W32.Sober in conhost.exe?

Page 2 of 5 FirstFirst 1234 ... LastLast

  1. Posts : 2,899
    Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)

    you see if you remove the conhost.exe
    you essentially cant run command prompts...

    i will do a network log on a idle machine running 6956 and another 6801 and see...
    btw i have MS network monitor if you want to try it too [so far so good with this app]

    i will check with you guys latter about this and compare notes....
      My Computer

  2. Posts : 17
    Windows 7 build 7057
    Thread Starter

    I read somewhere, that conhost.exe hosting cmd's window. It's something like an emulator.
      My Computer

  3. Posts : 50
    Microsoft Windows 6.1 (Build 6801)

    is an email worm written in Visual Basic and packed with the modified version of UPX packer. The infected message could contain one of many different subject lines either in English or German language.

    Some of the messages pretend to be the an update from an anti-virus company.

    Win32:Sober-A contains its own SMTP routine for sending the e-mails. The recipient addresess are harvested from different files on the local machine. The worm installs itself into the system directory on the infected machine under the name SIMILARE.EXE. Two other copies of the worm are stored on the local disk as well. This worm has a special mechanism which is responsible for the keeping the worm active in the memory: it has two processes running and when one of them is terminated, the other one will restart it very quickly.

    Win32:Sober-A adds a filename to the following registry entry so that the worm runs when you logon to your computer:

    It also creates the following file in the Windows system folder:

    This file contains e-mail addresses collected from the system.
      My Computer

  4. Posts : 748
    Vista and now 7 in 32 and 64 bit.

    That is the extract from the Avast definitions. I use Avast on 7 and Vista and it did not detect it. A more thorough check also showed nix so I don't think it is a natural occurrence from all the current downloads.
      My Computer

  5. Posts : 71,733
    64-bit Windows 11 Pro for Workstations

    I did not get any notice from Avast about it either, only with Spybot S&D.
      My Computer

  6. Posts : 2,899
    Windows 7 Ult x64(x2), HomePrem x32(x4), Server 08 (+VM), 08 R2 (VM) , SuSe 11.2 (VM), XP 32 (VM)

    i think its there is very good chance that its a false positve as believe the worm would be requesting access to the net wihich (even if it was dns packets) MS monitor would see those....
    i have not seen anything different in the conhost from other builds apart from the fact that now it will close when i close cmd....

    link: http://www.neowin.net/forum/index.ph...entry590257792


    edit: posted scan no av has reported sober worm...

    Last edited by darkassain; 19 Dec 2008 at 02:14. Reason: typos link scan
      My Computer

  7. Posts : 2

    Spyboot reports conhost as an infection on my computer too...
      My Computer

  8. Posts : 22,814
    W 7 64-bit Ultimate

    Hello alon210, welcome to Se7en Forums!

    As I'm sure you're aware; it is generally believed that it is a false detection.

    Later Ted
      My Computer

  9. Posts : 2

    Thanks for your reply BFK (I think I can say BFK^^)
      My Computer

  10. Posts : 22,814
    W 7 64-bit Ultimate

    Hello again!

    Yes; that's fine. You can call me anything you like; just don't call me late for meals.

    Later Ted
      My Computer

Page 2 of 5 FirstFirst 1234 ... LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 19:11.
Find Us