Possible New Trojan Found


Zachary Echlin
March 15th, 2004, 12:27 AM
Today I ran into a funny program file named svchost.exe in the root directory on a Windows XP machine. What caught my eye was, for one, it was in the wrong directory. The other was it had a VB-style icon. I think it might be some sort of trojan. You can download it at the URL below.

http://www.emicoconsulting.com/SvcHost.zip

Thanks for your help.

Bowserman
March 15th, 2004, 12:44 AM
Hi Zachary :).

I just scanned the file in question with TDS-3, KAV and Bitdefender....none flag it as malicious.

Just in case though, I have sent it to DCS to be checked mate.

If you are ever concerned that something might be malicious, just ZIP the file and send to submit@diamondcs.com.au, and they will get back to you ;).

Regards,
Jade.

Zachary Echlin
March 15th, 2004, 12:50 AM
"cat SvcHost.exe | strings" yields the following...

!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc
MSVBVM60.DLL
ifsn
IYss
gsNbfs
hfs'TYs$sds
*es1+es,EYs
IYsx
ifs
fs[NYsW`Ys
ffsNcfs
esibesn
cfs=]fs>
gsSHYs<
fs^GYsq
SvcHost
VB5!
SvcHost
SvcHost
SvcHost
modMain
SvcHost
kernel32
Sleep
GetSystemDirectoryA
VBA6.DLL
__vbaVarCmpEq
__vbaStrCopy
__vbaErrorOverflow
__vbaVarCopy
__vbaVarMove
__vbaInStr
__vbaI2I4
__vbaBoolVar
__vbaFpI2
__vbaStrToUnicode
__vbaStrToAnsi
__vbaLenBstr
__vbaExitProc
__vbaFileClose
__vbaPrintFile
__vbaFileOpen
__vbaFreeStr
__vbaStrCmp
__vbaFreeVar
__vbaStrCat
__vbaFreeVarList
__vbaVarCat
__vbaStrVarMove
__vbaStrMove
__vbaSetSystemError
__vbaFreeObj
__vbaHresultCheckObj
__vbaNew2
__vbaOnError
pSVW
j|h<
lSVW
h0!@
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaLenBstr
__vbaFreeVarList
_adj_fdiv_m64
_adj_fprem1
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaExitProc
__vbaOnError
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaBoolVar
_CIsin
__vbaChkstk
__vbaFileClose
__vbaStrCmp
__vbaI2I4
DllFunctionCall
_adj_fpatan
_CIsqrt
__vbaExceptHandler
__vbaPrintFile
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaVarCat
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarCmpEq
__vbaStrToAnsi
__vbaFpI2
__vbaVarCopy
_CIatan
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr
1u

It's definitely a Visual Basic application.
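The `strings` dump above can be triaged mechanically. The script below is an added example, not code from anyone in this thread: it takes a constructed subset of the posted strings, recognises the VB6 runtime markers (MSVBVM60.DLL, VBA6.DLL, VB5!) and reports which imports hint at file writes under the system directory, which is consistent with the hosts-file edit described later. The marker and hint tables are my own heuristic choices.

```python
# Constructed sample: a subset of the `strings` output posted in the thread.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
MSVBVM60.DLL
SvcHost
VB5!
modMain
kernel32
Sleep
GetSystemDirectoryA
VBA6.DLL
__vbaFileOpen
__vbaPrintFile
__vbaFileClose
__vbaStrCat
__vbaInStr
"""

# Heuristic tables (assumed, not from the thread): runtime markers and
# the capability each interesting import suggests.
VB_RUNTIME_MARKERS = {"MSVBVM60.DLL", "VBA6.DLL", "VB5!"}
CAPABILITY_HINTS = {
    "GetSystemDirectoryA": "resolves the system directory (hosts lives under drivers\\etc)",
    "__vbaFileOpen": "opens a file (VB Open statement)",
    "__vbaPrintFile": "writes text to an open file (VB Print #)",
    "__vbaFileClose": "closes a file",
    "Sleep": "delays execution",
}

def triage_strings(dump: str) -> dict:
    """Return a small report: VB6 runtime present, capability hints, file-write guess."""
    names = {line.strip() for line in dump.splitlines() if line.strip()}
    vb_markers = sorted(names & VB_RUNTIME_MARKERS)
    hints = {n: CAPABILITY_HINTS[n] for n in sorted(names & CAPABILITY_HINTS.keys())}
    return {
        "is_vb6": bool(vb_markers),
        "vb_markers": vb_markers,
        "capabilities": hints,
        # Open + Print together is the VB6 pattern for writing a text file.
        "likely_writes_file": {"__vbaFileOpen", "__vbaPrintFile"} <= names,
        "touches_system_dir": "GetSystemDirectoryA" in names,
    }

if __name__ == "__main__":
    report = triage_strings(SAMPLE_STRINGS)
    print(f"VB6 runtime: {report['is_vb6']} {report['vb_markers']}")
    for name, meaning in report["capabilities"].items():
        print(f"  {name}: {meaning}")
    print("Likely writes a file under the system directory:",
          report["likely_writes_file"] and report["touches_system_dir"])
```

The hints only say what the binary is able to do; confirming what it actually writes still needs a sandbox run or a disassembler, as Bowserman's follow-up shows.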

Bowserman
March 15th, 2004, 06:22 AM
Hi again Zachary :).

This is what the program does.....it adds this to the hosts file on 2k/XP/2003:

127.0.0.1 www.clickspring.net # ADWARE REMOVED

If you aren't happy with it being there, simply open your hosts file in notepad and delete that entry ;).

Regards,
Jade.

Zachary Echlin
March 16th, 2004, 01:15 AM
Hmmm.... What a funny piece of software. ???

Thanks for all your help.