Bottom line: I've been analyzing a hack that appears to be related to WMF/CHM exploits. While doing so I happened to catch a number of active TCP connections attached to PID 0 (System Idle Process).
I thought "System Idle Process" was, essentially, a placeholder for reflecting 'unused' CPU cycles. Can someone explain why it would reflect active TCP connections via 'process explorer'?
I don't want to waste time analyzing the hack, so if the TCP connections related to PID 0 are 'normal', it would help to know that.
XP PRO SP2 (current). NIS 2006 (current). Trojan-hunter (current). At the time I was running TCPVIEW and PROCESS EXPLORER, and this was shortly after boot.