Top 5 malware threats all imitate Windows processes
We thought it might be interesting to take a look at the top 5 malware threats listed on the award-winning ProcessLibrary.com website. As a note, this ranking reflects only the experiences of users of the processlibrary.com website; however, with over 300,000 individual process searches per day, I am pretty sure that this reflects the situation of most users worldwide.
If you look at the list of malware threats do you get an odd feeling of déjà vu? Don’t these Windows processes seem familiar? The reason is that your modern writer of malicious software is a sly creature who will try to disguise his harmful code by giving it a name similar to another harmless, but essential, application.
In the list above, isass.exe is trying to disguise itself as the Microsoft Windows system security process lsass.exe, whilst the harmful nvcpl.exe process is imitating the NVIDIA video card driver component (nvcpl.dll). Similarly, scvhost.exe and svhost.exe are both trying to look like the Microsoft Windows process svchost.exe, and the crss.exe process is mimicking the name of the csrss.exe component of Microsoft Windows NT.
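As an added example (not from the post, and not one of ProcessLibrary's tools), the Python below turns the observation above into a check: it compares process names against the legitimate Windows binaries named here and flags one-character lookalikes (a substituted, missing or swapped letter, as in isass, svhost and scvhost) as well as a correctly named copy running from an unexpected directory. The legitimate names, their System32 location and the process snapshot are assumptions constructed for the example.

```python
# Added example (not from the post or ProcessLibrary): flag running process
# names that imitate legitimate Windows binaries, as the article's top five do.
# Legitimate names and their expected directory are an assumption (default install).
LEGIT_FILES = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "nvcpl.dll": r"c:\windows\system32",
}

def edit_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitution or
    adjacent transposition each cost 1, so scvhost/svchost scores 1."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped letters
    return d[len(a)][len(b)]

def classify(name, directory):
    """Return 'ok', 'lookalike:<legit file>' or 'wrong-path:<legit file>'."""
    stem, _, ext = name.lower().rpartition(".")
    for legit, legit_dir in LEGIT_FILES.items():
        legit_stem, _, legit_ext = legit.rpartition(".")
        if stem == legit_stem:
            if ext != legit_ext:  # nvcpl.exe posing as the nvcpl.dll driver component
                return f"lookalike:{legit}"
            if directory.lower().rstrip("\\") != legit_dir:
                return f"wrong-path:{legit}"  # right name, unexpected location
            return "ok"
        if edit_distance(stem, legit_stem) == 1:  # isass, svhost, scvhost, crss
            return f"lookalike:{legit}"
    return "ok"

def scan(processes):
    """Return (name, directory, verdict) for every process that is not 'ok'."""
    return [(n, d, v) for n, d in processes for v in [classify(n, d)] if v != "ok"]

# Constructed process snapshot for the example, not real telemetry.
SAMPLE_PROCESSES = [
    ("lsass.exe", r"C:\Windows\System32"), ("isass.exe", r"C:\Users\alice\AppData\Local\Temp"),
    ("svchost.exe", r"C:\Windows\System32"), ("svchost.exe", r"C:\Users\alice\AppData\Roaming"),
    ("scvhost.exe", r"C:\Windows"), ("svhost.exe", r"C:\Windows"),
    ("csrss.exe", r"C:\Windows\System32"), ("crss.exe", r"C:\Windows\Temp"),
    ("nvcpl.exe", r"C:\Windows"), ("notepad.exe", r"C:\Windows\System32"),
]
```

Running `scan(SAMPLE_PROCESSES)` reports the five imitators from the article plus the svchost.exe copy outside System32, and passes the genuine system processes.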
At this stage it might be useful to check your own PC to find out what processes are running on it. This is actually quite easy to do, as there is a useful free tool, very easy to install from ProcessLibrary.com, called ProcessScanner. Click here to download ProcessScanner.

What’s more, it will even give you a risk rating for the processes it finds, making it easier to check that there is no malware installed on your machine:

If running a scan every time you want to check the processes running on your machine seems like a bit of a chore, you can take this to the next level by installing another (related) free application called ProcessQuicklink, also from ProcessLibrary.com. This utility is a plugin for the Windows Task Manager and will give you access to information on each application from within the Task Manager window:

A point to mention, before we go on to examine the top 5 malware threats in detail, is that each of these is a nasty piece of work, being either a worm or a trojan. If you are unlucky enough to find out, from either of the scans you have just run, that you have one of these processes on your system, you should disable or remove it immediately. If you don’t have the expertise to do this yourself, you should seek professional help.
- ISASS.EXE:
Part of Optix.Pro virus
Isass.exe is registered as the Optix.Pro trojan, which carries in its payload the ability to disable firewalls and local security protections, and which also contains a backdoor capability allowing a hacker fairly unrestricted access to the infected PC. This trojan was developed by someone going by the name of s13az3, who formed part of the (since discontinued) Evil Eye Software crew.
- NVCPL.EXE:
Part of W32.SpyBot.S Worm
Nvcpl.exe is a process which is registered as the W32.SpyBot.S worm (it also seems to be associated with the Yanz.B worm, which may just be another name for it). It takes advantage of the Windows LSASS vulnerability, a buffer overflow that forces your computer to shut down. Although not necessarily a particularly destructive piece of malware, it is a nuisance in that it will access your email address book and send spam to your contacts.
- CRSS.EXE:
Part of W32.AGOBOT.GH
Crss.exe is a process forming part of the W32.AGOBOT.GH worm. This spyware worm is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hope that you open its hostile attachment. The worm has its own SMTP engine, which means it gathers e-mail addresses from your local computer and re-distributes itself. In the worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.
- SCVHOST.EXE:
Part of W32/Agobot-S virus
The scvhost.exe file is a component of the W32/Agobot-S virus. Another member of the Agobot (aka Gaobot) computer worm family, this trojan spreads via networks and allows attackers to access your computer from remote locations, stealing passwords, Internet banking details and personal data.
- SVHOST.EXE:
Part of W32.Mydoom.I@mm
Svhost.exe is a process which is associated with the W32.Mydoom.I@mm worm. This worm is distributed as an e-mail message and requires that you open a hostile attachment. Using its own SMTP engine, the Mydoom worm will gather e-mail addresses from your local computer and redistribute itself. The original Mydoom worm was first spotted in January 2004 and went on to become the fastest-spreading e-mail worm ever. In the worst cases this worm can allow attackers to access your computer, stealing passwords and personal data; however, it is also interesting in that, besides the trojan, the other payload it carried was a denial of service attack on the website of the SCO Group. Later versions of the worm have included denial of service attacks on other sites, including Google and Lycos.