Tuesday, September 1, 2009

Trojan Hunting in Svchost.exe with Svchost Process Analyzer

"Svchost.exe" (Generic Host Process for Win32 Services) is an integral part of Windows OS. It cannot be stopped or restarted manually. This process manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load.

Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. Each Svchost.exe session can contain a grouping of services, so that many services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

Svchost.exe groups are identified in the following registry key:


Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

To view the list of services those are running in Svchost:
  1. Click Start on the Windows taskbar, and then click Run.
  2. In the Open box, type CMD, and then press ENTER.
  3. Type Tasklist /SVC, and then press ENTER.
Tasklist displays a list of active processes. The /SVC switch shows the list of active services in each process. For more information about a process, type the following command, and then press ENTER:
Tasklist /FI "PID eq processID" (with the quotation marks)

The svchost.exe file is physically located in the folder C:\Windows\System32. However, one of the most important services organizers can also be used as a driving vehicle and a hiding mechanism for viruses, spyware, Trojans, or worms.

The possible symptoms of the infections are:
  • Your system becomes sluggish and you find that something called svchost or dllhost is taking nearly 100% of your CPU.
  • Your system reports that svchost has performed an illegal operation and will be terminated. After that, various things fail to work properly, if at all.
  • After you log in, your system automatically reboots in one minute.
Note that you should not be confused from the small difference in the svchost.exe and scvhost.exe (which is called svchost virus). So, the svchost virus is actually a process named scvhost.exe (notice on the “c” and “v” are switched) which is designed to confuse people with the harmless svchost. Scvhost.exe will go into your system and completely shut it down. The virus is actually a Trojan Horse, named W30/Agobot-S virus. This virus will also allow hackers to access your computer and steal passwords and personal data.

The approach of hiding dangerous content in svchost is understandable, since you need to have pretty advanced computer skills for its troubleshooting. The free Svchost Process Analyzer free utility is letting anybody analyze and troubleshoot the system in terms of the presence of the dangerous files and processes. The software lists all svchost instances and checks the services they contain. This makes it easy to uncover Svchost worms like the infamous Conficker worm.

Image and video hosting by TinyPic

While Svchost Process Analyzer does not provide the details that popular process managers like Process Explorer provide, it does list the information in a comprehensible manner. The process analyzer will scan all svchost processes that are running on the Windows operating system upon startup. A click on details will open the main application window, that lists every svchost process in the top window and details about the selected process in the window at the bottom.

Each entry in the lower window is displayed by name, service name and file. Svchost Process Analyzer is compatible with 32-bit and 64-bit editions of Microsoft Windows XP, Windows Vista, Windows 2000, Windows 2003 and Windows 2008.

Main Features:
  • 100% freeware.
  • Doesn't require runtimes.
  • Doesn't require installation (absolutely portable).
  • Doesn't write to the registry.
  • Doesn't modify files outside of its own directories.
  • Does not contain adware / malware / spyware.
  • Small, single executable file, does not require significant computer resources.
Developer: Neuber Software.


Related Posts Plugin for WordPress, Blogger...

Design | Elque 2007