So I’m reading /. and I ran into the following article: http://slashdot.org/article.pl?sid=04/03/17/1942232&mode=nested&tid=126&tid=128&tid=172&tid=185&tid=190&tid=201
In the article is a link to someone known as the “LURQHQ Thread Intelligence Group” who posts this analysis of the “Phatbot” trojan.
I was fascinated by the capabilities of the Trojan, but thought very little of it, until I ran into the following in the alert:
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the “Generic Service Process” registry key. Remove the executable from the Windows system directory.
Here’s the problem. Windows has an internal component called “svchost.exe”, which is known as the “Generic Host Process for Win32 Services”. A naive user looking to see if their system is infected with this Trojan would see the 6 or so copies of svchost.exe running on their system and assume that they were infected.
And the next thing they’d do is to kill those processes, just like the advisory says. Well, what are some of the services they’d be killing?
· AUDIOSRV – the windows audio service. This goes and bye bye audio.
· DHCP – The Dynamic Host Configuration Protocol. Say good by to your TCP/IP networking.
· LanmanServer – The file and print server. If you’ve got a networked printer on your machine, nobody’s printing on it any more.
· LanmanWorkstation – The CIFS client. If that one goes, you’re not accessing remote file&print services.
· ShellHWDetection – This blows away autorun
· Spooler – You’re not printing any more.
And there’s a lot more, those are just the highlights.
One of the more insidious parts of this problem is that even if the user’s machine survives killing all the svchost processes, the next thing the advisory tells the user to do is to delete the file.
But Windows has this really cool feature that’s intended to prevent you from messing up your machine called “Windows File Protection”. In a nutshell, this feature automatically copies critical system files if they’re deleted or overwritten. And, you guessed it – svchost.exe is a critical system file.
So here’s the user following the advice from the security company who removes svchost.exe. And 30 seconds later, the file’s right back where it was!
So what is the ONLY interpretation that they could have? Remember – they believe that this file is a Trojan horse and it’s endangering their system. The only interpretation they could possibly have is that the Trojan has somehow REINFECTED their machine. They try to delete the file again and again and again. And they never get anywhere. So the next thing they do one of two things:
1) They call Product Support and spend lots of money to discover that there’s no real problem, or…
2) They write up an email about this hideous Trojan horse called svchost.exe that’s installed on their machine that they can’t remove and asking their friends for help.