asked on

What is system2 service?

We have a Domain controller and are having problems with it.
One of the services running is a system2 service and svvchost.exe (not svchost.exe) is associated with this service.
Has anyone ever heard of this and what is it for?

ASKER CERTIFIED SOLUTION

JConchie

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

JConchie

W32.HLLW.Gaobot.AO
Discovered on: September 30, 2003
Last Updated on: March 10, 2004 03:08:52 PM

W32.HLLW.Gaobot.AO is a minor variant of W32.HLLW.Gaobot.AF. It attempts to spread to network shares that have weak passwords and allows hackers to access an infected computer through IRC.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP ports 135 and 445.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80.

W32.HLLW.Gaobot.AO is compressed with UPX.

--------------------------------------------------------------------------------
Note: Virus definitions dated prior to October 1, 2003 may detect this worm as a hack tool.
--------------------------------------------------------------------------------

Symantec Security Response has developed a removal tool to clean the infections of W32.HLLW.Gaobot.AO. This is the preferred method in most cases.

Also Known As: W32/Gaobot.worm.gen.b [McAfee], Backdoor.Agobot.3.x [Kaspersky]

Type: Worm
Infection Length: 207,872 bytes, varies

Systems Affected: Windows 2000, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me

Virus Definitions (Intelligent Updater) *
October 01, 2003

Virus Definitions (LiveUpdate™) **
October 01, 2003

*
Intelligent Updater definitions are released daily, but require manual download and installation.
Click here to download manually.

**
LiveUpdate virus definitions are usually released every Wednesday.
Click here for instructions on using LiveUpdate.

Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate
Threat Metrics

Wild:
Low
Damage:
Medium
Distribution:
Medium

Damage

Payload:
Releases confidential info: Allows unauthorized remote access.
Distribution

Subject of email: N/A
Name of attachment: N/A
Ports: 135, 445
Target of infection: Accounts with weak passwords; systems not patched against the DCOM RPC vulnerability.

When W32.HLLW.Gaobot.AO runs, it does the following:

Copies itself into the %System% folder as one of the following:

Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

SOLUTION

Luc Franken

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

JConchie

Sorry,
the part of the above that I actually wanted to post is:

When W32.HLLW.Gaobot.AO runs, it does the following:

Copies itself into the %System% folder as one of the following:

Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe

JConchie

Hi Luc,
How's that Belgian chocolate these days? :-)

Luc Franken

How would I know, I live in the Netherlands :)

Long time no see.

JConchie

I knew you were in one or the other, couldn't remember which....just a senior moment on my part
Regards,
Jim

Luc Franken

JConchie

split points...me and lucf