Friday, July 31, 2009

Fun tracking down malware - svcchost.exe

I love being tech support. Found a little nasty called svcchost.exe (classic!) on a family Windows computer. Run key in:

C:\Documents and Settings\username\Application Data\Microsoft\svcchost.exe


1 0.000000 DNS Standard query A
2 0.000590 DNS Standard query response A
3 0.000895 TCP 1588 > 3085 [SYN] Seq=0 Win=16384 Len=0 MSS=1460

Reported to McAfee. They actually have some decent advice for finding runkeys:
On Windows XP systems, click START RUN, type MSCONFIG and hit ENTER. Click the Startup tab.
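As an added illustration (not from the post, and not a McAfee tool), here is a small Python triage script that applies the two tells from this incident to a Run-key listing: an executable name one character off a core Windows process name, and an executable living under the user's profile rather than the Windows directory. The Run entries below are constructed sample data modelled on the svcchost.exe case.

```python
import re
from typing import Dict, List

# Core Windows process names that malware likes to imitate (svcchost.exe vs svchost.exe).
KNOWN_SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe",
                         "explorer.exe", "winlogon.exe", "services.exe")

# Directory fragments where a Run-key target should not normally live (user-writable paths).
SUSPICIOUS_ROOTS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\appdata\\")

# Constructed sample Run entries (name -> command), one malicious, two legitimate.
SAMPLE_RUN_ENTRIES = {
    "svcchost": r'"C:\Documents and Settings\username\Application Data\Microsoft\svcchost.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a look-alike name is usually 1 or 2 edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_run_entry(name: str, command: str) -> List[str]:
    """Return the reasons one Run-key entry looks suspicious (empty list means nothing flagged)."""
    reasons = []
    # Pull the executable path out of the command, tolerating quotes and trailing arguments.
    match = re.search(r'^"?(.*?\.exe)', command.strip(), re.IGNORECASE)
    path = (match.group(1) if match else command).lower()
    exe = path.rsplit("\\", 1)[-1]
    for known in KNOWN_SYSTEM_BINARIES:
        distance = edit_distance(exe, known)
        if distance == 0 and not path.startswith("c:\\windows\\"):
            reasons.append(f"system binary name {known} outside the Windows directory")
        elif 0 < distance <= 2:
            reasons.append(f"look-alike of {known} (edit distance {distance})")
    if any(root in path for root in SUSPICIOUS_ROOTS):
        reasons.append("executable lives in a user-writable profile directory")
    return reasons


def triage_all(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged Run-key name to its reasons; clean entries are omitted."""
    return {name: r for name, cmd in entries.items() if (r := triage_run_entry(name, cmd))}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```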

A McAfee monkey in Bangalore produced a signature and sent back an extra.dat file in just a few minutes. Mission accomplished.
