Svchelper.exe...probably unknown NewHeur_PE virus

Discussion in 'NOD32 version 2 Forum' started by hispanico, Jul 9, 2005.

Thread Status:
Not open for further replies.
  1. hispanico

    hispanico Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    6
    My NOD32 2.5 with the latest signatures reports:

    C:\windows\system32\svchelper.exe.....probably unknown NewHeur_PE virus

    ...svchelper.exe is a Windows system file... I don't know if I must delete it, or, as I saw in another forum, whether it is a false warning..??

    Thanks for the help
    Wal
     
  2. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    C:\windows\system32\svchelper.exe is not on my Windows XP SP2 computer. I did a Google search for it and got nothing at all. I bet it really is a new virus.

    If that file is still on your computer, right-click it, look at Properties, and check the Creation Date in the General tab. On the Version tab, look at the Description field and also look at the other info, like Company, File Version, etc. A file that is really from Microsoft will have good values for all these fields. A virus usually has nothing or garbage here.
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    Likewise, no such file on my Win XP SP2 pc.

    I would submit it to Eset for further analysis.

    Regards,

    Jag
     
  4. hispanico

    hispanico Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    6
    Some notes from the file's Properties (right-click):

    Description: Generic Host Process for Win32 System Helper
    Product: Microsoft® Windows® Operating System
    Version: 5.02.0479
    Company: Microsoft Corporation
     
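The checks alglove describes (creation date, Company, Description, File Version) and the Properties output Wal pasted above, as an added example that is not from the thread: a PowerShell triage script for a suspicious file in System32. It assumes Windows PowerShell 4 or later (for Get-FileHash) on a Windows host; the path is the one from the thread and the warning text is my own. The point the thread itself illustrates is built in: the version-resource strings are set by whoever built the file and prove nothing, so the script also checks the Authenticode signature and prints hashes for a multi-engine lookup.

```powershell
# Added example, not code from the thread: triage of a suspicious System32 file.
# Assumes Windows PowerShell 4+ or PowerShell 7 on Windows.
param(
    [string]$Path = "$env:SystemRoot\System32\svchelper.exe"   # path from the thread
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Host "Not present: $Path"
    return
}

$item = Get-Item -LiteralPath $Path
$vi   = $item.VersionInfo

# 1. Timestamps. A 'Windows' file created long after the OS install is a hint,
#    not proof: the attacker can set these.
[pscustomobject]@{
    Path      = $item.FullName
    SizeBytes = $item.Length
    Created   = $item.CreationTimeUtc
    Modified  = $item.LastWriteTimeUtc
} | Format-List

# 2. Version resource: the Properties > Version tab fields. These strings live
#    inside the file; the sample in this thread said 'Microsoft Corporation'
#    and was still a bot, so treat them as claims, never as evidence.
[pscustomobject]@{
    CompanyName     = $vi.CompanyName
    FileDescription = $vi.FileDescription
    ProductName     = $vi.ProductName
    FileVersion     = $vi.FileVersion
    ProductVersion  = $vi.ProductVersion
    OriginalName    = $vi.OriginalFilename
} | Format-List

# 3. Hashes: MD5 matches what Jotti-era reports print, SHA256 is what you look up today.
$md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
Write-Host "MD5    $md5"
Write-Host "SHA256 $sha256"

# 4. Authenticode: unlike the version strings, a valid signature chaining to
#    Microsoft cannot be produced by editing a resource. Note that many genuine
#    System32 files are catalog-signed; older Windows versions may report those
#    as NotSigned, so cross-check against a known-clean install before acting.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
Write-Host ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)

# 5. Verdict hint: claims Microsoft, but carries no valid Microsoft signature.
$claimsMicrosoft   = $vi.CompanyName -like '*Microsoft*'
$signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                     ($sig.SignerCertificate.Subject -like '*Microsoft*')
if ($claimsMicrosoft -and -not $signedByMicrosoft) {
    Write-Warning 'Version info claims Microsoft but the file is not validly signed by Microsoft: quarantine it and submit the sample.'
}
```

Run it from an elevated prompt so the file is readable; if the file is locked by a running process, note the PID first, since that process is your next pivot.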
  5. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    That file is not on my computer either o_O
     
  6. hadi

    hadi Guest

    no. not on mine
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    ... nor on mine... I don't think there even IS a MS file by that name...

    I suggest you upload Svchelper.exe at Jotti's in order for it to be tested:

    http://virusscan.jotti.org/

    Please give us a copy and paste of the scan results.
     
  8. Marauder

    Marauder Registered Member

    Joined:
    Jun 17, 2005
    Posts:
    28
    I don't have that file either.
     
  9. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Uh, oh. It sounds like virus writers are starting to get more clever. :eek: What is the creation date of that file?
     
  10. hispanico

    hispanico Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    6
    From: http://virusscan.jotti.org/

    Report:

    File: svchelper.exe
    Status:
    POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
    MD5 91c70f2aeddee196397090d1d2caf755
    Packers detected:
    -
    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found probably unknown NewHeur_PE (probable variant)
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found nothing

    .....
     
  11. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Put this file in quarantine, send it to ESET for analysis and wait for the next updates to see what happens... ;)
     
  12. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I'd like to have a closer look at this file myself, if possible.

    You can send it to submit_stuffATxs4all.nl for analysis. (replace 'AT' by @)

    Much appreciated! :)
     
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    The version number of that file is not right either. All WinXP system files (except DirectX) are supposed to be of version number 5.1.xxxx, not 5.0.xxxx
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, there's absolutely nothing at all to be found on this file on the Net, and if it were indeed a Windows file that would be rather unlikely...
     
  15. GuruGuy

    GuruGuy Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    48
    There is a file called "svchelper" that is on google......looks like it may have something to do with Tight VNC server software.........

    Do a google on svchelper
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yes, but it refers to a SVCHELPER option, it doesn't mention a file by that name though...

    I'd really like a copy of that file as requested. That should hopefully help identifying it.

    If necessary, I'll simply execute it and log what happens.
     
  17. hispanico

    hispanico Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    6
    ...okay, I sent the file to NOD32 mail support... and await some news... I hope

    Thanks to all
    Wal
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Would you send me a copy as well, please? I'd like to have a closer look at it myself.
    You *might* just get a swifter reaction that way too... :D

    Thanks! :)
     
  19. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    To all who have been following this thread. ;)

    It appears to be a new strain of the Rbot series with the XTreme-Protector 1.05 packing method.

    A port is opened to irc2.tin.it:6667.

    Sound familiar?
     
    Last edited: Jul 10, 2005
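The network behaviour rumpstah reports (an outbound IRC connection to irc2.tin.it on 6667) is the indicator a responder would hunt for on other machines. As an added example that is not from the thread, the following PowerShell lists established connections on IRC ports and ties each back to its process and on-disk image. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; the host name and port 6667 come from the post above, the wider port range and the output layout are my own assumptions.

```powershell
# Added example, not code from the thread: hunt for live IRC-port connections
# and map them to the owning process. Assumes Windows 8+/Server 2012+.
$ircPorts = @(6660..6669) + 6697   # 6667 from the post, plus the usual IRC range and IRC-over-TLS
$ircHosts = @('irc2.tin.it')       # C2 host name reported in the post

$hits = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $ircPorts -contains $_.RemotePort }

foreach ($c in $hits) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    # Reverse lookup is best-effort: bots often connect by IP, and the name may not resolve.
    $rdns = try { [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName } catch { '' }
    [pscustomobject]@{
        LocalPort   = $c.LocalPort
        Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
        RemoteName  = $rdns
        KnownC2Name = ($ircHosts -contains $rdns)
        PID         = $c.OwningProcess
        Process     = $proc.ProcessName
        Image       = $proc.Path
    }
}

if (-not $hits) {
    Write-Host 'No established IRC-port connections right now. An idle or disconnected bot will not show here; check autorun/persistence entries as well.'
}
```

A hit whose Image is a System32 path with no valid Microsoft signature is the same pattern as the file in this thread: quarantine the image, capture the PID's memory if you can, and block the remote host at the perimeter before rebooting.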
  20. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    A demonstration of NOD advanced heuristics in action.
     
  21. hispanico

    hispanico Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    6
    .....Tony...no problem...send me a PM with your mail

    Wal
     
  22. FanJ

    FanJ Guest

    Hi Wal,

    For Tony's addy see reply # 12 in this thread ;)
     
  23. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yup, what Jan said... ;)

    Thanks, Wal! :)

    (and thank you, Jan!)
     
  24. jlo

    jlo Registered Member

    Joined:
    Nov 29, 2004
    Posts:
    475
    Location:
    UK
    Hi,

    Good job Eset on finding that virus first. You may also want to submit the file to http://www.virustotal.com/flash/index_en.html as the file will get passed on to all other AVs that did not detect it.

    I know Jotti's scanner does the same but only if 2 or more scanners detect the file as suspect (message said this will not be stored)

    Cheers

    Jlo
     
  25. hispanico

    hispanico Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    6
    ..."For Tony's addy see reply # 12 in this thread "

    Okay, I'm sending it.
    Thanks
    Wal
     