Re: Survey.exe
David LeBlanc (dleblanc@mindspring.com)
Sun, 30 May 1999 21:21:50 -0700
- Next message: Merunka, Steffen: "RE: Survey.exe"
- Previous message: Matt Curtin: "Re: Firewall-Wizards Digest V1 #311"
- In reply to: Sandy Green: "Re: Firewall-Wizards Digest V1 #311"
At 01:38 PM 5/30/99 -0400, Ken Fox wrote:
> Folks --
>
> Anyone running an NT box seen a program called Survey.exe in their task
> manager window? This puppy was sucking up 100% of the CPU ... I hadn't
> recalled running anything that would generate such a program ;
No - haven't seen that one. If you have any sort of browser security set
up, it would definitely warn you before starting an app.
Since it was running, it was almost certainly on your HD. Do a search for
it - dir c:\survey.exe /s /b ought to do nicely. I bet it is on your HD.
If it was not, the things to have done prior to torching it would have been
to do a net session and a net use from the command line. Shows you anyone
connected to your machine, and any place you are connected to. Also,
people have limited means to get things to execute locally - I assume you
have no remote shells installed. Means that it is either running as a
service (or fired by the schedule service) or _you_ started it somehow.
Since you killed it, it was probably running under your user context - ways
do exist to kill things owned by the system (or other people), but Task
Manager typically complains when you try that.
> Specifically though, if anyone has seen this program before, what ports &
> so forth is it using and therefore what would we look for in an IDS or block
> with a firewall?
Well, first of all, you don't know that it is something bad. First thing
to do is run a dumpbin (tool from VC++, or the SDK) to see what calls it is
making. If it doesn't link with winsock, MPR.DLL, or netapi32.dll, then it
probably isn't network enabled.
Figuring out which ports it is using would be accomplished by diffing
netstat -a while running and not. Russinovich (www.sysinternals.com) has a
nifty tool that shows you the handles a process has open - sockets show up
as Afd\something. Mapping that to a port isn't convenient - someone I know
was working on a tool to do just that, but I'm not sure what came of it.
> I searched bugtraq for survey.exe under the assumption that it was
> malicious and/or had been seen before.
First I'd want to take a poke at it to verify what it is doing before
coming to that conclusion. If you want to mail it to me, I'd be glad to
take a look.
BTW, I don't know what gave you the idea that killing processes isn't a
good idea (or at least as long as you don't kill the wrong ones...) - I do
that all the time for basic cleanup. I get longer uptimes if I kill
explorer.exe and restart it every few weeks. Better than rebooting.
David LeBlanc
dleblanc@mindspring.com
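The dumpbin check David describes (does the binary link against winsock, MPR.DLL or netapi32.dll?), done programmatically, as an added example that is not part of the original post: a small Python reader of a PE file's import directory that flags those DLLs, plus a constructed minimal PE32 used only as test input. Treating "winsock" as wsock32.dll / ws2_32.dll is my assumption.

```python
import struct
# DLLs the post names as signs of network capability (winsock = wsock32.dll / ws2_32.dll, assumed).
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "mpr.dll", "netapi32.dll"}

def rva_to_offset(sections, rva):  # map an RVA to a file offset via the section table
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x not backed by any section" % rva)
def imported_dlls(data):
    """Return the lower-cased DLL names in the PE import directory (PE32 or PE32+)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, sections, dlls = pe + 4, [], []
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                      # data directories start
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]              # entry 1 = import table
    for i in range(nsect):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))
    off = rva_to_offset(sections, imp_rva) if imp_rva else None
    while off is not None:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]        # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:
            break                                                      # all-zero descriptor ends the list
        noff = rva_to_offset(sections, name_rva)
        dlls.append(data[noff:data.index(b"\0", noff)].decode("ascii").lower())
        off += 20
    return dlls

def network_dlls(data):  # imports suggesting the binary can talk on the network
    return sorted(set(imported_dlls(data)) & NETWORK_DLLS)

def build_test_image(dll_names):  # constructed minimal PE32 (synthetic test input, not a real binary)
    sec_va, sec_raw, table, names = 0x1000, 0x200, bytearray(), bytearray()
    str_base = 20 * (len(dll_names) + 1)                               # names follow the descriptor list
    for n in dll_names:
        table += struct.pack("<IIIII", 0, 0, 0, sec_va + str_base + len(names), 0)
        names += n.encode("ascii") + b"\0"
    section = bytes(table + bytes(20) + names)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)      # i386, 1 section, PE32 opt hdr
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<II", opt, 104, sec_va, len(table) + 20)         # import table RVA / size
    sect = struct.pack("<8sIIII", b".idata", len(section), sec_va, len(section), sec_raw) + bytes(16)
    return (bytes(dos) + b"PE\0\0" + coff + opt + sect).ljust(sec_raw, b"\0") + section
```

On a real file, `network_dlls(open(path, "rb").read())` gives the same answer dumpbin /imports would; an empty result is only a hint, since a binary can still load DLLs at runtime with LoadLibrary.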
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT