Possible New Trojan Found

Discussion in 'Trojan Defence Suite' started by Zachary Echlin, Mar 15, 2004.

Thread Status:
Not open for further replies.
  1. Today I ran into a funny program file named svchost.exe in the root directory on a Windows XP machine. What caught my eye was, for one, it was in the wrong directory. The other was it had a VB-style icon. I think it might be some sort of trojan. You can download it at the URL below.

    http://www.emicoconsulting.com/SvcHost.zip

    Thanks for your help.
     
  2. Bowserman (Infrequent Poster; joined Apr 15, 2003; 510 posts; South Australia)

    Hi Zachary :).

    I just scanned the file in question with TDS-3, KAV and Bitdefender....none flag it as malicious.

    Just in case though, I have sent it to DCS to be checked mate.

    If you are ever concerned that something might be malicious, just ZIP the file and send to submit@diamondcs.com.au, and they will get back to you ;).

    Regards,
    Jade.
     
  3. "cat SvcHost.exe | strings" yields the following...

    !This program cannot be run in DOS mode.
    Rich
    .text
    `.data
    .rsrc
    MSVBVM60.DLL
    ifsn
    IYss
    gsNbfs
    hfs'TYs$sds
    *es1+es,EYs
    IYsx
    ifs
    fs[NYsW`Ys
    ffsNcfs
    esibesn
    cfs=]fs>
    gsSHYs<
    fs^GYsq
    SvcHost
    VB5!
    SvcHost
    SvcHost
    SvcHost
    modMain
    SvcHost
    kernel32
    Sleep
    GetSystemDirectoryA
    VBA6.DLL
    __vbaVarCmpEq
    __vbaStrCopy
    __vbaErrorOverflow
    __vbaVarCopy
    __vbaVarMove
    __vbaInStr
    __vbaI2I4
    __vbaBoolVar
    __vbaFpI2
    __vbaStrToUnicode
    __vbaStrToAnsi
    __vbaLenBstr
    __vbaExitProc
    __vbaFileClose
    __vbaPrintFile
    __vbaFileOpen
    __vbaFreeStr
    __vbaStrCmp
    __vbaFreeVar
    __vbaStrCat
    __vbaFreeVarList
    __vbaVarCat
    __vbaStrVarMove
    __vbaStrMove
    __vbaSetSystemError
    __vbaFreeObj
    __vbaHresultCheckObj
    __vbaNew2
    __vbaOnError
    pSVW
    j|h<
    lSVW
    h0!@
    MSVBVM60.DLL
    _CIcos
    _adj_fptan
    __vbaVarMove
    __vbaFreeVar
    __vbaStrVarMove
    __vbaLenBstr
    __vbaFreeVarList
    _adj_fdiv_m64
    _adj_fprem1
    __vbaStrCat
    __vbaSetSystemError
    __vbaHresultCheckObj
    _adj_fdiv_m32
    __vbaExitProc
    __vbaOnError
    _adj_fdiv_m16i
    _adj_fdivr_m16i
    __vbaBoolVar
    _CIsin
    __vbaChkstk
    __vbaFileClose
    __vbaStrCmp
    __vbaI2I4
    DllFunctionCall
    _adj_fpatan
    _CIsqrt
    __vbaExceptHandler
    __vbaPrintFile
    __vbaStrToUnicode
    _adj_fprem
    _adj_fdivr_m64
    __vbaFPException
    __vbaVarCat
    _CIlog
    __vbaErrorOverflow
    __vbaFileOpen
    __vbaNew2
    __vbaInStr
    _adj_fdiv_m32i
    _adj_fdivr_m32i
    __vbaStrCopy
    _adj_fdivr_m32
    _adj_fdiv_r
    __vbaVarCmpEq
    __vbaStrToAnsi
    __vbaFpI2
    __vbaVarCopy
    _CIatan
    __vbaStrMove
    _allmul
    _CItan
    _CIexp
    __vbaFreeObj
    __vbaFreeStr
    1u

    It's definitely a Visual Basic application.
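
The reading above (runtime DLL names, the VB5! marker, and the imported `__vbaFileOpen`/`__vbaPrintFile`/`GetSystemDirectoryA` entries) can be made mechanical. The following is an added example, not code from the thread or from DiamondCS: a small `strings` reimplementation with a triage pass over its output, plus the "system binary name in the wrong directory" check from the first post. The `SAMPLE` bytes are constructed to carry the same indicator strings the post lists and are not the real SvcHost.exe; the indicator groups, the `SYSTEM_BINARIES` list and the XP `C:\WINDOWS\system32` default are assumptions for the example. It also scans for UTF-16LE runs, which plain `strings` skips and which is where a VB6 binary keeps its string literals.

```python
"""Added example, not from the thread: a small 'strings' reimplementation and a
triage pass over what it finds, mirroring the manual reading of the output above.
SAMPLE is a constructed byte blob seeded with the same indicator strings the post
lists (runtime name, VB5! marker, imports); it is not the real SvcHost.exe."""
import ntpath
import re


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII bytes, as GNU `strings` reports by default."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of UTF-16LE text (`strings -e l`). VB6 keeps its string literals in
    UTF-16, so a plain `strings` pass can miss the very paths and hostnames that
    would explain what a VB binary does."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Strings from the post's output grouped by what they imply (assumed grouping).
INDICATORS = {
    "vb6_runtime": {"MSVBVM60.DLL", "VBA6.DLL", "VB5!"},
    "file_write": {"__vbaFileOpen", "__vbaPrintFile"},
    "system_dir_lookup": {"GetSystemDirectoryA"},
    "sleep": {"Sleep"},
}


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Map each indicator group to the strings that were actually present."""
    found = set(strings)
    return {tag: sorted(found & needles)
            for tag, needles in INDICATORS.items() if found & needles}


# Well-known Windows process names that malware likes to borrow (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def masquerades_as_system_binary(path: str, system_dir: str = r"C:\WINDOWS\system32") -> bool:
    """True when the file name is a system binary's but the directory is not the
    system directory (the XP default is assumed here). This is the 'wrong
    directory' observation from the first post, made mechanical."""
    name = ntpath.basename(path).lower()
    parent = ntpath.normpath(ntpath.dirname(path)).lower()
    return name in SYSTEM_BINARIES and parent != ntpath.normpath(system_dir).lower()


# Constructed sample: DOS stub text, VB runtime imports and a UTF-16 path literal,
# separated by non-printable bytes so the run detection has something to split on.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"!This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + b"MSVBVM60.DLL\x00\x01\x02\x03SvcHost\x00VB5!\x00modMain\x00"
    + b"kernel32\x00Sleep\x00GetSystemDirectoryA\x00"
    + b"__vbaFileOpen\x00__vbaPrintFile\x00__vbaStrCat\x00\x00\x00"
    + "\\drivers\\etc\\hosts".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x01ab"
)


if __name__ == "__main__":
    ascii_strings = extract_strings(SAMPLE)
    print("ascii:", ascii_strings)
    print("utf-16le:", extract_utf16le_strings(SAMPLE))
    print("triage:", triage(ascii_strings))
    print("odd location:", masquerades_as_system_binary(r"C:\SvcHost.exe"))
```

Run it as-is to see the constructed sample triaged; point `extract_strings` and `extract_utf16le_strings` at the bytes of a real file to repeat the exercise on it. The UTF-16 pass is the part worth remembering: on the constructed sample the ASCII pass never sees the `\drivers\etc\hosts` literal at all.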
     
  4. Bowserman

    Hi again Zachary :).

    This is what the program does.....it adds this to the hosts file on 2k/XP/2003:

    Code:
    127.0.0.1 www.clickspring.net  # ADWARE REMOVED

    If you aren't happy with it being there, simply open your hosts file in notepad and delete that entry ;).

    Regards,
    Jade.
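
Jade's advice is to open the hosts file in Notepad and delete the line by hand. The following is an added example, not code from the thread or from DiamondCS, that does the same job programmatically: it parses a hosts file, lists every entry that pins a name other than localhost to a loopback address (the shape of the quoted clickspring line), and removes one hostname while leaving the other lines byte-for-byte intact. `HOSTS_SAMPLE` is constructed; only the clickspring line is the one quoted in the post, and the `HOSTS_PATH` default assumes `%SystemRoot%` is `C:\WINDOWS`, the 2000/XP/2003 default.

```python
"""Added example, not from the thread: parse a Windows hosts file, list the entries
that pin a public hostname to a loopback address, and remove a named entry while
leaving everything else byte-for-byte intact. HOSTS_SAMPLE is constructed; only
the clickspring line is the one quoted in the post."""
import ipaddress
from dataclasses import dataclass

# Default location on 2000/XP/2003 (assumes %SystemRoot% is C:\WINDOWS).
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1 www.clickspring.net  # ADWARE REMOVED
127.0.0.1 ads.example.test example.test  # constructed multi-name line
"""


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: list[str]
    comment: str


def parse_hosts(text: str) -> list[HostsEntry]:
    """One entry per mapping line; comment-only and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue
        entries.append(HostsEntry(lineno, fields[0], fields[1:], comment.strip()))
    return entries


def sinkholed(entries: list[HostsEntry]) -> list[tuple[int, list[str], str]]:
    """Entries that send a name other than 'localhost' to a loopback address,
    which is how both ad-blocking lists and hostile redirects show up."""
    hits = []
    for e in entries:
        try:
            addr = ipaddress.ip_address(e.address)
        except ValueError:
            continue  # malformed address field; leave it for a human to look at
        names = [n for n in e.names if n.lower() != "localhost"]
        if addr.is_loopback and names:
            hits.append((e.lineno, names, e.comment))
    return hits


def remove_hostname(text: str, hostname: str) -> str:
    """Drop `hostname` from the hosts text. A line that mapped only that name
    disappears; a line that mapped several names keeps the others and its comment.
    Untouched lines are copied through unchanged, whitespace and line endings too."""
    target = hostname.lower()
    out = []
    for raw in text.splitlines(keepends=True):
        body, sep, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2 or target not in (n.lower() for n in fields[1:]):
            out.append(raw)
            continue
        remaining = [n for n in fields[1:] if n.lower() != target]
        if not remaining:
            continue
        newline = raw[len(raw.rstrip("\r\n")):]          # keep the original ending
        tail = (" #" + comment.rstrip("\r\n")) if sep else ""
        out.append(" ".join([fields[0], *remaining]) + tail + newline)
    return "".join(out)


def clean_hosts_file(path: str, hostname: str) -> None:
    """Apply remove_hostname to a file on disk (needs admin rights on Windows)."""
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(remove_hostname(text, hostname))


if __name__ == "__main__":
    for lineno, names, comment in sinkholed(parse_hosts(HOSTS_SAMPLE)):
        print(f"line {lineno}: {', '.join(names)} -> loopback ({comment or 'no comment'})")
    print(remove_hostname(HOSTS_SAMPLE, "www.clickspring.net"))
```

`sinkholed` only reports; it cannot tell a hosts-based ad blocker from a redirect someone planted, and the `# ADWARE REMOVED` comment on the quoted line is exactly the kind of thing a reviewer has to weigh by hand. `clean_hosts_file(HOSTS_PATH, "www.clickspring.net")` is the scripted form of the Notepad edit; take a copy of the file first.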
     
  5. Hmmm.... What a funny piece of software. o_O

    Thanks for all your help.
     