee@...co.com wrote:

> Dear all,
>
> I discovered that an "svchost.exe" start when the server start.
> This svchost.exe try to sync_sent to random http host when I view from
> netstat, active port, and pviewer.
>
> However, does anyone know which worms/trojan/normal process causes the
> svchost do such job?

Hi Howard,
This sounds like Hotword.b.trojan. The Hotword.b trojan is known to use
the following files:
"_svchost.exe"
"0xFFsvchost.exe" (note the 0xFF is obviously unreadable)
"Outlook Express"

in the System32 directory.

FYI this trojan was recently used in a massive corporate spy case in Israel.

For more info see here:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.b.html
http://seclists.org/lists/fulldisclosure/2005/May/0653.html

--
     - Josh

> and how to stop this?
> Is this a normal process?
>
> My Server is a fully patched windows 2003 server. net.
> The svchost.exe is microsoft verified and located at c:\windows\system32
>
> Regards,
> Howard
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

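As an added illustration (not part of Josh's reply or the original thread), the Python sketch below shows the check a defender would run against the symptoms Howard describes: parse `netstat -ano` output, map PIDs to image paths, and flag svchost-named processes that are not the genuine System32 binary (the Hotword.b names above included), as well as a genuine svchost.exe sending SYNs to hosts outside the site's own address ranges. The netstat lines, the PID-to-path map and the local network range are constructed sample data, not output from Howard's server.

```python
import ipaddress

# Constructed `netstat -ano` output for illustration (not a capture from the post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.10:1044      203.0.113.7:80         SYN_SENT        1512
  TCP    192.168.1.10:1050      192.168.1.20:80        SYN_SENT        904
  TCP    192.168.1.10:1051      203.0.113.99:80        SYN_SENT        3300
  TCP    192.168.1.10:1052      198.51.100.5:80        SYN_SENT        4100
"""
# Constructed PID -> image path map, as a process viewer would show it (assumed data).
SAMPLE_PROCESSES = {
    904: r"C:\WINDOWS\system32\svchost.exe",
    1512: r"C:\WINDOWS\system32\_svchost.exe",        # Hotword.b file name
    3300: r"C:\WINDOWS\svchost.exe",                  # right name, wrong directory
    4100: "C:\\WINDOWS\\system32\\\xffsvchost.exe",   # 0xFF-prefixed Hotword.b name
}
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumed: the site's own ranges

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("TCP", "UDP") and parts[4].isdigit():
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])

def svchost_lookalike(path):
    """True for a process that borrows the svchost.exe name without being the real file."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name == "svchost.exe":
        return path.lower() != LEGIT_SVCHOST   # genuine name in the wrong directory
    return name.endswith("svchost.exe")        # _svchost.exe, "\xffsvchost.exe", ...

def review_connections(netstat_text, processes, local_nets=LOCAL_NETS):
    """Return (pid, remote, reason) for outbound TCP activity worth investigating."""
    findings = []
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state not in ("SYN_SENT", "ESTABLISHED"):
            continue
        path = processes.get(pid, "")
        if svchost_lookalike(path):
            findings.append((pid, remote, "svchost look-alike: " + path))
        elif path.lower() == LEGIT_SVCHOST and state == "SYN_SENT":
            host = ipaddress.ip_address(remote.rpartition(":")[0].strip("[]"))
            if not any(host in net for net in local_nets):  # real svchost, outside host
                findings.append((pid, remote, "svchost.exe SYN_SENT to outside host"))
    return findings
```

Run `review_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES)` to list the three look-alike processes; the genuine svchost.exe talking to an internal host is not reported.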