NFR Wizards Archive: RE: Survey.exe

RE: Survey.exe


Jean-Hugues Smits (j.h.smitspointnet.nl)
Tue, 1 Jun 1999 10:03:15 +0200


Hi All,

I've been reading this list for a while and I must say I learned a lot. This
is my first time posting here; I hope I will help someone by reacting to this
post.
I'm running NT 4.0, SP5 and the same thing happened to me. It indeed
appears to come from a Microsoft site. The "Survey.exe" itself didn't take
up the 100% CPU utilization, but it took about 64% and the Iexplore process
took the other 35%. I made a screenshot and killed the process. The
"Survey.exe" appears to come from
ftp://msfe.microsoft.com/swcomponents/sw/Survey.exe (314KB) and I also
noticed a "Survey.dat" coming from
ftp://msfe.microsoft.com/swcomponents/so/Survey.dat (22,1KB). I also saw
(in Temp) 2 asp's (runonce.asp + SetCities.ASP?<something>) from another MS
website but they may have nothing to do with that. Hope this little bit of
information helps.
Keep up the good postings!! I'll absorb the knowledge!

Jean-Hugues Smits
j.h.smitspointnet.nl
Pointnet Security Systems

                -----Original message-----
                From: Ken Fox [mailto:kenfoxstarlinx.com]
                Sent: Sunday, 30 May 1999 19:39
                To: 'firewall-wizardsnfr.net'
                Subject: Survey.exe

                Folks --

                Anyone running an NT box seen a program called Survey.exe
                in their task manager window? This puppy was sucking up
                100% of the CPU ... I hadn't recalled running anything that
                would generate such a program; however, I was online at
                Microsoft's web site at the time (patches / downloads /
                etc) ... when I killed the process (not a terribly smart
                idea in Windows), I noticed a red icon dropped out of the
                systray, kinda looked like a wizard or a mutated AOL icon.
                Assuming this is a hacker poking around, has anyone seen
                this before? Specifically, I killed him rather than let him
                play -- OTOH I am planning on a dedicated hook-up with a
                firewall rather than dial-up ... (turns out I moved into an
                area with 7.1Meg ADSL available....

                I hadn't gotten to installing / downloading BOF yet (it is
                now) -- Specifically though, if anyone has seen this
                program before, what ports & so forth is it using and
                therefore what would we look for in an IDS or block with a
                firewall?

                I searched bugtraq for survey.exe under the assumption that
                it was malicious and/or had been seen before.

                Thanks, ken



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT