SVCHOST- port 1027- UDP (bad?)

I know this isn’t a firewall forum, but you guys are very helpful and knowledgeable on security issues. I’ve got Outpost Firewall, and the svchost app is preconfigured to access the net.

However, it repeatedly tries to access different remote hosts, through UDP protocol, port 1027. Does this sound like a virus/trojan? And should I allow complete access to svchost?

My apologies if this is not the right place to ask- anyways, any help is much appreciated. :slight_smile:

That port (1027 udp) is normally used by ExoSee.

ExoSee is a communication system for file-sharing between users all over the world through Communities-Oriented-Environment. The software is entirely user-direct with the ability to share files privately and/or publicly. The file transfer system is fast and safe with powerful features such as exploring online users' shared folders in a Windows Explorer look-a-like environment.

But also the ICKiller trojan is using it.

Whether it is harmful or not in your case is something you have to find out.
See what process (file) is using the svchost for the connection.
Sysinternals has utils for that.

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated. Note: svchost.exe is a process which is registered as the W32.Welchia.Worm. It takes advantage of the Windows LSASS vulnerability, which creates a buffer overflow and instigates your computer to shut down. To see more information about this vulnerability please look at the following Microsoft bulletin: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx This is a registered security risk and should be removed immediately.

Thanks, I’m gonna look into that- although I’m not using any filesharing app & haven’t heard of ExoSee.

Is it okay if I restrict SVCHOST from using UDP? Does it even need UDP access?

Looking at that internals website, there are so many apps… which is the one you’re talking about? Process Explorer?

Because I’m using P.E. and it doesn’t tell what is using svchost… just that svchost is open.

Get Process Explorer from there, as it will give you the file location of the process (more than Task Manager can do).

–lee
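One way to run the check suggested above on a current Windows system, as an added example that is not part of the original thread: it maps a local UDP port to the owning process, shows the file location, and lists the services hosted inside that svchost.exe instance. It assumes Windows 8 / Server 2012 or later (the `Get-NetUDPEndpoint` cmdlet) and that 1027 is the local port; the function name `Get-UdpPortOwner` is hypothetical.

```powershell
# Added example: map a UDP port to the svchost.exe instance and the services it hosts.
# Assumes Windows 8 / Server 2012 or later; run elevated so executable paths are readable.
function Get-UdpPortOwner {
    param([Parameter(Mandatory)][uint16]$Port)

    # Locations where the genuine svchost.exe lives (SysWOW64 hosts 32-bit services).
    $expected = 'System32', 'SysWOW64' |
        ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

    # UDP is connectionless, so Windows records only the local binding, not remote hosts.
    $endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    foreach ($ep in $endpoints) {
        $owner = $ep.OwningProcess
        $proc  = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
        if (-not $proc) { continue }   # process exited between the two queries

        # Services running inside this process (empty for non-service processes).
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $owner"

        $path      = $proc.ExecutablePath   # empty if the path could not be read
        $isSvchost = $proc.Name -ieq 'svchost.exe'

        [pscustomobject]@{
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            ProcessId    = $owner
            Name         = $proc.Name
            Path         = $path
            CommandLine  = $proc.CommandLine
            Services     = ($services.Name -join ', ')
            # A process named svchost.exe running from outside the system folders.
            PathMismatch = [bool]($isSvchost -and $path -and ($path -notin $expected))
            # A svchost.exe that hosts no service at all.
            NoServices   = [bool]($isSvchost -and -not $services)
        }
    }
}

Get-UdpPortOwner -Port 1027 | Format-List
```

An empty result means nothing is bound to that local port at the moment; an empty `Path` means the session lacked the rights to read it, so `PathMismatch` is only meaningful when run elevated.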

Can you please explain the possible probs with svchost.exe again? I looked at the link suggested and it made no sense whatsoever to me.
I have a virus in svchost.exe which avast can't get rid of, so does that mean the whole file is the dodgy thing already mentioned? this w32 welchia worm??

I have a virus in svchost.exe which avast can't get rid of
What is the location of the infected file, example (C:\windows\system32\infected-filename.xxx)? Why can't avast get rid of it, what message was displayed?

If you do have the W32.Welchia.Worm, then your system is in serious need of update.

W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:
* The DCOM RPC vulnerability (first described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit. Users are recommended to patch this vulnerability by applying Microsoft Security Bulletin MS03-039.
* The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. As coded in this worm, this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.

W32.Welchia.Worm does the following:

* Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then restart the computer
* Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic
* Attempts to remove W32.Blaster.Worm

svchost is NOT a virus.

You need to keep your system up-to-date with ALL security patches/updates.

Click on the link in my signature, visit the malware removal section and do as instructed there.

I just did a scan to get all the correct details that you asked for, and avast suddenly decided it would deal with it, along with a couple of other viruses that I have posted about in this forum (when I couldn't get rid of them)! So, I don't know what's going on but it's all good!

ok, so the virus in svchost has reappeared and won't be got rid of… will post about it in my original one, trojano-964
x x x