So I’m reading /. and I ran into the following article: https://slashdot.org/article.pl?sid=04/03/17/1942232&mode=nested&tid=126&tid=128&tid=172&tid=185&tid=190&tid=201
In the article is a link to someone known as the “LURHQ Threat Intelligence Group” who posts this analysis of the “Phatbot” trojan.
I was fascinated by the capabilities of the Trojan, but thought very little of it, until I ran into the following in the alert:
Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.
Here’s the problem. Windows has an internal component called “svchost.exe”, which is known as the “Generic Host Process for Win32 Services”. A naive user looking to see if their system is infected with this Trojan would see the 6 or so copies of svchost.exe running on their system and assume that they were infected.
And the next thing they’d do is to kill those processes, just like the advisory says. Well, what are some of the services they’d be killing?
· AUDIOSRV – the Windows audio service. If this goes, bye bye audio.
· DHCP – the Dynamic Host Configuration Protocol client. Say goodbye to your TCP/IP networking.
· LanmanServer – the file and print server. If you’ve got a networked printer on your machine, nobody’s printing on it any more.
· LanmanWorkstation – the CIFS client. If that one goes, you’re not accessing remote file & print services.
· ShellHWDetection – this blows away autorun.
· Spooler – you’re not printing any more.
And there’s a lot more, those are just the highlights.
One of the more insidious parts of this problem is that even if the user’s machine survives killing all the svchost processes, the next thing the advisory tells the user to do is to delete the file.
But Windows has this really cool feature that’s intended to prevent you from messing up your machine called “Windows File Protection”. In a nutshell, this feature automatically restores a pristine copy of a critical system file if it’s deleted or overwritten. And, you guessed it – svchost.exe is a critical system file.
So here’s the user following the advice from the security company who removes svchost.exe. And 30 seconds later, the file’s right back where it was!
So what is the ONLY interpretation that they could have? Remember – they believe that this file is a Trojan horse and it’s endangering their system. The only interpretation they could possibly have is that the Trojan has somehow REINFECTED their machine. They try to delete the file again and again and again. And they never get anywhere. So the next thing they do is one of two things:
1) They call Product Support and spend lots of money to discover that there’s no real problem, or…
2) They write up an email about this hideous Trojan horse called svchost.exe that’s installed on their machine that they can’t remove, and ask their friends for help.
And thus another JDBGMGR.EXE or SULFNBK.EXE hoax is born. Only this time the component IS a critical Windows component instead of a relatively minor unused system utility.
Sigh.
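To make the distinction concrete, here is an added PowerShell example (mine, not code from the original post or from the advisory) that does what a careful admin would do before acting on an advisory like that: list which services each svchost.exe instance hosts (the same mapping the comments below get from "tasklist /svc" or Process Explorer), check that the image lives in System32 and carries a valid signature, and inspect the two Run keys the advisory names for a "Generic Service Process" value or a srvhost/svrhost lookalike. The registry paths and binary names come from the advisory; the function names and the lookalike regex are my own constructions.

```powershell
# Added example, not part of the original post. Triage svchost.exe before
# killing anything: which services does each instance host, where does the
# image live, is it signed, and do the advisory's Run keys point anywhere odd?
# Assumes Windows PowerShell 5.1 or later, run elevated so the image path of
# SYSTEM-owned processes can be read.

$KnownGoodSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostInventory {
    # Win32_Service.ProcessId links a service to its host process; this is
    # the same mapping "tasklist /svc" prints. Group by PID once up front.
    $byPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        # Reading the path of a protected process can throw; treat that as unknown.
        $path = try { $proc.Path } catch { $null }
        $sigStatus = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $hosted = $byPid["$($proc.Id)"]
        $serviceList = if ($hosted) { $hosted.Name -join ', ' } else { '(none visible)' }
        $inSystem32 = [bool]($path -and ($path -ieq $KnownGoodSvchost))
        [pscustomobject]@{
            PID        = $proc.Id
            Path       = $path
            InSystem32 = $inSystem32
            Signature  = $sigStatus   # 'Valid' is expected; the real binary is catalog-signed
            Services   = $serviceList
        }
    }
}

function Find-SuspiciousRunEntry {
    # The two keys named in the advisory. A "Generic Service Process" value, or
    # a command naming a svchost lookalike (srvhost/svrhost) or a svchost.exe
    # outside System32, is what actually deserves attention. The genuine
    # svchost.exe is started by the Service Control Manager, never from Run.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    $lookalike = '(?i)\bs(rv|vr|vc)host\.exe'   # constructed pattern for this example

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $command = [string]$p.Value
            $nameHit = ($p.Name -eq 'Generic Service Process')
            $binHit  = ($command -match $lookalike) -and
                       ($command -inotmatch [regex]::Escape($KnownGoodSvchost))
            if ($nameHit -or $binHit) {
                $reason = if ($nameHit) { 'value name from advisory' } else { 'svchost lookalike outside System32' }
                [pscustomobject]@{
                    Key     = $key
                    Value   = $p.Name
                    Command = $command
                    Reason  = $reason
                }
            }
        }
    }
}

Get-SvchostInventory | Format-Table -AutoSize
Find-SuspiciousRunEntry | Format-Table -AutoSize
```

The inventory table is the thing to read first: six or so rows, all with InSystem32 = True, Signature = Valid and a list of familiar service names, is the normal picture, not an infection. Only an entry from the second function (a Run value pointing at a differently named or differently located binary) is worth acting on, and even then the action is to stop that service or process and remove that value, not to delete anything Windows File Protection is going to put straight back.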
Comments

Anonymous, March 17, 2004
The comment has been removed.

Anonymous, March 17, 2004
The comment has been removed.

Anonymous, March 19, 2004
I guess the question is then why are all of these processes (dhcp, lanman, etc.) renamed to svchost instead of giving us their true names? Why keep the information hidden?

Anonymous, March 19, 2004
They're not. They're colocated in the same process.
Instead of taking up one process per service, the services are glommed together into the same process.
If you have the NT resource kit, you can use the tasklist command to find out what services are running in what process - use "tasklist /svc", it'll tell you what services are running in what process.

Anonymous, March 19, 2004
Also, Process Explorer from www.sysinternals.com can tell you. A handy near-replacement for the standard Task Manager, with a lot more capabilities. One of the top tools in my toolkit.

Anonymous, March 24, 2004
The comment has been removed.

Anonymous, April 22, 2004
The comment has been removed.