gkdunlap

chameleon svchost.exe - why is this needed

5 posts in this topic

I have an svchost that runs high on CPU on a Win 7 64-bit machine. I read this article about searching for svchost.exe from the start. When I do the search I find one under system32 and one under "C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon". What is this for? I can't rename it. No virus tools pick it up. Looks suspicious.


Greetings and welcome :)

You can rename it as long as you have administrative privileges, although it is not recommended. As for why it's there and why it's needed, that's because many forms of malware these days will block or allow processes based on their names, and svchost.exe (an essential system process) is one of those names which is frequently allowed to run. This enables Malwarebytes Chameleon to be used to bypass such infections in order to get itself, and thus Malwarebytes Anti-Malware, running in order to remove the infection(s) from the system.


The objective of malware is to run its payload on one's infected computer for as long as possible.

To effect this, malware will perform various "self-preservation" techniques. One is to set a local policy to disable the Task Manager so one cannot "kill" a malicious process. Another is to have a laundry list of anti-malware program and/or utility names and, while the malicious software is running, block the execution of these software programs and/or utilities.

To thwart this kind of activity, one can rename an anti-malware program and/or utility to a common name that the malware wants to run, such as "IEXPLORE.EXE", which is the executable for Internet Explorer. Others may also block the execution of any EXE files. Then one can rename an anti-malware program and/or utility to have a .COM executable extension. For example, many will have "Process Explorer" by Sysinternals (a division of Microsoft) in their list. One can copy the file utility from "procexp.exe" to something inane such as "dave.com" and then execute "dave.com".

Malwarebytes has created a set of alternative names to help thwart this kind of malicious software self-preservation activity, and it is called "Chameleon".


One thing to add: this svchost does not run in memory. The only time it runs is when you execute Chameleon. This is not your problem with memory usage, as it doesn't normally run.

The Microsoft svchost.exe in sysdir is just the parent process. You need to figure out what is running underneath it that is causing the memory issue. You can use Process Explorer to help figure this out, or visit our computer help subforum.

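A scripted version of the triage described in the post above, added here as an example and not part of the original thread or of any Malwarebytes tool: it maps each running svchost.exe to the services it hosts (what actually sits "underneath" the parent process), reports accumulated CPU time and Authenticode status, and flags any copy running from outside %SystemRoot%\System32. It assumes an elevated prompt and PowerShell 3 or later.

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell
# prompt; some process paths are only readable with administrative rights.

$system32 = Join-Path $env:SystemRoot 'System32'

# The service-to-host-process mapping is kept by the Service Control Manager
# (Win32_Service.ProcessId), not by svchost.exe itself.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }

Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $path = $proc.Path   # $null for protected processes if not elevated

    # Services whose host PID is this svchost instance.
    $hosted = $services |
        Where-Object { $_.ProcessId -eq $proc.Id } |
        Select-Object -ExpandProperty Name

    # Signature check on the image file actually backing the process.
    $sig = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }

    # The genuine service host lives under System32. A copy elsewhere
    # (for example a renamed tool like the Chameleon copy discussed in the
    # thread) would show up here as OTHER and is worth a closer look.
    $location = if ($path -and ($path -like (Join-Path $system32 '*'))) { 'System32' } else { 'OTHER' }

    [PSCustomObject]@{
        PID       = $proc.Id
        CPUSec    = [math]::Round($proc.CPU, 1)   # total processor seconds so far
        Location  = $location
        Signature = $sig
        Services  = if ($hosted) { $hosted -join ', ' } else { '(none registered)' }
        Path      = $path
    }
} | Sort-Object CPUSec -Descending | Format-Table -AutoSize
```

On a stock Windows 7 without PowerShell 3, `tasklist /svc` gives the same PID-to-service mapping from a plain command prompt.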
