svbhost.exe


badgolferman

One of our WXP image generating computers got infected with a process
named svbhost.exe. The IT Security guys shut down the network
connections when they realized the computer was sending data to a
foreign country on the bad list. They also copied its drive to analyze
what was going on. We need this machine for image generation in our
simulator so they let it remain active, but it's not a danger to anyone
else since the connection to the LAN has been shut off. It has two NIC
cards, one for external connection and one for an internal local
connection with two other machines.

Today we discovered other problems it had left behind. The other two
image generating computers that map drives to it couldn't log on to it.
The error message was something like "The remote user is not authorized
access to this shared drive." Not exact words but something to that
effect. After creating, recreating, editing permissions, shares and
users we realized all the user groups had been corrupted.
Administrators, Power Users, Users, etc. were no good anymore and new
groups had to be created with new users and new permissions.

To remove the malware we tried to stop the svbhost.exe process but it
would immediately restart itself. We discovered a Service named
"network connections" (lower case) and a registry entry of the same
title. Those entries were exported first and then deleted. Then we
were able to stop the process permanently.

Everything seems okay right now but we are probably going to restore an
image from last month. Unfortunately that will not include the tweaks
that have been incorporated but hopefully it will also not include the
other problems.
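As an added example, not code from the thread or from any participant, here is a PowerShell triage script for the three symptoms described above: a process whose name is a one-character variant of a system binary, a service whose display name collides with a built-in one but whose binary sits somewhere unexpected, and local groups that can no longer be enumerated. The lists of legitimate image names and built-in display names are constructed samples, and the script assumes Windows PowerShell 5.1 (CIM and LocalAccounts cmdlets); on an XP-era host the same information comes from tasklist, sc query, reg query and net localgroup.

```powershell
# Added triage script (not from the thread). Run elevated on the suspect host.
# Assumes Windows PowerShell 5.1; the name lists below are constructed samples.

# Legitimate image names that malware imitates by changing one character
# ("svbhost.exe" vs "svchost.exe").
$script:LegitImages = @('svchost.exe','lsass.exe','csrss.exe','winlogon.exe',
                        'services.exe','explorer.exe','spoolsv.exe')

# Display names of built-in services whose binaries always live under System32.
$script:BuiltInDisplayNames = @('Network Connections','Workstation','Server',
                                'DHCP Client','DNS Client','Windows Time')

# Return the legitimate name that $Name differs from by exactly one
# character, or $null if it is not a near miss. Comparison is case-insensitive.
function Get-NearMissName {
    param([Parameter(Mandatory)][string]$Name)
    $n = $Name.ToLowerInvariant()
    foreach ($legit in $script:LegitImages) {
        if ($n.Length -ne $legit.Length) { continue }
        $diff = 0
        for ($i = 0; $i -lt $legit.Length; $i++) {
            if ($n[$i] -ne $legit[$i]) { $diff++ }
        }
        if ($diff -eq 1) { return $legit }
    }
    return $null
}

# Running processes whose image name imitates a system binary, with the
# on-disk path so the file can be hashed and submitted to a multi-engine scanner.
function Get-NearMissProcess {
    Get-Process | ForEach-Object {
        $img  = "$($_.ProcessName).exe"
        $near = Get-NearMissName $img
        if ($near) {
            [pscustomobject]@{
                Check = 'process name imitates system binary'
                Pid = $_.Id; Image = $img; LooksLike = $near; Path = $_.Path
            }
        }
    }
}

# Services worth a second look: a built-in display name served by a binary
# outside System32, or a binary whose own name is a near miss.
function Get-SuspiciousService {
    $sys32 = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }          # nothing to inspect
        # Strip surrounding quotes and arguments to isolate the binary path.
        $bin = $_.PathName
        if ($bin -match '^"([^"]+)"') { $bin = $Matches[1] }
        else { $bin = ($bin -split '\s+')[0] }
        $bin = $bin.ToLowerInvariant()
        $reasons = @()
        if (($script:BuiltInDisplayNames -contains $_.DisplayName) -and
            -not $bin.StartsWith($sys32)) {
            $reasons += 'built-in display name, binary outside System32'
        }
        if (Get-NearMissName (Split-Path $bin -Leaf)) {
            $reasons += 'binary name imitates system binary'
        }
        if ($reasons) {
            [pscustomobject]@{
                Check = ($reasons -join '; ')
                Name = $_.Name; Display = $_.DisplayName; State = $_.State
                Binary = $bin
                RegKey = "HKLM\SYSTEM\CurrentControlSet\Services\$($_.Name)"
            }
        }
    }
}

# Export a service's registry key before any removal (the thread did this
# first, so the evidence survives the cleanup). Returns $true on success.
function Export-ServiceKey {
    param([Parameter(Mandatory)][string]$ServiceName,
          [Parameter(Mandatory)][string]$OutFile)
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" $OutFile /y | Out-Null
    return (Test-Path $OutFile)
}

# Snapshot local group membership for diffing against a known-good host.
# A group that cannot be enumerated is reported rather than skipped, which is
# the "corrupted groups" symptom the thread describes.
function Get-LocalGroupSnapshot {
    Get-LocalGroup | ForEach-Object {
        $g = $_.Name
        try {
            $members = (Get-LocalGroupMember -Name $g -ErrorAction Stop |
                        ForEach-Object { $_.Name }) -join ', '
            [pscustomobject]@{ Group = $g; Members = $members; Error = $null }
        } catch {
            [pscustomobject]@{ Group = $g; Members = $null; Error = $_.Exception.Message }
        }
    }
}

Get-NearMissProcess   | Format-Table -AutoSize
Get-SuspiciousService | Format-Table -AutoSize
Get-LocalGroupSnapshot | Format-Table -AutoSize
```

Run the same script on one of the two clean image generators and compare the group snapshot and service list; the differences are the entries to investigate, and any service it flags should be exported with Export-ServiceKey before it is disabled or deleted.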
 
> One of our WXP image generating computers got infected with a process
> named svbhost.exe.

Likely to be a Spbot (Agobot) variant. Why not talk in terms of the
malware names antivirus scanners assign to the worm? Uploading the
file to Virus Total and/or jotti will give you that info. Use of a
good up to date av product should clean up the drive.

Art

http://home.epix.net/~artnpeg
 
badgolferman said:
> One of our WXP image generating computers got infected with a process
> named svbhost.exe.
> Everything seems okay right now but we are probably going to restore an
> image from last month. Unfortunately that will not include the tweaks
> that have been incorporated but hopefully it will also not include the
> other problems.

When you've been owned and infected by something, the standard
recommendation is to reinstall from original media. It's the only way
to be certain your machine is clean.

I'd think that a machine you use to create or distribute images on
would be one where you'd really be wise to follow this
recommendation. Unless you can be 100% sure the snapshots taken
earlier are clean, that's the way to go.
 
Art, 1/26/2006, 2:36:56 PM,
> Likely to be a Spbot (Agobot) variant. Why not talk in terms of the
> malware names antivirus scanners assign to the worm? Uploading the
> file to Virus Total and/or jotti will give you that info. Use of a
> good up to date av product should clean up the drive.
>
> Art
>
> http://home.epix.net/~artnpeg

SAV 10 with updated definition files did not catch it.
 
> When you've been owned and infected by something, the standard
> recommendation is to reinstall from original media. It's the only way
> to be certain your machine is clean.
>
> I'd think that a machine you use to create or distribute images on
> would be one where you'd really be wise to follow this
> recommendation. Unless you can be 100% sure the snapshots taken
> earlier are clean, that's the way to go.

I agree with your assessment, however we are in the beginning of a
six-week production run with pilots and can't afford to lose any more
time than we already have. Starting from scratch will take many days
and many people.
 
badgolferman said:
> I agree with your assessment, however we are in the beginning of a
> six-week production run with pilots and can't afford to lose any more
> time than we already have. Starting from scratch will take many days
> and many people.

Don't forget to factor the cost of distributing a production run that
includes a virus as well as the likelihood into the risk assessment
that guides your decision-making here.

Dunno what sort of widgets you're making, but if I got an image from a
company that included a virus, I sure as hell would play the hammer to
their nail, and start shopping elsewhere if at all possible. If I
can't trust original media from some place due to lax, path of least
resistance response to security incidents, I would shop elsewhere in a
heartbeat.


Best Regards,
 
> Don't forget to factor the cost of distributing a production run that
> includes a virus as well as the likelihood into the risk assessment
> that guides your decision-making here.

I have brought this up. Management wants to keep it working for now
with no more down time. Since the three machines are a local network
they feel relatively safe. IT Security is not insisting on anything
yet.
> Dunno what sort of widgets you're making, but if I got an image from a
> company that included a virus, I sure as hell would play the hammer to
> their nail, and start shopping elsewhere if at all possible. If I
> can't trust original media from some place due to lax, path of least
> resistance response to security incidents, I would shop elsewhere in a
> heartbeat.

We have Evans & Sutherland EP image generators being used for moving
graphics in Boeing 757 research simulators at NASA. They create
terrain and infra-red graphics that pilots view on the Heads Up Display
and other monitors as they fly around in zero-visibility conditions.

E&S is not at fault for what has occurred. We were hacked from another
NASA center and this file was put on the machine. At this point they
have traced it back and are suspecting industrial espionage.

The ironic thing is that the computer that got infected was hooked up
to the LAN so it could be kept current with SAV pushed definition files.
 
badgolferman said:
> One of our WXP image generating computers got infected with a process
> named svbhost.exe. The IT Security guys shut down the network
> connections when they realized the computer was sending data to a
> foreign country on the bad list. They also copied its drive to analyze
> what was going on. We need this machine for image generation in our
> simulator so they let it remain active, but it's not a danger to anyone
> else since the connection to the LAN has been shut off. It has two NIC
> cards, one for external connection and one for an internal local
> connection with two other machines.
>
> Today we discovered other problems it had left behind. The other two
> image generating computers that map drives to it couldn't log on to it.
> The error message was something like "The remote user is not authorized
> access to this shared drive." Not exact words but something to that
> effect. After creating, recreating, editing permissions, shares and
> users we realized all the user groups had been corrupted.
> Administrators, Power Users, Users, etc. were no good anymore and new
> groups had to be created with new users and new permissions.
>
> To remove the malware we tried to stop the svbhost.exe process but it
> would immediately restart itself. We discovered a Service named
> "network connections" (lower case) and a registry entry of the same
> title. Those entries were exported first and then deleted. Then we
> were able to stop the process permanently.
>
> Everything seems okay right now but we are probably going to restore an
> image from last month. Unfortunately that will not include the tweaks
> that have been incorporated but hopefully it will also not include the
> other problems.

What do you folks do for backups?
 
badgolferman said:
> I have brought this up. Management wants to keep it working for now
> with no more down time. Since the three machines are a local network
> they feel relatively safe. IT Security is not insisting on anything
> yet.
>
> We have Evans & Sutherland EP image generators being used for moving
> graphics in Boeing 757 research simulators at NASA. They create
> terrain and infra-red graphics that pilots view on the Heads Up Display
> and other monitors as they fly around in zero-visibility conditions.
>
> E&S is not at fault for what has occurred. We were hacked from another
> NASA center and this file was put on the machine. At this point they
> have traced it back and are suspecting industrial espionage.
>
> The ironic thing is that the computer that got infected was hooked up
> to the LAN so it could be kept current with SAV pushed definition files.

How scary is that? Don't fly in a 757 folks!!!

Bob
 
> What do you folks do for backups?

In this case the image generators are on loan to us for evaluation by
the company. Those who maintain it are backing up the partitions with
Norton Ghost to separate partitions.

Normally we backup to the Mass Storage facility that is currently using
magnetic tape. They are due for an upgrade to something else soon.
 