IIRC, it shows up with a leading space because it's a child process of NTVDM.EXE.
i.e. the process list looks like this:

ntvdm.exe
  wowexec.exe
  lview.exe

Both are notorious resource hogs, but I think you'll find this is standard 16-bit app behaviour. Of course, it wouldn't hurt to make sure that you haven't been compromised.

I could be mistaken here, I don't have any old 16-bit apps to test it with.......

- Ben

"Kevin Brown" <kbrownfox@home.com>
13/12/2001 05:05 AM
Please respond to kbrownfox
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Win2K and Lview.exe -- am I infected?

While Scott and a few others have pointed out that wowexec.exe is a legitimate process, I would be concerned if it is using a leading space in the file name. I've seen trojans that use number 1s instead of lowercase Ls in a filename such as "rund11" (as opposed to rundll) to masquerade as a legitimate app when viewed through task manager. I guess it's possible to use a leading space for a similar effect.

Brownfox

-----Original Message-----
From: Vachon, Scott [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 11:47 AM
To: [EMAIL PROTECTED]
Subject: RE: Win2K and Lview.exe -- am I infected?

>I discovered that I can go to Task Manager -- Processes, and kill the
>process " wowexec.exe" (with the leading space) and everything will be
>restored to normal behavior.
>Any idea if I have been infected with something and what I can do about
>it?

I don't think you are infected. The wowexec.exe is used (and my explanation may be somewhat off) to run legacy (or 16-bit) programs on the newer Microsoft OS's. As it was explained to me, it is a virtual DOS window to run the program in. Unfortunately, this doesn't always function well and you get a lock up or slow down (I believe it accesses the kernel directly and thus the effect on the entire system). If you watch the processes tab of the task manager window when you open the program, you will see the CPU spike to 95-100 percent utilization!

You should find a version of the program you are running that is compatible with the OS and/or 32-bit vs. 16-bit.

Disclaimer: My own two cents, probably a little off but, in the ballpark.

~S~
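
The two naming tricks raised in this thread (whitespace padding and digit-for-letter lookalikes such as "rund11") can be triaged with a small check. This is an added example, not code from any of the posters. The allowlist, the character folding table and the parent-name input are assumptions, and treating a padded wowexec.exe under ntvdm.exe as expected follows Ben's recollection above rather than a verified rule.

```python
"""Added example: triage process names for the masquerading tricks discussed in the thread."""

# Constructed allowlist of legitimate image names (an assumption, not exhaustive).
KNOWN = {"rundll32.exe", "wowexec.exe", "ntvdm.exe", "explorer.exe"}

# Characters commonly swapped to fake a name: digit 1 / letter i for l, digit 0 for o.
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(name):
    """Canonical form used to compare names that merely look alike."""
    return name.strip().lower().translate(FOLD)


# Map each folded form back to the legitimate name it imitates.
KNOWN_SKELETONS = {skeleton(k): k for k in KNOWN}


def classify(name, parent=None):
    """Return (verdict, detail) for one process name and an optional parent name."""
    lowered = name.lower()
    if lowered in KNOWN:
        return ("ok", lowered)
    stripped = lowered.strip()
    if stripped != lowered and stripped in KNOWN:
        # Per the thread, Task Manager lists wowexec.exe padded under ntvdm.exe.
        if stripped == "wowexec.exe" and (parent or "").lower() == "ntvdm.exe":
            return ("expected-padding", stripped)
        return ("suspicious-padding", stripped)
    target = KNOWN_SKELETONS.get(skeleton(name))
    if target:
        # Looks like a known name only after folding confusable characters.
        return ("lookalike", target)
    return ("unknown", stripped)


if __name__ == "__main__":
    # Constructed sample rows: (process name, parent name).
    sample = [(" wowexec.exe", "ntvdm.exe"), (" wowexec.exe", "explorer.exe"),
              ("rund1132.exe", None), ("lview.exe", "ntvdm.exe")]
    for proc, parent in sample:
        print(repr(proc), parent, classify(proc, parent))
```

An "unknown" verdict only means the name is not on the sample allowlist; confirming the image path and parent on the host is still needed before drawing a conclusion.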