Trojan running as irc server

Modelworks

Lifer
Feb 22, 2007
I keep a PC for researching viruses that has little protection. I wired up the LED lights that blink on network activity so they are easily seen. The XP machine has no antivirus and no protection software. I use the LED to tell when there is network activity on that PC. Everything that would normally access the internet itself is disabled, so when I saw the LED flickering yesterday I knew something was happening.

The first thing I do when I see that is to use Process Hacker to look at network traffic. Here is what I saw:
svchost.exe (204), xpunsecured (192.168.0.3), 1025, static-85-94-77-39.rev-addr.voljatel.hr (85.94.77.39), 1604, TCP, Established

Clicking on it, I find out the process ID is 204.

I go to a command prompt and run tasklist /svc.
Results:
svchost.exe 1064 DcomLaunch, TermService
svchost.exe 1292 Dnscache
svchost.exe 1384 LmHosts, SSDPSRV
svchost.exe 2008 WebClient
svchost.exe 204 Winhost
svchost.exe 468 HTTPFilter

The trojan is using a fake svchost.exe (named winhost) in \windows\ and not the normal \windows\system32\. Nothing new; that has been done with mail trojans.

Using Wireshark I found out the trojan is accessing IRC:
:irc.eapennet.com 001 [P00|USA|88773] :Welcome to the eapennet IRC Network
:irc.eapennet.com 002 [P00|USA|88773] :Your host is irc.eapennet.com, running version Unreal3.2.7
:irc.eapennet.com 003 [P00|USA|88773] :This server was created Fri Jul 13 19:05:40 2007
:irc.eapennet.com 004 [P00|USA|88773] irc.eapennet.com Unreal3.2.7
:irc.eapennet.com 005 [P00|USA|88773] NAMESX SAFELIST HCN MAXCHANNELS=10

Winhost in the past was a mail proxy, but this looks like someone modified it for IRC. I run it through the normal battery of antivirus programs and nothing. HijackThis, nothing; anti-malware programs, again nothing. I try to find how it is being loaded, and this is the part I can't figure out.

I have looked everywhere, from the registry to checking CRCs on DLL files, and I cannot find how this one is loading. I can remove it from the system, but I'm interested in finding out how it is being loaded without showing up anywhere. So besides the normal registry, start menu, or service options, does anyone know where else to look?
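The correlation the post walks through (established connection to PID, PID to the service names svchost is hosting, PID to image path, plus reading the IRC registration numerics) can be scripted. The following Python is an added example and is not code from the original post, from Process Hacker or from Wireshark. The tasklist and netstat text are constructed samples modeled on the listing above (the post used Process Hacker rather than netstat -ano for the connection line), the IMAGE_PATHS table is hypothetical (on a real box it comes from Process Explorer or wmic), the KNOWN_SVCHOST_SERVICES allowlist is a partial assumption, and the "templated nick" regex is a heuristic, not a rule from the page.

```python
import re

# Constructed sample of `tasklist /svc` output, modeled on the listing in the post above.
TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                 1064 DcomLaunch, TermService
svchost.exe                 1292 Dnscache
svchost.exe                 1384 LmHosts, SSDPSRV
svchost.exe                 2008 WebClient
svchost.exe                  204 Winhost
svchost.exe                  468 HTTPFilter
"""

# Constructed sample of `netstat -ano` restating the Process Hacker connection line from the post.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.3:1025       85.94.77.39:1604       ESTABLISHED     204
  TCP    192.168.0.3:139        0.0.0.0:0              LISTENING       4
"""

# Hypothetical image paths keyed by PID (assumption; read them from Process Explorer or
# `wmic process get processid,executablepath` on a real box). PID 204 lives in \windows\ per the post.
IMAGE_PATHS = {
    1064: r"C:\WINDOWS\system32\svchost.exe", 1292: r"C:\WINDOWS\system32\svchost.exe",
    1384: r"C:\WINDOWS\system32\svchost.exe", 2008: r"C:\WINDOWS\system32\svchost.exe",
    204: r"C:\WINDOWS\svchost.exe", 468: r"C:\WINDOWS\system32\svchost.exe",
}

# Service names a stock XP svchost legitimately hosts. Partial allowlist (an assumption);
# build the real one from a known-clean box of the same build before trusting it.
KNOWN_SVCHOST_SERVICES = {"DcomLaunch", "TermService", "Dnscache", "LmHosts", "SSDPSRV",
                          "WebClient", "HTTPFilter", "RpcSs", "Netman", "BITS", "wuauserv"}

# The IRC registration numerics Wireshark showed in the post (leading ':' is optional).
IRC_WELCOME = [
    "irc.eapennet.com 001 [P00|USA|88773] :Welcome to the eapennet IRC Network",
    ":irc.eapennet.com 002 [P00|USA|88773] :Your host is irc.eapennet.com, running version Unreal3.2.7",
    ":irc.eapennet.com 003 [P00|USA|88773] :This server was created Fri Jul 13 19:05:40 2007",
    ":irc.eapennet.com 004 [P00|USA|88773] irc.eapennet.com Unreal3.2.7",
    ":irc.eapennet.com 005 [P00|USA|88773] NAMESX SAFELIST HCN MAXCHANNELS=10",
]

TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.*)$", re.IGNORECASE)
NETSTAT_TCP_RE = re.compile(r"^TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
IRC_NUMERIC_RE = re.compile(r"^:?(\S+)\s+(\d{3})\s+(\S+)\s*(.*)$")
# Heuristic (assumption): nicks like [P00|USA|88773] look generated from a prefix|country|number template.
BOT_NICK_RE = re.compile(r"^\[[^\]|]+\|[^\]|]+\|\d+\]$")

def parse_tasklist_svc(text):
    """Map PID -> (image name, [service names]) from `tasklist /svc` text."""
    out = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line.strip())
        if m:
            image, pid, svcs = m.groups()
            out[int(pid)] = (image, [s.strip() for s in svcs.split(",") if s.strip()])
    return out

def parse_netstat_tcp(text):
    """List TCP rows of `netstat -ano` as dicts (UDP rows have no State column and are skipped)."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_TCP_RE.match(line.strip())
        if m:
            local, remote, state, pid = m.groups()
            conns.append({"local": local, "remote": remote, "state": state, "pid": int(pid)})
    return conns

def parse_irc_welcome(lines):
    """Pull server, nick and ircd version out of the 001-005 registration numerics."""
    info = {}
    for line in lines:
        m = IRC_NUMERIC_RE.match(line.strip())
        if not m:
            continue
        server, code, nick, rest = m.groups()
        info.setdefault("server", server)
        info.setdefault("nick", nick)
        if code == "004":            # RPL_MYINFO: <servername> <version> <usermodes> <chanmodes>
            parts = rest.split()
            if len(parts) >= 2:
                info["version"] = parts[1]
    info["templated_nick"] = bool(BOT_NICK_RE.match(info.get("nick", "")))
    return info

def triage(tasklist, conns, image_paths):
    """Flag ESTABLISHED connections owned by an svchost that is not where, or not what, it should be."""
    findings = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        image, svcs = tasklist.get(c["pid"], ("?", []))
        if image.lower() != "svchost.exe":
            continue
        reasons = []
        path = image_paths.get(c["pid"], "")
        if "\\system32\\" not in path.lower():
            reasons.append("svchost image outside System32: %s" % (path or "unknown"))
        unknown = [s for s in svcs if s not in KNOWN_SVCHOST_SERVICES]
        if unknown:
            reasons.append("unrecognised service group: %s" % ", ".join(unknown))
        if reasons:
            findings.append({"pid": c["pid"], "remote": c["remote"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(parse_tasklist_svc(TASKLIST_SVC), parse_netstat_tcp(NETSTAT_ANO), IMAGE_PATHS):
        print("PID %d -> %s" % (f["pid"], f["remote"]))
        for r in f["reasons"]:
            print("   ", r)
    print(parse_irc_welcome(IRC_WELCOME))
```

On the sample data the script flags only PID 204: its svchost.exe image is outside System32 and "Winhost" is not a service group any stock svchost hosts. Either signal alone is worth chasing; a process that is both, and also holds an established connection to a remote host on an odd port, is the one to pull apart first. The IRC parser is there because the 001/004 numerics hand you the bot's nick template, the server and the ircd version with no further decoding, which is usually enough to pivot on when searching for related samples.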
 

RadiclDreamer

Diamond Member
Aug 8, 2004
I can't offer any other advice other than to submit it to someone like McAfee or Symantec, but I AM interested in finding the results if you happen to come across them.
 

tzdk

Member
May 30, 2009
How about uploading it to drop.io and give a link? :)

Did you check with Autoruns?
 

raincityboy

Senior member
Dec 30, 2004
Run Process Explorer from Sysinternals, or GMER. You can also try Red Curtain by Mandiant, very helpful for specially crafted (read: packed) malware.