RE: Survey.exe
Jean-Hugues Smits (j.h.smits@pointnet.nl)
Wed, 2 Jun 1999 13:53:25 +0200
- Next message: Kenneth_W_Fox@sbphrd.com: "update: Survey.exe"
- Previous message: David C Niemi: "RE: Survey.exe"
- In reply to: Jean-Hugues Smits: "RE: Survey.exe"
So,
I did my own little "Survey", and what did I find...
That freaky little thing that appeared in the systray seemed to be some MS guy with a purple hat, called "Survey Wizard." I found 5 files (couldn't find them with NT Explorer, so I used cmd.exe: dir c:\*survey*.* /s /b): survey.exe and Survey.dat (in \temp), and survey.INF, survey.ocx and SurveyControl.dll (seems to be made by a company called NETQUEST) (in \Downloaded Program Files\).
They are created by Microsoft, and it appears to be a survey to "Measure Customer Satisfaction with web site". Now that I know that, I wish I could have taken the "Survey"...
As I understand it, it is/uses ActiveX. I could find registry keys containing pointers to this program. Further, it looks like it is supposed to send mail ("Unable to load mail system support. Mail system DLL is invalid. SendMail failed to send message").
1. As I recall, I never agreed to take a survey.
2. If I did agree, it shouldn't take up 100% CPU power. Looks like a trojaned DoS by Microsoft :-(
I do not understand everything I found out (newbie), but if someone is interested... just ask me for it, and you more knowledgeable (is that English???) people might understand.
Jean-Hugues Smits
Pointnet Security Systems
j.h.smits@pointnet.nl <mailto:j.h.smits@pointnet.nl>
-----Original Message-----
From: David LeBlanc [mailto:dleblanc@mindspring.com]
Sent: Monday, 31 May 1999 6:22
To: Ken Fox; 'firewall-wizards@nfr.net'
Subject: Re: Survey.exe
At 01:38 PM 5/30/99 -0400, Ken Fox wrote:
> Folks --
>
> Anyone running an NT box seen a program called Survey.exe in their task
> manager window? This puppy was sucking up 100% of the CPU ... I hadn't
> recalled running anything that would generate such a program;
No - haven't seen that one. If you have any sort of browser security set up, it would definitely warn you before starting an app. Since it was running, it was almost certainly on your HD. Do a search for it - dir c:\survey.exe /s /b ought to do nicely. I bet it is on your HD.

If it was not, the things to have done prior to torching it would have been to do a net session and a net use from the command line. Shows you anyone connected to your machine, and any place you are connected to. Also, people have limited means to get things to execute locally - I assume you have no remote shells installed. Means that it is either running as a service (or fired by the schedule service) or _you_ started it somehow. Since you killed it, it was probably running under your user context - ways do exist to kill things owned by the system (or other people), but Task Manager typically complains when you try that.
> Specifically though, if anyone has seen this program before, what ports &
> so forth is it using and therefore what would we look for in an IDS or block
> with a firewall?
Well, first of all, you don't know that it is something bad. First thing to do is run a dumpbin (tool from VC++, or the SDK) to see what calls it is making. If it doesn't link with winsock, MPR.DLL, or netapi32.dll, then it probably isn't network enabled.

Figuring out which ports it is using would be accomplished by diffing netstat -a while running and not. Russinovich (www.sysinternals.com) has a nifty tool that shows you the handles a process has open - sockets show up as Afd\something. Mapping that to a port isn't convenient - someone I know was working on a tool to do just that, but I'm not sure what came of it.
> I searched bugtraq for survey.exe under the assumption that it was
> malicious and/or had been seen before.
First I'd want to take a poke at it to verify what it is doing before coming to that conclusion. If you want to mail it to me, I'd be glad to take a look.

BTW, I don't know what gave you the idea that killing processes isn't a good idea (or at least as long as you don't kill the wrong ones...) - I do that all the time for basic cleanup. I get longer uptimes if I kill explorer.exe and restart it every few weeks. Better than rebooting.
David LeBlanc
dleblanc@mindspring.com
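The triage David LeBlanc describes above (look at what the binary links against before calling it hostile, then diff netstat -a with and without the process running), as an added example that is not code from this thread or from either poster. It walks the PE import directory directly rather than calling dumpbin, so it runs on any platform; the sample PE image and the netstat listings are constructed here, and the set of network DLLs (winsock's WSOCK32/WS2_32, MPR and NETAPI32 from the reply, plus WININET added as an assumption) is mine.

```python
import struct

# DLLs whose presence in the import table suggests network capability.
# Winsock lives in WSOCK32.dll (1.1) and WS2_32.dll (2.x); MPR.dll and NETAPI32.dll
# are the other two the reply names. WININET.dll is added here as an assumption.
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "mpr.dll", "netapi32.dll", "wininet.dll"}

def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")

def imported_dlls(data):
    """Return the DLL names in a PE file's import directory (what dumpbin /imports lists)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+ data directories
    imp_rva, _imp_size = struct.unpack_from("<II", data, dirs + 8)  # entry 1 = imports
    sections = []
    for i in range(nsections):
        s = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dlls = []
    if imp_rva == 0:
        return dlls                                       # no import table at all
    off = _rva_to_offset(imp_rva, sections)
    while True:
        entry = struct.unpack_from("<IIIII", data, off)   # IMAGE_IMPORT_DESCRIPTOR
        if not any(entry):
            break                                         # all-zero descriptor ends the table
        dlls.append(_cstring(data, _rva_to_offset(entry[3], sections)))  # Name RVA
        off += 20
    return dlls

def network_capable(dlls):
    """Subset of the import list that points at network DLLs."""
    return sorted(d for d in dlls if d.lower() in NETWORK_DLLS)

def build_sample_pe(dll_names):
    """Constructed, non-executable PE32 image with one section holding an import table."""
    sec_rva, sec_raw = 0x1000, 0x400
    body = bytearray(20 * (len(dll_names) + 1))           # descriptors + zero terminator
    for i, name in enumerate(dll_names):
        struct.pack_into("<IIIII", body, 20 * i, 0, 0, 0, sec_rva + len(body), 0)
        body += name.encode("ascii") + b"\x00"            # name string follows the table
    hdr = bytearray(sec_raw)
    hdr[0:2] = b"MZ"
    pe_off = 0x80
    struct.pack_into("<I", hdr, 0x3C, pe_off)             # e_lfanew
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    coff, opt_size = pe_off + 4, 224
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 8, sec_rva, 20 * (len(dll_names) + 1))
    sec = opt + opt_size
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_rva, len(body), sec_raw)
    return bytes(hdr) + bytes(body)

# Constructed "netstat -a" output in NT 4 layout: before, and while the suspect runs.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    nt4box:135             0.0.0.0:0              LISTENING
  TCP    nt4box:139             0.0.0.0:0              LISTENING
  UDP    nt4box:137             *:*
"""
NETSTAT_AFTER = NETSTAT_BEFORE + "  TCP    nt4box:1040            203.0.113.5:80         ESTABLISHED\n"

def parse_netstat(text):
    rows = set()
    for line in text.splitlines():
        p = line.split()
        if p and p[0] in ("TCP", "UDP"):
            rows.add((p[0], p[1], p[2], p[3] if len(p) > 3 else ""))  # UDP rows have no state
    return rows

def new_sockets(before, after):
    """Sockets present in the second listing but not the first."""
    return sorted(parse_netstat(after) - parse_netstat(before))

if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.dll", "WSOCK32.dll", "MPR.dll"])
    dlls = imported_dlls(sample)
    print("imports:", dlls)
    print("network-capable:", network_capable(dlls) or "none")
    for row in new_sockets(NETSTAT_BEFORE, NETSTAT_AFTER):
        print("new socket:", *row)
```

On a real sample, call imported_dlls(open(path, "rb").read()) on the file you located with dir /s /b. An empty network_capable() result is evidence, not proof: a program can LoadLibrary a network DLL at run time, which never appears in the static import table, which is exactly the case the Afd\ handle check and the netstat diff are there to catch.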
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT