Wednesday, June 9, 2010

What is svchost.exe? Is svchost.exe spyware or a virus?

Process name: Host Process for Services
Product: Windows
Company: Microsoft
File: svchost.exe


"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of the Windows OS. It cannot be stopped or restarted manually. This process manages system services that run from dynamic link libraries (files with the extension .dll). Examples of such system services are "Automatic Updates", "Windows Firewall", "Plug and Play", "Fax Service", "Windows Themes" and many more.
At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. Each Svchost.exe instance can contain a grouping of services, so many services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.
If svchost.exe uses a high share of the CPU, it is usually because the "Automatic Updates" service is downloading a new Windows update. But sustained 99% or 100% CPU usage can also be caused by downloads made by hidden malware on your computer. Some malware, such as the Conficker worm, changes the Windows Registry so that svchost loads the malware .dll file. In this case you only see the authentic svchost.exe process in Task Manager!
See also: Microsoft reference

Note: The genuine svchost.exe file is located in the folder C:\Windows\System32. If a file with this name is found in any other location, it is a virus, spyware, trojan or worm! Check this with Security Task Manager.
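The checks described above (image in System32, services loaded from the registry, a hijacked ServiceDll hiding behind the genuine process) can be run from PowerShell. The following is an added example, not code from the original post: it lists every running svchost.exe, the services each instance hosts, the ServiceDll each service loads, and flags the conditions worth a closer look. It assumes Windows PowerShell 5.1 or later in an elevated session; the function name and flag names are my own.

```powershell
function Get-SvchostAudit {
    $systemRoot = $env:SystemRoot
    $expected   = Join-Path $systemRoot 'System32\svchost.exe'

    # Service-to-process map from the service control manager (CIM/WMI).
    $services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

    # Full process table, indexed by PID, so each instance's parent can be looked up.
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }
    $instances = $byPid.Values | Where-Object { $_.Name -ieq 'svchost.exe' }

    foreach ($proc in $instances) {
        $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.ProcessId })

        # svchost reads each hosted service's ServiceDll from the registry at start-up;
        # this is the value a registry hijack of the kind described above points elsewhere.
        $dlls = @(foreach ($svc in $hosted) {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) }
        })

        $parent     = $byPid[[int]$proc.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '?' }

        # Heuristic flags: each is a reason to look closer, not a verdict on its own.
        $flags = @()
        if (-not $proc.ExecutablePath -or $proc.ExecutablePath -ine $expected) { $flags += 'image-not-system32' }
        if ($hosted.Count -eq 0) { $flags += 'hosts-no-service' }
        if (@($dlls | Where-Object { $_ -inotlike "$systemRoot\*" }).Count -gt 0) { $flags += 'dll-outside-windows' }
        if ($parentName -ine 'services.exe') { $flags += 'parent-not-services' }   # PID reuse can cause a false hit

        [pscustomobject]@{
            Pid      = $proc.ProcessId
            Image    = $proc.ExecutablePath
            Parent   = $parentName
            Services = ($hosted.Name -join ',')
            DLLs     = ($dlls -join ';')
            Flags    = ($flags -join ' ')
        }
    }
}

# Usage: show only the instances that raised at least one flag.
Get-SvchostAudit | Where-Object { $_.Flags } | Format-Table -AutoSize
```

On recent Windows releases most services get their own svchost instance, so a long list is normal; what matters is the Image, DLLs and Flags columns. The parent check rests on the assumption that a genuine svchost is started by services.exe, which is a rule of thumb rather than something the post states.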

Viruses with the same name:
Symantec Security Response - W32.Welchia.Worm
Symantec Security Response - W32.Assarm@mm
McAfee - W32/Jeefo
Microsoft - Conficker worm

Commonly Known Win32 Worms

Win32:Badtrans [Wrm]
Win32:Beagle [Wrm] (aka Bagle), variants A-Z, AA-AH
Win32:Blaster [Wrm] (aka Lovsan), variants A-I
Win32:BugBear [Wrm], including B-I variants
Win32:Ganda [Wrm]
Win32:Klez [Wrm], all variants (including variants of Win32:Elkern)
Win32:MiMail [Wrm], variants A, C, E, I-N, Q, S-V
Win32:Mydoom [Wrm] (variants A, B, D, F-N - including the trojan horse)
Win32:Nachi [Wrm] (aka Welchia, variants A-L)
Win32:NetSky [Wrm] (aka Moodown, variants A-Z, AA-AD)
Win32:Nimda [Wrm]
Win32:Opas [Wrm] (aka Opasoft, Opaserv)
Win32:Parite (aka Pinfi), variants A-C
Win32:Sasser [Wrm] (variants A-G)
Win32:Scold [Wrm]
Win32:Sinowal [Trj] - variants AA, AB
Win32:Sircam [Wrm]
Win32:Sober [Wrm], variants A-I, J-K
Win32:Sobig [Wrm], including variants B-F
Win32:Swen [Wrm], including UPX-packed variants
Win32:Tenga
Win32:Yaha [Wrm] (aka Lentin), all variants
Win32:Zafi [Wrm] (variants A-D)

* Backdoors
* General Trojans
* PSW Trojans
* Trojan Clickers
* Trojan Downloaders
* Trojan Droppers
* Trojan Proxies
* Trojan Spies
* Trojan Notifiers
* ArcBombs
* Rootkits

Virus Naming Conventions


When searching for a virus name, you should be aware of the naming conventions used by Symantec/Norton AntiVirus. Virus names consist of a Prefix, a Name, and often a Suffix.
  • The Prefix denotes the platform on which the virus replicates or the type of virus. A DOS virus usually has no Prefix.
  • The Name is the family name of the virus.
  • The Suffix does not always exist. Suffixes distinguish among variants of the same family and are usually letters, or numbers denoting the size of the virus.
PREFIXES
A2KM: Access macro viruses that are native to Access 2000.
A97M: Access macro viruses that are native to Access 97.
AM: Access macro viruses that are native to Access 95.
AOL: Trojan horses that are specific to America Online environments and usually steal AOL password information.
BAT: Batch file threats.
Backdoor: Threats that may allow unauthorized users to access your computer across the Internet.
Bloodhound: Bloodhound is the name of the Norton AntiVirus heuristic scanning technology for detecting new and unknown viruses.
DDoS: Distributed Denial of Service threats. Distributed Denial of Service involves using zombie computers in an attempt to flood an Internet site with traffic.
DoS: Denial of Service threats. Not to be confused with DOS viruses, which are named without prefixes.
HLLC: High Level Language Companion viruses. These are usually DOS viruses that create an additional file (the companion) to spread.
HLLO: High Level Language Overwriting viruses. These are usually DOS viruses that overwrite host files with viral code.
HLLP: High Level Language Parasitic viruses. These are usually DOS viruses that attach themselves to host files.
HLLW: A worm that is compiled using a High Level Language. (NOTE: This modifier is not always a prefix; it is only a prefix in the case of a DOS High Level Language Worm. If the worm is a Win32 file, the proper name would be W32.HLLW.)
HTML: Threats that target HTML files.
IRC: Threats that target IRC applications.
JS: Threats that are written using the JavaScript programming language.
Java: Viruses that are written using the Java programming language.
Linux: Threats that target the Linux operating system.
O2KM: Office 2000 macro viruses. May infect across different types of Office 2000 documents.
O97M: Office 97 macro viruses. May infect across different types of Office 97 documents.
OM: Office macro viruses. May infect across different types of Office documents.
PWSTEAL: Trojan horses that steal passwords.
Palm: Threats that are designed to run specifically on the Palm OS.
Trojan/Troj: These files are not viruses, but Trojan horses. Trojan horses are files that masquerade as helpful programs, but are actually malicious code. Trojan horses do not replicate.
UNIX: Threats that run under any UNIX-based operating system.
VBS: Viruses that are written using the Visual Basic Script programming language.
W2KM: Word 2000 macro viruses. These are native to Word 2000 and replicate under Word 2000 only.
W32: 32-bit Windows viruses that can infect under all 32-bit Windows platforms.
W95: Windows 95 viruses that infect files under the Windows 95 operating system. Windows 95 viruses often work in Windows 98 also.
W97M: Word 97 macro viruses. These are native to Word 97 and replicate under Word 97 only.
W98: Windows 98 threats that infect files under the Windows 98 operating system. Will only work in Windows 98.
WM: Word macro viruses that replicate under Word 6.0 and Word 95 (Word 7.0). They may also replicate under Word 97 (Word 8.0), but are not native to Word 97.
WNT: 32-bit Windows viruses that can infect under the Windows NT operating system.
Win: Windows 3.x viruses that infect files under the Windows 3.x operating system.
X2KM: Excel macro viruses that are native to Excel 2000.
X97M: Excel macro viruses that are native to Excel 97. These viruses may replicate under Excel 5.0 and Excel 95 as well.
XF: Excel formula viruses, which use old Excel 4.0 embedded sheets within newer Excel documents.
XM: Excel macro viruses that are native to Excel 5.0 and Excel 95. These viruses may replicate in Excel 97 as well.

SUFFIXES
@m: Signifies the virus or worm is a mailer. An example is Happy99 (W32.Ska), which only sends itself by email when you (the user) send mail.
@mm: Signifies the virus or worm is a mass-mailer. An example is Melissa, which sends messages to every email address in your mailbox.
dam: Indicates a detection for files that have been corrupted by a threat, or that may contain inactive remnants of a threat, causing the files to no longer execute properly or produce reliable results.
dr: Indicates that the detected file is a dropper for another threat.
Family: Indicates a generic detection for threats that belong to a particular threat family based on viral characteristics.
Gen: Indicates a generic detection for threats that belong to a particular threat type based on viral characteristics.
Int: Indicates an intended threat. Threats that are intended to spread, but don't due to bugs or errors in the viral code.
Worm: Indicates a worm, not a virus. Worms make copies of themselves that they send across a network, by email, or by another transport mechanism.
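To make the Prefix / Name / Suffix convention concrete, here is an added example (not part of the original post and not Symantec's own parser) that splits a threat name into those parts using the prefix and suffix tables above. The split rules are my reading of the tables: a leading token from the prefix table is the platform, an HLLW-style token after it is a modifier, the next token is the family, and any trailing tokens are variant letters or size numbers, or one of the listed suffixes; "@m" and "@mm" are glued to the last token rather than dot-separated. The sample names are constructed from names that appear on this page.

```powershell
function ConvertFrom-ThreatName {
    param([Parameter(Mandatory)][string]$Name)

    # Tables transcribed from the PREFIXES and SUFFIXES lists above.
    $knownPrefixes = @(
        'A2KM','A97M','AM','AOL','BAT','Backdoor','Bloodhound','DDoS','DoS',
        'HLLC','HLLO','HLLP','HLLW','HTML','IRC','JS','Java','Linux',
        'O2KM','O97M','OM','PWSTEAL','Palm','Trojan','Troj','UNIX','VBS',
        'W2KM','W32','W95','W97M','W98','WM','WNT','Win','X2KM','X97M','XF','XM'
    )
    $knownSuffixes = @('dam','dr','Family','Gen','Int','Worm')
    $modifiers     = @('HLLW','HLLC','HLLO','HLLP')   # e.g. W32.HLLW.<family>

    # The mailer marker is attached to the last token: W32.Assarm@mm
    $core   = $Name
    $mailer = $null
    if ($core -match '^(.*?)(@mm|@m)$') { $core = $Matches[1]; $mailer = $Matches[2] }

    $parts = [System.Collections.Generic.List[string]]($core -split '\.')
    $prefix = $modifier = $family = $variant = $null
    $suffixes = @()

    # Prefix (case-sensitive, as written in the table). A bare DOS name has none.
    if ($parts.Count -gt 1 -and $knownPrefixes -ccontains $parts[0]) {
        $prefix = $parts[0]; $parts.RemoveAt(0)
    }
    if ($parts.Count -gt 1 -and $modifiers -ccontains $parts[0]) {
        $modifier = $parts[0]; $parts.RemoveAt(0)
    }
    if ($parts.Count -gt 0) { $family = $parts[0]; $parts.RemoveAt(0) }

    # Whatever remains is a variant (letters or a size number) or a named suffix.
    foreach ($p in $parts) {
        if     ($knownSuffixes -ccontains $p)                        { $suffixes += $p }
        elseif ($p -cmatch '^[A-Z]{1,2}$' -or $p -match '^\d+$')     { $variant = $p }
        else                                                         { $suffixes += $p }  # keep unknown tokens visible
    }

    [pscustomobject]@{
        Name     = $Name
        Prefix   = $prefix      # platform or threat type; empty for DOS viruses
        Modifier = $modifier    # HLLW and friends when used after W32
        Family   = $family
        Variant  = $variant
        Suffix   = ($suffixes -join '.')
        Mailer   = $mailer      # @m = mailer, @mm = mass-mailer
    }
}

# Constructed sample names built from families and suffixes mentioned on this page.
'W32.Welchia.Worm', 'W32.Assarm@mm', 'W32.Sobig.F@mm', 'W97M.Melissa.A', 'Jerusalem' |
    ForEach-Object { ConvertFrom-ThreatName $_ } | Format-Table -AutoSize
```

The last sample, a bare family name with no prefix, shows the DOS case from the bullet list: Prefix stays empty and the whole token becomes the Family.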

Win32 Virus - How to Remove Win32 Virus Trojan Proxy

How to Remove Win32 Virus - Trojan Proxy

The Trojan-Proxy.Win32 virus is a worm affecting computers running Microsoft Windows.

These Trojans function as a proxy server and provide anonymous access to the Internet from victim machines.

Today these Trojans are very popular with spammers who always need additional machines for mass mailings.

Virus coders will often include Trojan-proxies in Trojan packs and sell networks of infected machines to spammers.

You may not even know your computer has been infected. Hundreds of computers get infected daily. Simply visiting certain malicious sites can cause your computer to be infected. To find out, you can try using an antivirus scanner and virus removal software.

Trojans breach your computer's security and should be removed. The Trojan-Proxy.Win32 Trojan can be removed from your system if it has been infected!



What Exactly is the Win32 Trojan Proxy Virus

This Trojan program makes it possible for a remote malicious user to use the machine as a proxy-server.

A proxy server is a server (a computer system or an application program) which services the requests of its clients by forwarding requests to other servers. So in simple terms, the Trojan-Proxy virus uses your computer as a host to sell to spammers. Ever wondered where all your internet bandwidth has gone?

The Trojan itself is a Windows PE EXE file written in Visual C++ and packed using UPX. The file can be between 39 KB and 53 KB in size.

An example of a Trojan horse would be a program you downloaded thinking it was something simple, such as a screensaver named "exotic-cars.scr" that appears to be a car desktop screensaver. When you install it, it instead unloads hidden programs, commands or scripts in the background, with or without your knowledge.

Trojan horse programs can often be used to bypass the security protection you have on your system, which leaves your system without any protection and gives the hacker full access to your machine.


What Does the Trojan-Proxy.Win32 Virus Do?

The Trojan creates a unique identifier, "Windows-Update-Service" to flag its presence in the system.

Once launched, the Trojan listens on a random TCP port to provide the proxy-server function. The port number is chosen at random in the range 1025 - 5024. If it is not possible to listen on that port, a new port number is generated and the attempt is repeated.

The worm then establishes a connection to cb.im***itethinking.biz. If this is unsuccessful, the attempt is repeated at 15 minute intervals.

If the connection is successful, the number of the port the Trojan is listening on is encoded and transmitted in encrypted form to port 3878 on the server.

Once the remote malicious user receives this data, s/he will be able to use the victim machine as a proxy-server.
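The two network traces described above, a listener on a random port in 1025 - 5024 and an outbound connection to remote port 3878, are the easiest thing to look for on a machine suspected of running this Trojan. The following is an added example, not code from the original post: it lists matching TCP connections with their owning process and marks those whose executable is not under the Windows or Program Files folders. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session; the port range and port 3878 come from the text, the function name, parameters and "trusted folder" rule are mine.

```powershell
function Find-ProxyTrojanTraces {
    param(
        [int]$LowPort    = 1025,   # listener range from the description above
        [int]$HighPort   = 5024,
        [int]$BeaconPort = 3878    # server port the listener number is sent to
    )

    # Folders where a legitimately installed program's executable is expected (my rule, not the post's).
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

    foreach ($c in Get-NetTCPConnection -ErrorAction Stop) {
        $kind = $null
        if ($c.State -eq 'Listen' -and $c.LocalPort -ge $LowPort -and $c.LocalPort -le $HighPort) {
            $kind = 'listener-in-range'
        } elseif ($c.RemotePort -eq $BeaconPort) {
            $kind = 'remote-port-3878'
        }
        if (-not $kind) { continue }

        # Resolve the owning process and its image path (null when access is denied).
        $p    = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = $null
        if ($p) { try { $path = $p.Path } catch { } }

        $inTrusted = $false
        foreach ($t in $trusted) { if ($path -and ($path -ilike $t)) { $inTrusted = $true } }

        [pscustomobject]@{
            Kind       = $kind
            Local      = "$($c.LocalAddress):$($c.LocalPort)"
            Remote     = "$($c.RemoteAddress):$($c.RemotePort)"
            State      = $c.State
            Pid        = $c.OwningProcess
            Process    = if ($p) { $p.Name } else { '?' }
            Path       = $path
            Suspicious = -not $inTrusted
        }
    }
}

# Usage: suspicious rows first.
Find-ProxyTrojanTraces | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: ordinary programs can listen in that range too, so the Path column and the unique identifier named above are what separate the Trojan from a legitimate listener.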

Manually Remove the Trojan-Proxy.Win32 Virus and Removing it from the Registry

Removing a virus using the manual method.

Removing a virus can be done manually; however, you will need to understand how to edit the system registry and be able to troubleshoot various problems with your computer system. Viruses are persistent, and removing one can take a considerable amount of time and knowledge of how an operating system works. You will also need to know how to edit the registry to delete the virus and stop it from reinstalling each time you connect to the internet.

Removal Instructions

1. Determine the name of the Trojan program by using regedit or another utility to edit the system registry. View the "Services" parameter in the [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] key; this parameter gives the full path to the malicious program.

2. Use Task Manager to terminate the process with the Trojan name.

3. Delete the original Trojan file.

4. Delete the following value from the system registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]"Services"=""
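The four removal steps above can be carried out as one PowerShell function, shown here as an added example that is not part of the original post. The Run key and the "Services" value name come from the instructions; the function name, parameters and the refusal to delete anything under the Windows folder are mine. It assumes an elevated Windows PowerShell 5.1 session and supports -WhatIf, so it can be run first to show what it would do without changing anything.

```powershell
function Remove-RunKeyPersistence {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$ValueName = 'Services',
        [string]$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    # Step 1: read the Run value; it holds the full path of the program to start.
    $item = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { Write-Verbose "No '$ValueName' value under $RunKey"; return $null }
    $raw = [string]$item.$ValueName

    # Strip surrounding quotes and any arguments to get the executable path itself.
    $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Safety rule (mine): never delete a file under the Windows folder. A Run value that
    # points at the genuine svchost.exe means the hijack is in a ServiceDll, not this file.
    if ($exe -ilike "$env:SystemRoot\*") {
        Write-Warning "'$exe' is under the Windows folder; refusing to delete it."
        return $null
    }

    # Step 2: terminate every running process whose image is that file.
    $procs = @(Get-Process | Where-Object { try { $_.Path -and ($_.Path -ieq $exe) } catch { $false } })
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'Stop process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # Step 3: delete the original file.
    if ((Test-Path -LiteralPath $exe) -and $PSCmdlet.ShouldProcess($exe, 'Delete file')) {
        Remove-Item -LiteralPath $exe -Force
    }

    # Step 4: delete the Run value so the program is not started again at logon.
    if ($PSCmdlet.ShouldProcess("$RunKey\$ValueName", 'Delete registry value')) {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
    }

    [pscustomobject]@{ ValueName = $ValueName; Target = $exe; ProcessesStopped = $procs.Count }
}

# Usage: preview first, then run for real (ConfirmImpact = High prompts before each change).
Remove-RunKeyPersistence -WhatIf
# Remove-RunKeyPersistence
```

The steps are deliberately in the order the instructions give them: stopping the process before deleting the file avoids a locked-file error, and removing the Run value last means a failure part-way through leaves the evidence in place for a second attempt.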



Still Having Problems Manually Removing the Win32 Virus

If you couldn't remove it for some reason, try using anti-virus software.

Win32 worms generally are set to run automatically when you start your computer or even register themselves to be run when any other application is started. Unfortunately, you can't just delete the worm file or your computer system might not be able to start your applications (such as Explorer) any more.

In order to effectively remove the worm from your computer system, it is often necessary to make additional changes to your system registry. Editing the system registry isn't easy. It can be done, but it can be difficult for those who aren't computer technicians.


Win32 Virus Resources and Further Information

Symantec Virus Name Definitions
There are many different types of viruses. This is a great resource to tell you what different prefixes in virus names mean and how they differ.