Virus Warning scvhost.exe

09-10-2003 03:25 PM
The amount of traffic the thing can generate is amazing and just to make matters interesting it likes to forge the source addresses of the packets it sends so you sometimes have to chase it down by following its MAC address through the switch network.
Once you locate it, disconnect the network cable and remove the two entries ( "Config Loader" = SCVHOST.EXE ) in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Restart and then go to winnt\system32 and delete the scvhost.exe file. (And empty the recycle bin afterwards.)
Patch with the MS03-001 (RPC Locator) and MS03-026 (DCOM RPC) patches from Microsoft before letting it get back on line.
Norton's LiveUpdate was dated 9/4 until about an hour ago and the virus was discovered 9/5 so it was no help. Their intelligent update supposedly did have the fix but since it took down our internet link we had no way to get it.
http://vil.mcafee.com/dispVirus.asp?virus_k=100611
Moral of the story is don't rely on your firewall to protect you. Keep your patches up to date and don't forget the people who were on vacation or on a trip when you installed the patches the first time! Don't rely on Norton's live update. Better to have a script download the Intelligent updater file every day and put it on the NAV server.
And keep a supply of food at work so you don't starve when you have to work all night fighting the thing like I did. Went home this morning at 5:30. Came back at 11 to find it had flared up again. I hate laptops!
Ron
09-10-2003 08:39 PM
Thanks for the howto. Sorry it cost you though.
Jon
09-12-2003 11:39 AM
09-12-2003 05:41 PM
I had the same problem and I just reversed the positions of the c and the v and that fixed it.
Who else!
Roger
09-14-2003 03:42 AM
Seriously: MS has a tool which will scan your network and report any systems which are still vulnerable to the "Worms of August."
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=13AE421B-7BAB-41A2-843B-FAD838FE472E
Even after being hit with all four worms and thinking we had upgraded everyone, the tool still found 8 vulnerable systems, so I urge anyone who has a network of the beasts to download and run the tool. It doesn't take long for it to run and it also reports on the new 039 vulnerability.
Ron
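An added example, not the Microsoft scanner Ron links to: a PowerShell function that reports which hosts still lack the RPC/DCOM updates this thread is about, read from the installed-update records that Get-HotFix exposes. The bulletin-to-KB mapping in the script is my own (the page names only the bulletin IDs), as is the treatment of MS03-039 as superseding MS03-026. It tells you what Windows believes is installed; unlike the network scanner it does not probe the RPC service itself, so a host whose patch install failed silently will still show as patched here.

```powershell
# Added example (not from the thread): list hosts that still lack the
# RPC/DCOM security updates discussed above, using Get-HotFix.
#
# Assumption (my mapping from bulletin to update, not stated on the page):
#   MS03-001 -> KB810833   RPC Locator
#   MS03-026 -> KB823980   DCOM RPC (the Blaster vector)
#   MS03-039 -> KB824146   later RPCSS fix, supersedes MS03-026
$Bulletins = [ordered]@{
    'MS03-001' = 'KB810833'
    'MS03-026' = 'KB823980'
    'MS03-039' = 'KB824146'
}

function Test-RpcPatchState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            $installed = @{}
            try {
                # Remote queries go over WMI/DCOM, so this needs admin rights on
                # the target and RPC reachable: the same surface the worms hit.
                Get-HotFix -ComputerName $computer -ErrorAction Stop |
                    ForEach-Object { $installed[$_.HotFixID] = $true }
            } catch {
                [pscustomobject]@{
                    Computer = $computer
                    Status   = 'unreachable'
                    Missing  = $_.Exception.Message
                }
                continue
            }

            $missing = @($Bulletins.Keys | Where-Object { -not $installed.ContainsKey($Bulletins[$_]) })
            # MS03-039 replaced MS03-026: a host carrying KB824146 does not also
            # need KB823980, so do not flag it for the older bulletin.
            if ($installed.ContainsKey('KB824146')) {
                $missing = @($missing | Where-Object { $_ -ne 'MS03-026' })
            }

            $status = if ($missing.Count -gt 0) { 'VULNERABLE' } else { 'patched' }
            [pscustomobject]@{
                Computer = $computer
                Status   = $status
                Missing  = ($missing -join ', ')
            }
        }
    }
}

# Usage: one host, or a whole list read from a file (hosts.txt is a placeholder).
Test-RpcPatchState -ComputerName 'localhost' | Format-Table -AutoSize
# Get-Content .\hosts.txt | Test-RpcPatchState | Where-Object Status -ne 'patched'
```

Run it from an account that is an administrator on the targets. Hosts that come back as "unreachable" deserve a second look rather than a shrug: a machine that was off or off-site when the patches went out is exactly the laptop Ron describes in his first post.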
09-14-2003 06:52 AM
No Points? (LOL, as they say!)
I just checked my two machines...
one had both installed but the other had only the earlier one.
Thanks.
Roger
09-14-2003 08:38 AM
I think this thread points to the importance of using an automated system like SUS to apply Critical Updates. Here is more info about my experience with this free MS server app:
http://bizforums.itrc.hp.com/cm/QuestionAnswer/1,,0x2ad16fc82347594ca444e23e25ed35ff,00.html
Also, thanks for posting the link to the scan tool. These MS scan tools are quite useful to get a quick snapshot of network vulnerability.
It does seem like MS is paying more attention to security lately.
:-) Jay
09-14-2003 01:15 PM
Sorry to hear of your infection. Some of us who run networks and servers become complacent in applying patches at times.
First, not all patches are necessary. "If it ain't broke, don't fix it" is generally a wise attitude, but it can bite you when you become infected through a laptop or "user error."
Secondly, some patches are quick fixes, only to be succeeded by version 2 or version 3, 4, and 5 after the Microsoft system engineering team rethinks the problem. Sometimes the patch causes more problems than the original bug, bringing down a critical system. Regardless, it is frustrating to have to apply the same patch multiple times.
So, I, like many of my colleagues, have a wait and see attitude about applying patches.
However, there have been a few bad bugs that have required immediate fixes. The W32.Blaster.Worm bug was one example of this (MS03-026). As of Sept 10, a new RPC problem, outlined in MS03-039, appeared which, if left unpatched, will soon have a vector similar to the Blaster worm. (For further info, see our website at http://www.mesainteractive.com/blaster_RPC2.asp which contains info on this vulnerability and links to the Microsoft site for patches and info.)
Please apply this patch today if you haven't already. We're in for another batch of attacks on ports 135, 139, and related.
The Blaster worm was flawed. Perhaps the hoodlums who are working on this new exploit will fix some of those problems and this new worm will be more deadly than Blaster or the Gaobot worm that infected your enterprise.
The decision to patch is an art form. Tools like the RPC scanner you mention and the Windows Update service are invaluable to those of us who have to keep systems up to date, but no tool is going to have the judgement a good sysadmin applies in the decision of when and where to apply a particular patch. Each enterprise has its own characteristics, needs and priorities, and no one has yet built a software model to make the proper decision of to patch or not to patch. Until then, our job is going to be harder and more time consuming.
But, from experience, I know that it is so much easier to patch than it is to remove a virus from an active network.
I used to have a test platform in which to test patches before I applied them. I now am running NT, 2000, and 2003 servers, with different configurations, so the model is too complex. I do, however, have backups readily available in case a patch goes wrong. And I don't use automated systems like SMS or SUS to patch servers.
Hope this little bit of advice helped. Good luck to all in keeping the gremlins outside the castle walls.
09-15-2003 08:54 AM
Ron
11-04-2003 08:10 PM
The virus was residing in
winnt/system32/wins/scvhost.exe
and booted itself with a registry entry at
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services/cfgldr
This seemed to be a full registry entry (subkeys, etc) describing a system service. I backed up the entry and erased the entire cfgldr key, rebooted and erased the scvhost.exe. Now the server runs about 170% faster :)
-Patrick
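An added example that serves both Ron's removal procedure in the first post and Patrick's note above; it is my script, not anything posted in the thread. It looks for every persistence point and file location the two posts name (the "Config Loader" values under Run and RunServices, the cfgldr service key, and scvhost.exe in system32 and in system32\wins), reports what it finds, and only with -Remove backs each registry key up with reg.exe export (as Patrick did) before deleting. My additions beyond the posts: CurrentControlSet is checked alongside the ControlSet001 key Patrick saw, any Run value whose data launches scvhost.exe is matched and not only the "Config Loader" name, the file's SHA-256 is recorded, and C:\ir-backup is a placeholder path. Ron's first step, pulling the network cable, is still yours to do by hand.

```powershell
# Added example (not from the thread): find and optionally remove the
# scvhost.exe persistence described by Ron and Patrick. Save as
# scvhost-triage.ps1 and run elevated; -WhatIf previews, -Remove acts.
#
# Indicators taken from the posts:
#   "Config Loader" = SCVHOST.EXE under HKLM\...\CurrentVersion\Run and \RunServices
#   HKLM\SYSTEM\ControlSet001\Services\cfgldr  (full service definition)
#   %SystemRoot%\system32\scvhost.exe and %SystemRoot%\system32\wins\scvhost.exe
# Assumptions of mine: CurrentControlSet is also checked, and C:\ir-backup
# is a placeholder for wherever you keep incident artefacts.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove,
    [string]$BackupDir = 'C:\ir-backup'
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$ServiceKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\cfgldr',
    'HKLM:\SYSTEM\CurrentControlSet\Services\cfgldr'
)
$Files = @(
    (Join-Path $env:SystemRoot 'system32\scvhost.exe'),
    (Join-Path $env:SystemRoot 'system32\wins\scvhost.exe')
)

# Export a key to a .reg file so the removal can be reversed or examined later.
function Backup-RegKey([string]$PsPath) {
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $regPath = $PsPath -replace '^HKLM:\\', 'HKLM\'
    $out = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
    reg.exe export $regPath $out /y | Out-Null
    return $out
}

$findings = @()

# 1. Autostart values. Match the name from the thread and any value whose data
#    launches scvhost.exe, a typo-squat on the legitimate svchost.exe.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
        $hit = ($p.Name -eq 'Config Loader') -or
               ($p.Value -is [string] -and $p.Value -match '(?i)scvhost\.exe')
        if (-not $hit) { continue }
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$($p.Name)"; Data = $p.Value }
        if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove value')) {
            Backup-RegKey $key | Out-Null
            Remove-ItemProperty -Path $key -Name $p.Name
        }
    }
}

# 2. The cfgldr service definition Patrick found.
foreach ($key in $ServiceKeys) {
    if (-not (Test-Path $key)) { continue }
    $svc = Get-ItemProperty -Path $key
    $findings += [pscustomobject]@{ Type = 'Service'; Location = $key; Data = $svc.ImagePath }
    if ($Remove -and $PSCmdlet.ShouldProcess($key, 'Remove service key')) {
        Backup-RegKey $key | Out-Null
        Stop-Service -Name cfgldr -Force -ErrorAction SilentlyContinue
        Remove-Item -Path $key -Recurse -Force
    }
}

# 3. The binary itself. Hash it before deleting so the sample can be identified.
foreach ($f in $Files) {
    if (-not (Test-Path $f)) { continue }
    $hash = (Get-FileHash -Path $f -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Data = "SHA256 $hash" }
    if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
        # The worm is usually still running here, which is why Ron's order is
        # remove autostart, reboot, then delete. Try anyway; rerun after reboot if it fails.
        Stop-Process -Name scvhost -Force -ErrorAction SilentlyContinue
        Remove-Item -Path $f -Force -ErrorAction Continue
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No scvhost.exe indicators found.' }
```

Run it once without -Remove to see the findings, then with -Remove -WhatIf to confirm the exact actions, and only then with -Remove. Keep the .reg exports and the hash: the service key Patrick describes is a complete service definition, and the exported copy is what you hand to whoever does the follow-up analysis.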