
chameleon svchost.exe - why is this needed

4 replies to this topic

#1 gkdunlap
    New Member
  • Members
  • 1 posts

Posted 22 July 2013 - 02:47 PM

I have a svchost that runs high on CPU on a Win 7 - 64bit. I read this article about searching for svchost.exe from the start. When I do the search I find one under system32 and one under "C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon". What is this for? I can't rename it. No virus tools pick it up. Looks suspicious.



#2 exile360
    exile
  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 22 July 2013 - 03:16 PM

Greetings and welcome :)

You can rename it as long as you have administrative privileges, although it is not recommended. As for why it's there and why it's needed: many forms of malware these days will block or allow processes based on their names, and svchost.exe (an essential system process) is one of those names which is frequently allowed to run. This enables Malwarebytes Chameleon to be used to bypass such infections in order to get itself, and thus Malwarebytes Anti-Malware, running in order to remove the infection(s) from the system.
Samuel E Lindsey
Product Manager


#3 pondus
    Elite Member
  • Malware Hunters
  • 592 posts
  • Gender:Male
  • Location:Bergen - Norway

Posted 22 July 2013 - 03:32 PM

 

"C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon". What is this for?

Use Chameleon to run Malwarebytes Anti-Malware on infected systems

http://helpdesk.malw...nfected-systems


Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.





#4 David H. Lipman
    Forum Deity
  • Experts
  • 4,256 posts
  • Gender:Male
  • Location:Jersey Shore USA
  • Interests:Malware Research, dSLR Photography, Numismatics & Surf Fishing

Posted 22 July 2013 - 03:56 PM

The objective of malware is to run its payload on one's infected computer for as long as possible.

To effect this, malware will perform various "self-preservation" techniques. One is to set a local policy to disable the Task Manager so one cannot "kill" a malicious process. Another is to have a laundry list of anti-malware program and/or utility names and, while the malicious software is running, block the execution of these programs and/or utilities.

To thwart this kind of activity, one can rename an anti-malware program and/or utility to a common name that the malware wants to run, such as "IEXPLORE.EXE", which is the executable for Internet Explorer. Others may also block the execution of any EXE files. Then one can rename an anti-malware program and/or utility to have a .COM executable extension. For example, many will have "Process Explorer" by Sysinternals (a division of Microsoft) in their list. One can copy the utility from "procexp.exe" to something inane such as "dave.com" and then execute "dave.com".

Malwarebytes has created a set of alternative names to help thwart this kind of malicious-software self-preservation activity, and it is called "Chameleon".


David H. Lipman
DLipman@Verizon.Net

#5 shadowwar
    Forum Deity
  • Moderators
  • 5,251 posts
  • Gender:Male

Posted 22 July 2013 - 05:05 PM

One thing to add: this svchost does not run in memory. The only time it runs is when you execute Chameleon. This is not your problem with memory usage, as it doesn't normally run.

The Microsoft svchost.exe in sysdir is just the parent process. You need to figure out what is running underneath it that is causing the memory issue. You can use Process Explorer to help figure this out, or visit our computer help subforum.


Rich Matteo
Research Engineer
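Worked example, added to this thread and not code from any of the posters or from Malwarebytes: a PowerShell script a defender can run to do from the command line what posts #4 and #5 describe. It checks whether a local policy has disabled Task Manager, then lists every running svchost.exe with the services it hosts and its CPU time, flagging any instance whose image is outside System32/SysWOW64 (the Chameleon copy should not be running at all unless Chameleon was launched). The DisableTaskMgr policy value and the Win32_Service ProcessId property are standard Windows locations; Get-WmiObject is used instead of Get-CimInstance so the script runs on Windows 7's PowerShell 2.0. Run it from an elevated prompt so the image paths of system processes are readable.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Run from an elevated PowerShell prompt (works on PowerShell 2.0 and later).

# --- Part 1: the "disable Task Manager" self-preservation trick (post #4) ---
# The policy is a DWORD named DisableTaskMgr under Policies\System; 1 = disabled.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $item = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($item -and $item.DisableTaskMgr -eq 1) {
        Write-Warning "Task Manager is disabled by policy at $key (DisableTaskMgr=1)"
    }
}

# --- Part 2: what is running underneath each svchost.exe? (post #5) ---
# svchost.exe is only a host; the CPU belongs to the services loaded into it.
# Win32_Service reports the ProcessId of its host, so group services by that id.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')   # 32-bit hosts on 64-bit Windows
)

$report = Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $hostPid  = $_.Id
    $services = Get-WmiObject -Class Win32_Service -Filter "ProcessId = $hostPid" |
                ForEach-Object { $_.Name }

    # Path is $null when the caller may not open the process (e.g. not elevated).
    $path = $_.Path
    $inExpectedDir = $false
    foreach ($dir in $expectedDirs) {
        if ($path -and $path -like "$dir\*") { $inExpectedDir = $true }
    }

    $cpuSec = 0
    if ($_.CPU) { $cpuSec = [math]::Round($_.CPU, 1) }
    $wsMb   = [math]::Round($_.WorkingSet64 / 1MB, 1)
    $note   = ''
    if ($path -and -not $inExpectedDir) { $note = 'UNEXPECTED PATH' }
    if (-not $path) { $path = '(access denied)' }

    New-Object PSObject -Property @{
        PID      = $hostPid
        CPUSec   = $cpuSec
        WS_MB    = $wsMb
        Note     = $note
        Services = ($services -join ', ')
        Path     = $path
    }
}

# Busiest host first; the Services column tells you which services to look at next.
$report | Sort-Object CPUSec -Descending |
    Select-Object PID, CPUSec, WS_MB, Note, Services, Path |
    Format-Table -AutoSize -Wrap
```

The built-in `tasklist /svc` gives the same process-to-service mapping without PowerShell, and Process Explorer shows it interactively (hover over an svchost.exe row). A host with high CPU and several services listed still needs narrowing down; restarting the listed services one at a time, or examining their threads in Process Explorer, is the next step.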
