Solved

What is system2 service?

Posted on 2004-04-15
12
141 Views
Last Modified: 2010-04-13
We have a Domain controller and are having problems with it.
One of the services running is a system2 service and svvchost.exe (not svchost.exe) is associated with this service.
Has anyone ever heard of this and what is it for?
0
Comment
Question by:staceyb7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 3
12 Comments
 
LVL 18

Accepted Solution

by:
JConchie earned 25 total points
ID: 10834174
sounds like you have a variant of the Goabot virus.....see:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ao.html
0
 
LVL 18

Expert Comment

by:JConchie
ID: 10834179


 
  W32.HLLW.Gaobot.AO  
Discovered on: September 30, 2003  
Last Updated on: March 10, 2004 03:08:52 PM

 
 

   
 


W32.HLLW.Gaobot.AO is a minor variant of W32.HLLW.Gaobot.AF. It attempts to spread to network shares that have weak passwords and allows hackers to access an infected computer through IRC.

The worm uses multiple vulnerabilities to spread, including:

The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP ports 135 and 445.
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80.

W32.HLLW.Gaobot.AO is compressed with UPX.


--------------------------------------------------------------------------------
Note: Virus definitions dated prior to October 1, 2003 may detect this worm as a hack tool.
--------------------------------------------------------------------------------


Symantec Security Response has developed a removal tool to clean the infections of W32.HLLW.Gaobot.AO. This is the preferred method in most cases.


Also Known As:  W32/Gaobot.worm.gen.b [McAfee], Backdoor.Agobot.3.x [Kaspersky]
 
Type:  Worm
Infection Length:  207,872 bytes, varies
 
 
 
Systems Affected:  Windows 2000, Windows NT, Windows XP
Systems Not Affected:  Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
 
 
 


 
Virus Definitions (Intelligent Updater) *
 October 01, 2003
 
 
Virus Definitions (LiveUpdate™) **
 October 01, 2003
 
 
*
 Intelligent Updater definitions are released daily, but require manual download and installation.
Click here to download manually.
 
**
 LiveUpdate virus definitions are usually released every Wednesday.
Click here for instructions on using LiveUpdate.
 
 
 




Wild:

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate
 Threat Metrics
 
         
Wild:
Low
 Damage:
Medium
 Distribution:
Medium
 
 

Damage

Payload:
Releases confidential info: Allows unauthorized remote access.
Distribution

Subject of email: N/A
Name of attachment: N/A
Ports: 135, 445
Target of infection: Accounts with weak passwords; systems not patched against the DCOM RPC vulnerability.


When W32.HLLW.Gaobot.AO runs, it does the following:


Copies itself into the %System% folder as one of the following:

Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
 
 
 
0
 
LVL 32

Assisted Solution

by:LucF
LucF earned 25 total points
ID: 10834184
Hi staceyb7,

> system2 service and svvchost.exe
Both are NOT windows systemfiles, so I suggest you to do a virusscan as soon as possible

Greetings,

LucF
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 18

Expert Comment

by:JConchie
ID: 10834199
Sorry,
the part of the above that I actually wanted to post is:

When W32.HLLW.Gaobot.AO runs, it does the following:


Copies itself into the %System% folder as one of the following:

Cavapsvc.exe
Csrrs.exe
Cvhost.exe
DIIhost.exe (with capital letter 'i')
Dosrun32.exe
Dos32.exe
Lsas.exe
Regloadr.exe
Schost.exe
Scvhost.exe
Service.exe
Servicess.exe
Sochost.exe
Swchost.exe
System.exe
Update.exe
Wdrun32.exe
Winhlpp32.exe
Winreg.exe
Winupdsdgm.exe
0
 
LVL 18

Expert Comment

by:JConchie
ID: 10834212
Hi Luc,
How's that Belgian chocolate these days?  :-)
0
 
LVL 32

Expert Comment

by:LucF
ID: 10834376
How would I know, I live in the Netherlands :)

Long time no see.
0
 
LVL 18

Expert Comment

by:JConchie
ID: 10834400
I knew you were in one or the other, couldn't remember which....just a senior moment on my part
Regards,
Jim
0
 
LVL 32

Expert Comment

by:LucF
ID: 10834421
:)
0
 
LVL 18

Expert Comment

by:JConchie
ID: 12316218
split points...me and lucf
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Script or program to automatically sycn server 2000 time with an external source 3 512
Windows timing on domain Pcs 4 463
Windows 16 363
Repair old Windows 2000 boot 15 251
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Configuring Remote Assistance for use with SCCM
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question