Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 09-24-2003, 09:13 PM   #1
qwe
Confirmed User
 
Join Date: Jul 2003
Posts: 2,109
dllhost.exe virus

Anyone know what this virus is all about? If I try to delete it, it says access denied. It's located in windows/system32/wins/dllhost.exe (Win XP OS). It always uses 9-15kb/s upload speed; even when I blocked it with a firewall, it still uses upload speed.

Anyone know how to get rid of it?

Thanks..
Old 09-24-2003, 09:24 PM   #2
GeorgeTH
Confirmed User
 
Join Date: Jul 2002
Location: too much in front of my monitor...
Posts: 367
It's NOT a virus!

Before you jump to conclusions, why don't you open up Google and paste the file name into a search? Here's a result from the second-from-top Google result: http://www.iea-software.com/lists/00...p/00000064.htm
Quote:
dllhost is used on all versions of Windows 2000. dllhost is the host
process for all COM+ applications.

IIS 5.0 uses COM+ for managing asp pages, and executing them, so when you
call an asp page, dllhost will be used to execute the asp page.


Just leave it there, it is very well behaved.
Old 09-24-2003, 09:41 PM   #3
qwe
Confirmed User
 
Join Date: Jul 2003
Posts: 2,109
Why the hell does it use 10 kb/s of upload speed, and why does Norton AntiVirus say it's a virus?
Old 09-24-2003, 10:19 PM   #4
(¤¤)»»»»»»Þ
So Fucking Banned
 
Join Date: Sep 2003
Location: Next door
Posts: 237
That file has been hit by the WELCHIA virus most likely, as I have heard of it doing that lately.
Old 09-24-2003, 10:23 PM   #5
(¤¤)»»»»»»Þ
So Fucking Banned
 
Join Date: Sep 2003
Location: Next door
Posts: 237
Do a search for dllhost.exe and you will probably find a few other versions of it as well. Chances are you also have an infected svchost.exe.

Look for a folder called wins, or read this:

When W32.Welchia.Worm is executed, it performs the following actions:


Copies itself to:

%System%\Wins\Dllhost.exe

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Makes a copy of %System%\Dllcache\Tftpd.exe, as %System%\Wins\svchost.exe.

NOTE: Tftpd is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it.


Adds the subkeys:

RpcPatch

and:

RpcTftpd

to the registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


Creates the following services:

Service Name: RpcTftpd
Service Display Name: Network Connections Sharing
Service Binary: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Service Display Name: WINS Client
Service Binary: %System%\wins\dllhost.exe

This service will be set to start automatically.


Ends the process Msblast and deletes the file %System%\msblast.exe, which is dropped by the worm W32.Blaster.Worm.


The worm will select the victim IP address in two different ways. It will either use A.B.0.0 from the infected machine's IP of A.B.C.D and count up, or it will construct a random IP address based on some hard-coded addresses. After selecting the start address, it will count up through a range of Class C sized networks, for example, if it starts at A.B.0.0, it will count up to at least A.B.255.255.


The worm will send an ICMP echo request, or PING, to check if the IP address constructed is an active machine on the network.


Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.


Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.


Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.


Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.


Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.


Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.

Last edited by (¤¤)»»»»»»Þ; 09-24-2003 at 10:26 PM..
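The indicators listed in the write-up above, turned into a check over a service inventory (an added example, not part of the thread or of the quoted write-up). The record layout, the names `audit_services` and `image_path`, and the sample rows are constructed for illustration; the path rule goes beyond the two named services and flags any service that runs a `dllhost.exe` or `svchost.exe` from outside the System folder.

```python
import ntpath

# Service names taken from the write-up quoted in post #5.
WELCHIA_SERVICES = {"rpcpatch", "rpctftpd"}
# Windows binaries the worm's files are named after. The genuine copies sit
# directly in %System%, not in a subfolder such as %System%\wins.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe"}


def image_path(raw, system_dir):
    """Expand %System% / %SystemRoot%, drop quotes and arguments, lower-case."""
    sysdir = system_dir.lower()
    p = raw.strip().lstrip('"').lower()
    p = p.replace("%system%", sysdir).replace("%systemroot%", ntpath.dirname(sysdir))
    end = p.find(".exe")
    return ntpath.normpath(p[:end + 4] if end != -1 else p)


def audit_services(services, system_dir=r"C:\Windows\System32"):
    """Return (service name, reason) findings for a list of service records."""
    sysdir = ntpath.normpath(system_dir.lower())
    findings = []
    for svc in services:
        folder, exe = ntpath.split(image_path(svc["binary"], system_dir))
        if svc["name"].lower() in WELCHIA_SERVICES:
            findings.append((svc["name"], "service name listed in the write-up"))
        if exe in SYSTEM_BINARIES and folder != sysdir:
            findings.append((svc["name"], f"{exe} runs from {folder}, not {sysdir}"))
    return findings


# Constructed sample inventory (hypothetical record layout: name, display, binary).
SAMPLE_SERVICES = [
    {"name": "RpcSs", "display": "Remote Procedure Call (RPC)",
     "binary": r"%SystemRoot%\System32\svchost.exe -k rpcss"},
    {"name": "RpcPatch", "display": "WINS Client",
     "binary": r"%System%\wins\dllhost.exe"},
    {"name": "RpcTftpd", "display": "Network Connections Sharing",
     "binary": r"%System%\wins\svchost.exe"},
    {"name": "Spooler", "display": "Print Spooler",
     "binary": r"C:\WINDOWS\system32\spoolsv.exe"},
    # Same file under a different service name: only the path rule catches it.
    {"name": "Helper", "display": "Helper",
     "binary": r'"C:\Windows\System32\wins\dllhost.exe" /x'},
]

if __name__ == "__main__":
    for name, reason in audit_services(SAMPLE_SERVICES):
        print(f"{name}: {reason}")
```

The display names "WINS Client" and "Network Connections Sharing" are deliberately not used as a rule here, since a display name alone says nothing about which binary the service starts.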