Networking
1748127 Members
3970 Online
108758 Solutions
New Discussion юеВ

Re: Virus Warning scvhost.exe

 
SOLVED
Go to solution
Ron Kinner
Honored Contributor

Virus Warning scvhost.exe

No, the above is not a typo. There are usually three of the benign svchost.exe processes running on a basic Win2K box but the virus is scvhost.exe. (v and c reversed) Task manager will show it being a CPU hog.

The amount of traffic the thing can generate is amazing and just to make matters interesting it likes to forge the source addresses of the packets it sends so you sometimes have to chase it down by following its MAC address through the switch network.

Once you locate it, disconnect the network cable and remove the two entries ( "Config Loader" = SCVHOST.EXE ) in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersionRun

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersionRunServices

Restart and then go to winnt\system32 and delete the scvhost.exe file. (And empty the recycle bin afterwards.)

Patch with the MS03-001 (RPC Locator)
MS03-026 (Dcom RPC) patches from Microsoft before letting it get back on line.

Norton's LiveUpdate was dated 9/4 until about an hour ago and the virus was discovered 9/5 so it was no help. Their intelligent update supposedly did have the fix but since it took down our internet link we had no way to get it.

http://vil.mcafee.com/dispVirus.asp?virus_k=100611

Moral of the story is don't rely on your firewall to protect you. Keep your patches up to date and don't forget the people who were on vacation or on a trip when you installed the patches the first time! Don't rely on Norton's live update. Better to have a script download the Intelligent updater file every day and put it on the NAV server.

And keep a supply of food at work so you don't starve when you have to work all night fighting the thing like I did. Went home this morning at 5:30. Came back at 11 to find it had flared up again. I hate laptops!

Ron




10 REPLIES 10
Jon Finley
Honored Contributor

Re: Virus Warning scvhost.exe

You da Man Ron!

Thanks for the howto.. Sorry it cost you though.

Jon
"Do or do not. There is no try!" - Yoda
GK_5
Regular Advisor

Re: Virus Warning scvhost.exe

I had the same problem. Installing Microsoft updates and SP4 fixed it.
IT is great!
Roger Faucher
Honored Contributor

Re: Virus Warning scvhost.exe

Ron:

I had the same problem and I just reversed the positions of the c and the v and that fixed it.

Who else!
Make a great day!

Roger
Ron Kinner
Honored Contributor

Re: Virus Warning scvhost.exe

Very funny Roger. Hope you are ready for a lot of requests on how to do that.

Seriously: MS has a tool which will scan your network and report any systems which are still vulnerable to the "Worms of August."

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=13AE421B-7BAB-41A2-843B-FAD838FE472E

Even after being hit with all four worms and thinking we had upgraded everyone the tools still found 8 vulnerable systems so I urge anyone who has a network of the beasts to download and run the tool. It doesn't take long for it to run and it also reports on the new 039 vulnerability.

Ron
Roger Faucher
Honored Contributor

Re: Virus Warning scvhost.exe

Hey Ron:

No Points? (LOL, as they say!)

I just checked my two machines...
one had both installed but the other had only the earlier one.

Thanks.

Roger
Make a great day!

Roger
Jay Bollyn
Honored Contributor

Re: Virus Warning scvhost.exe

Ron,

I think this thread points to the importance of using an automated system like SUS to apply Critical Updates. Here is more info about my experience with this free MS server app:

http://bizforums.itrc.hp.com/cm/QuestionAnswer/1,,0x2ad16fc82347594ca444e23e25ed35ff,00.html

Also, thanks for posting the link to the scan tool. These MS scan tools are quite useful to get a quick snapshot of network vulnerability.

It does seem like MS is paying more attention to security lately.

:-) Jay



check Facebook
Kurt Matthies
Valued Contributor

Re: Virus Warning scvhost.exe

Hi Ron,

Sorry to hear of your infection. Some of us who run networks and servers become complacent in applying patches at times.

First, not all patches are necessary. If it aint broke, don't fix it is generally a wise attitude, but it can bite you when you become infected through a laptop or "user error."

Secondly, some patches are quick fixes, only to be succeeded by version 2 or version 3, 4, and 5 after the Microsoft system engineering team rethinks the problem. Sometimes the patch causes more problems then the original bug, bringing down a critical system. Regardless, it is frustrating to have to apply the same patch multiple times.

So, I, like many of my colleagues, have a wait and see attitude about applying patches.

However, there have been a few bad bugs that have required immediate fixes. The W32.Blaster.Worm bug was one example of this (MS03-026). As of Sept 10, a new RPC problem, outlined in MS03-039 appeared which if left unpatched, will soon have a vector similar to the Blaster worm. (For further info, see our website at http://www.mesainteractive.com/blaster_RPC2.asp which contains info on this vulnerability and links to the Microsoft site for patches and info.)

Please apply this patch today if you already haven't. We're in for another batch of attacks on ports 135, 139, and related.

The Blaster worm was flawed. Perhaps the hoodlums who are working on this new exploit will fix some of those problems and this new worm will be more deadly than Blaster or the Gaobot worm that infected your enterprise.

The decision to patch is an artform. Tools like the RPC scanner you mention and the Windows Update service are invaluable to those of us who have to keep systems up to date, but no tool is going to have the judgement a good sysadmin applies in the decision of when and where to apply a particular patch. Each enterprise has it's own characteristics, needs and priorities, and no one has yet built a software model to make the proper decision of to patch or not to patch. Until then, our job is going to be harder and more time consuming.

But, from experience, I know that it is so much easier to patch than it is to remove a virus from an active network.

I used to have a test platform in which to test patches before I applied them. I know am running NT, 2000, and 2003 servers, with different configurations, so the model is too complex. I do however, have backups readily available incase a patch goes wrong. And I don't use automated systems like SMS or SUS to patch servers.

Hope this little bit of advice helped. Good luck to all in keeping the gremlins outside the castle walls.
If if ain't broke, don't fix it.
Ron Kinner
Honored Contributor

Re: Virus Warning scvhost.exe

The MS scanner I gave the link to also checks for the presence of the 039 patch too.

Ron
Patrick Coleman_5
New Member

Re: Virus Warning scvhost.exe

Just wanted to post my experiances:
The virus was residing in
winnt/system32/wins/scvhost.exe
and booted itself with a registry entry at
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services/cfgldr

This seemed to be a full registry entry (subkeys, etc) describing a system service. I backed up the entry and erased the entire cfgldr key, rebooted and erased the scvhost.exe. Now the server runs about 170% faster :)
-Patrick