Are Lsass and Svchost a Worm??
I I I I
05-18-2008, 03:09 PM
Hi.
With all the scan options enabled, Threat Expert detects 3 heap pages of Svchost and Lsass as a worm.
Report page: http://www.mediafire.com/?gemjcz9tlee
Is it a false positive?
Sergei
05-20-2008, 06:28 AM
Thanks for reporting this situation - it's actually very interesting.
It sounds like your computer is under attack from a network-aware worm that resides on the same network.
Most likely, your RPC DCOM service has accepted an incoming connection (e.g. on port 445) from a remote computer infected with a worm. The worm running on the remote computer attempts to exploit and infect your machine, thus it constructs a malformed package and sends it across the network to your machine.
Your RPC DCOM service has accepted a connection, received the malformed package and loaded it into the memory buffer. TEMS has detected that malformed package in memory (in the heap, not in the process module itself) and reported it.
It does not mean you are infected, but it means 1) some other computer in your network is infected (most likely with Sasser/Spybot/Randex/Gaobot/IRC bot or some other RPC DCOM worm) and 2) you need to make sure you run an effective firewall for your computer, that would reject such probes.
Hopefully your computer is patched, thus the remote worm was not able to compromise your system. Otherwise, TEMS would have detected the same infection - not in the heap, but in the main module of some other (malicious) process.
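The distinction Sergei draws (a signature found in a non-executable heap buffer that a service merely received, versus the same signature found in a loaded module or in executable private memory) can be modelled with the region information Windows exposes through VirtualQueryEx. The block below is an added example written for this thread, not ThreatExpert's or TEMS's own code; the "Example.Worm.RPC" pattern, the addresses and the memory layouts are constructed for illustration and are not a real worm signature.

```python
"""
Classify signature hits by the kind of memory they land in, so a hit in a
received network buffer is not reported as an infected process image.
Added example for this thread; not ThreatExpert/TEMS code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# MEMORY_BASIC_INFORMATION constants (winnt.h), as returned by VirtualQueryEx
MEM_PRIVATE = 0x20000         # heap, stack, VirtualAlloc'd buffers
MEM_MAPPED = 0x40000          # section/file mappings that are not PE images
MEM_IMAGE = 0x1000000         # a loaded EXE or DLL
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_PROTECT_MASK = 0xF0      # every PAGE_EXECUTE* value has a bit in 0xF0


@dataclass
class Region:
    base: int
    mem_type: int
    protect: int
    data: bytes                # what ReadProcessMemory would return
    module: Optional[str] = None   # backing file for MEM_IMAGE regions


@dataclass
class Hit:
    address: int
    signature: str
    region: Region

    @property
    def verdict(self) -> str:
        # Pattern is inside a loaded module: the process image is malicious.
        if self.region.mem_type == MEM_IMAGE:
            return "infected-module"
        # Pattern in executable private memory: something was injected and can run.
        if self.region.protect & EXEC_PROTECT_MASK:
            return "injected-code"
        # Pattern in a non-executable heap/stack page: received data, not running code.
        return "inbound-payload"


def scan(regions: List[Region], signatures: Dict[str, bytes]) -> List[Hit]:
    """Byte-pattern scan over every region, recording every occurrence."""
    hits: List[Hit] = []
    for r in regions:
        for name, pattern in signatures.items():
            off = r.data.find(pattern)
            while off != -1:
                hits.append(Hit(r.base + off, name, r))
                off = r.data.find(pattern, off + 1)
    return hits


def triage(hits: List[Hit]) -> str:
    """Is the process itself compromised, or did it only receive a probe?"""
    verdicts = {h.verdict for h in hits}
    if verdicts & {"infected-module", "injected-code"}:
        return "process-compromised"
    if "inbound-payload" in verdicts:
        return "payload-received-not-executing"
    return "clean"


# Constructed pattern: stands in for a real worm signature, which this is not.
SIGNATURES = {"Example.Worm.RPC": b"\x90\x90\x90\x90EXAMPLE-RPC-WORM-PAYLOAD"}


def lsass_hits() -> List[Hit]:
    """Patched lsass.exe that accepted a probe: exploit bytes sit only in a RW heap page."""
    image = Region(0x01000000, MEM_IMAGE, PAGE_EXECUTE_READ,
                   b"MZ" + b"\x00" * 64, module="lsass.exe")
    heap = Region(0x00150000, MEM_PRIVATE, PAGE_READWRITE,
                  b"\x00" * 32 + SIGNATURES["Example.Worm.RPC"] + b"\x00" * 32)
    return scan([image, heap], SIGNATURES)


def lsass_receiving_probe() -> str:
    return triage(lsass_hits())


def infected_process() -> str:
    """The same bytes inside a module image: the process is the infection."""
    image = Region(0x00400000, MEM_IMAGE, PAGE_EXECUTE_READ,
                   b"MZ" + SIGNATURES["Example.Worm.RPC"], module="evil.exe")
    return triage(scan([image], SIGNATURES))


if __name__ == "__main__":
    for h in lsass_hits():
        print(f"{h.signature} at {h.address:#010x} -> {h.verdict}")
    print("lsass:", lsass_receiving_probe())
    print("other process:", infected_process())
```

On a live system the regions would come from VirtualQueryEx and ReadProcessMemory on each process; the classification step is the same. A page-level scanner that reports only "signature at address" cannot tell these two cases apart, which is why a heap hit in lsass or svchost should be read together with a network capture or firewall log for port 445 rather than as proof the host is infected.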
I I I I
05-21-2008, 01:06 PM
Thank you very much Sergei :) . I use the old version of PCtools Firewall Plus. I haven't updated it because I have Windows XP, and so I'm afraid that PCtools Firewall's drivers could cause some problems (see the image; Windows tells me that when I try to install it. Sorry, I haven't found any image of this in English :o ); the current version doesn't cause any problem, but...
ZeusVictim
05-20-2010, 07:36 PM
I know this thread is already 2 yrs old, but it's sort of applicable to my situation, too:
It sounds like your computer is under attack from a network-aware worm that resides on the same network.
Most likely, your RPC DCOM service has accepted an incoming connection (e.g. on port 445) from a remote computer infected with a worm. The worm running on the remote computer attempts to exploit and infect your machine, thus it constructs a malformed package and sends it across the network to your machine.
Your RPC DCOM service has accepted a connection, received the malformed package and loaded it into the memory buffer. TEMS has detected that malformed package in memory (in the heap, not in the process module itself) and reported it.
I am actually experiencing something like this, too - however without any other Windows machines running on the network, in fact even without any other machines at all, and even when scanning the machine without any network connection at all. Still, TEMS may in some cases find zbot/zeus signatures in some processes.
For example, on one machine (Vista 32 bit) after booting, TEMS directly finds zeus signatures in the Windows Defender process (spawned via svchost, secsvcs.dll); once I stop the service, no matches are found any longer.
My impression is that these are either false positives due to unpacked signatures found in memory, or that these are actual matches of zeus/zbot hiding, ironically, in Defender.
However, it is hard to proceed further without knowing how exactly the comprehensive scan in TEMS works, i.e. whether it is just looking for insn patterns or really looking for referenced and possibly running code!?