grift3r74

SVOHOST.exe, what is it?


OMG.. it's a virus

When Backdoor.Nibu.G is executed, it does the following:

* Copies itself as:

%System%\Swchost.exe

%System%\Svohost.exe

%Startup%\Svchost.exe

--------------------------------------------------------------------------------

Notes:

%System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

%Startup% is a variable. The Trojan locates the Windows startup folder and copies itself to that location. For example, this is C:\Windows\Start Menu\Programs\Startup (Windows 95/98/Me) or C:\Documents and Settings\<current user>\Start Menu\Programs\Startup (Windows NT/2000/XP).

--------------------------------------------------------------------------------

* Creates the following files:

%Windir%\Rundlln.sys

%Windir%\Prntsvr.dll

%Windir%\Temp\feff35a0.htm

%Windir%\Temp\fe43e701.htm

%Windir%\Temp\fa4537ef.tmp

--------------------------------------------------------------------------------

Note: %Windir% is a variable. The Trojan locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and creates files in that location.

--------------------------------------------------------------------------------

* Adds the value:

"load32"="%System%\swchost.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.

* Creates and loads a .dll file to capture keystrokes. Known variants have used %Windir%\Prntsvr.dll as the file name.

* May create the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\SARS

HKEY_USERS\.DEFAULT\SOFTWARE\SARS

* Modifies the value data of:

Shell

in the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

from:

"explorer.exe"

to:

"explorer.exe %System%\svohost.exe"

so that the worm runs when you start Windows NT/2000/XP.

* Modifies the %Windir%\System.ini file by changing the value:

"Shell"="Explorer.exe"

to:

"Shell"="explorer.exe %System%\svohost.exe"

so that the worm runs when you start Windows 95/98/Me.

* Looks for windows that have the following string in the title bar:

http:/ /www.whatpornsite.com/css/logger.php

This Trojan captures the keystrokes that are typed into these windows and stores them in a log file.

--------------------------------------------------------------------------------

Note: Typically, such windows would be Web browser windows displaying logon screens for financial services or email accounts.

--------------------------------------------------------------------------------

* Captures the window title and keystrokes that are typed into open windows. The Trojan stores them in the log file, %Windir%\Prntk.log. Other stolen information that may also be stored in this file includes the IP address of the infected computer and system information, such as the operating system and Internet Explorer version. It may also try to steal FAR Manager and FTP Commander passwords, and protected storage data.

* Launches a thread that monitors the clipboard, saving any data that is found to a log file. This file is named %Windir%\Prntc.log.

* Periodically checks the size of the files it uses for logging stolen information. When the files reach a certain size, the stolen information will be copied into an email-formatted file using the Trojan's built-in SMTP engine. The Trojan retrieves the details of the registered owner from the registry and uses these details in the file.

* The email-formatted file has the following characteristics:

From: <registered owner> <[email protected]>

To: you

* Writes an HTML file containing the stolen data to %Windir%\TEMP\feff35a0.htm.

* Writes a raw MIME message containing the stolen data to %Windir%\TEMP\fa4537ef.tmp.

* Listens on TCP ports 1001 and 10000 for remote instructions.

* Disables access to certain antivirus Web sites by adding the following lines to %System%\Drivers\etc\hosts:


Is it really worth your time and money (you could lose all your money in the bank if your password is compromised) to be worrying about these things?

It is always better to have software that can protect your computer and you. Spyware is more dangerous than viruses, because of the simple reason that it steals your information. Your banking account password is much more worthy to them than your computer. And that's what most of them are after.

How do I remove this? I found a registry key.. Is it enough to remove it...
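For anyone checking a machine against the writeup pasted above, here is a read-only PowerShell check (an added example, not from this thread and not a Symantec tool). It looks at the dropped-file names, the Run and Winlogon values, the SARS marker keys and the loopback hosts entries the writeup describes; the file names, values and vendor domains are the writeup's own, and the report format is mine.

```powershell
# Added example (not from the thread, not Symantec's): read-only check for the
# persistence and hosts-file indicators in the Backdoor.Nibu.G writeup.
# Run from an elevated PowerShell prompt; it reports, it does not delete anything.
$System = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$Windir = $env:windir                              # e.g. C:\Windows
$findings = @()

# 1. Files the writeup says are dropped (NTFS names are case-insensitive)
foreach ($f in "$System\swchost.exe", "$System\svohost.exe", "$Windir\Rundlln.sys",
               "$Windir\Prntsvr.dll", "$Windir\Prntk.log", "$Windir\Prntc.log") {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# 2. Run key value "load32" (autostart for swchost.exe)
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.load32) { $findings += "Run\load32 = $($run.load32)" }

# 3. Winlogon Shell: the clean value is exactly explorer.exe; anything appended
#    is an extra program started at every logon (the writeup's svohost.exe)
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.Shell -and $wl.Shell.Trim() -ine 'explorer.exe') {
    $findings += "Winlogon\Shell = '$($wl.Shell)'"
}

# 4. Marker keys the Trojan may create
foreach ($k in 'HKLM:\SOFTWARE\SARS', 'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\SARS') {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" }
}

# 5. hosts entries that point security-vendor sites at loopback, which is how the
#    Trojan blocks AV updates; vendor names are the ones listed in the writeup
$hosts   = "$System\drivers\etc\hosts"
$pattern = '^\s*127\.0\.0\.1\s+\S*(symantec|mcafee|kaspersky|f-secure|sophos|trendmicro|avp\.com|nai\.com|ca\.com|viruslist|my-etrust|networkassociates)'
if (Test-Path -LiteralPath $hosts) {
    foreach ($line in Get-Content -LiteralPath $hosts) {
        if ($line -match $pattern) { $findings += "hosts redirect: $($line.Trim())" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No Nibu.G indicators found.' }
```

The System.ini Shell= line in the writeup only matters on Windows 95/98/Me and is not checked here. A hit on the hosts check is worth verifying by hand, since legitimate ad-blocking hosts lists also use 127.0.0.1 entries.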

This one's hard because it keeps coming back after AV scans... It also disabled parts of my registry like the startup..

You can access it though by deleting svohost using HijackThis.

Gotta delete registry files to silence this one tough POS..

Here's the link...

http://service.symantec.com.sg/en/ca/security_response/writeup.jsp?docid=2004-060219-5936-99&tabid=3

Finally removed it completely..

YEAAAHHH!!! :grin::uzi:

Have you run "sfc /scannow"? This will take some time. What it does, if you're not familiar, is search all Windows components and place them back where they are supposed to be. Just open a shell and type "sfc /scannow". Of course, close all running programs first.
