NFR Wizards Archive: RE: Survey.exe

RE: Survey.exe


David C Niemi (niemi@tux.org)
Wed, 2 Jun 1999 10:50:31 -0400 (EDT)


This calls itself the "Microsoft Survey Wizard". I took a look at the
file, and it at least superficially looks like just another buggy Windows
program, but it's probably worth checking out with virus scanners and such.

You could perhaps email to mtscfmicrosoft.com (an address embedded in
Survey.dat) for more info.

DCN

On Tue, 1 Jun 1999, Jean-Hugues Smits wrote:
> Hi All,
>
> I've been reading this list for a while and I must say I learned a lot. This
> is my first time posting here; I hope I will help someone by reacting to this
> post.
> I'm running NT 4.0, SP5 and the same thing happened to me. It indeed
> appears to come from a Microsoft site. The "Survey.exe" itself didn't take
> up the 100% CPU utilization but it took about 64% and the Iexplore process
> took the other 35%. I made a screenshot and killed the process. The
> "Survey.exe" appears to come from
> ftp://msfe.microsoft.com/swcomponents/sw/Survey.exe
> <ftp://msfe.microsoft.com/swcomponents/sw/Survey.exe> (314KB) and I also
> noticed a "Survey.dat" coming from
> ftp://msfe.microsoft.com/swcomponents/so/Survey.dat
> <ftp://msfe.microsoft.com/swcomponents/so/Survey.dat> (22,1KB) I also saw
> (in Temp) 2 asp's (runonce.asp + SetCities.ASP?<something>) from another MS
> website but they may have nothing to do with that. Hope this little bit of
> information helps.
> Keep up the good postings!! I'll absorb the knowledge!
>
> Jean-Hugues Smits
> j.h.smitspointnet.nl <mailto:j.h.smitspointnet.nl>
> Pointnet Security Systems
>
> -----Original Message-----
> From: Ken Fox [mailto:kenfoxstarlinx.com]
> Sent: Sunday, 30 May 1999 19:39
> To: 'firewall-wizardsnfr.net'
> Subject: Survey.exe
>
>
>
> Folks --
>
> Anyone running an NT box seen a program called
> Survey.exe in their task manager window? This puppy was sucking up 100% of
> the CPU ... I hadn't recalled running anything that would generate such a
> program ; however, I was online at Microsoft's web site at the time (patches
> / downloads / etc) ... when I killed the process (not a terribly smart idea
> in Windows), I noticed a red icon dropped out of the systray, kinda looked
> like a wizard or a mutated AOL icon) Assuming this is a hacker poking around
> , has anyone seen this before. Specifically, I killed him rather than let
> him play -- OTOH I am planning on a dedicated hook-up with a firewall rather
> than Dial up ... (turns out I moved in to an area with 7.1Meg ADSL
> available....
>
> I hadn't gotten to installing / downloading BOF
> yet (it is now) -- Specifically though, if anyone has seen this program
> before, what ports & so forth is it using and therefore what would we look
> for in an IDS or block with a firewall?
>
> I searched bugtraq for survey.exe under the
> assumption that it was malicious and/or had been seen before.
>
> Thanks, ken
>

---- David C Niemi ----niemi at tux.org---- Reston VA USA ----
      ... as FUD is our witness, we will never go hungry again.
             Microsoft OEM account manager, 1992.



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT