mschost.exe - Dangerous
mschost.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
The worm targets only Windows 2000 and Windows XP computers.
It recommends that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
When worm is executed, it does the following:
Generates an IP address and attempts to infect the computer that has that address.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability. The worm sends one of two types of data: either to exploit Windows XP or Windows 2000.
Uses Cmd.exe to create a hidden remote shell process that will listen on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it sends mschost.exe to that computer and then executes it.
The worm contains the following text in the code:
Can you hear me? I LOVE YOU SAN!!
Sucky gates why do you made this windows? Stop fooling around and make good things!!!
Use RegRun Startup Optimizer to automatical remove this worm from system registry.