• ERASEME_62127.EXE
• NEWBULK[1].EXE
• 89303003.DAT
• ERASEME_28023.EXE
• ERASEME_32567.EXE
• ERASEME_25675.EXE
• ERASEME_68544.EXE
• ERASEME_31224.EXE
• ERASEME_35210.EXE
• NEWBOX[1].EXE
• ERASEME_41041.EXE
• NEWBOX[2].EXE
• ERASEME_83547.EXE
• SETUP_26411.EXE
• ERASEME_41657.EXE
• ERASEME_47881.EXE
• SETUP_73217.EXE
• ERASEME_36460.EXE
• ERASEME_50272.EXE
• A0030427.EXE
• ERASEME_45085.EXE
• BUTNOU.EXE
• 75168437.EXE
• 12850163.EXE
• 95839158.EXE
• 36530968.EXE
• 87205642.EXE
• 50856247.EXE
• 46767096.EXE
• 73586562.EXE
• 46394293.EXE
• 52940364.EXE
• SVSHOST.EXE.Q_804500E_Q
• SVSHOST.EXE.Q_804500E_Q.OLD
• 11204965.EXE
• DAVID & LENORA.HOM
• 24602385.EXE
• 95420229.EXE
• 97464973.EXE
• 52032735.0XE
• 74363351.EXE
• 88853003.EXE
• 01773277.EXE
• 99690632.UPL
• 59537244.EXE
• SVSHOST.EXE~
• 85508691.EXE
• 24900826.EXE
• 14969482.EXE
• 86109253.EXE
• 61987507.EXE
• 88221157.EXE
• MTSE.EXE
• REGS.EXE
• SVSHOST.EXE.REN
• SSTP.EXE
• 03096244.EXE

The filename SVSHOST.EXE refers to mutiple instances of an executable program.

The most common file size is 937,984 bytes. But the following file sizes have also been seen:  

• 67,333 bytes
• 66,823 bytes
• 30,720 bytes
• 28,160 bytes
• 774,144 bytes

The unsafe files using this name are associated with the malware group Worm.Ircbot.Gen.

These files have no vendor, product or version information specified in the file header.

SVSHOST.EXE has been seen to perform the following behavior(s):

• The Process is packed and/or encrypted using a software packing process
• This Process Creates Other Processes On Disk
• This Process Deletes Other Processes From Disk
• Creates a TCP port which listens and is available for communication initiated by other computers
• Can communicate with other computer systems using HTTP protocols
• Executes a Process
• Registers a Dynamic Link Library File
• Makes outbound connections to other computers using NETBIOSOUT protocols
• Disables the Notification Baloon for the Windows Security Center
• Enables Access to the Remote Registry Service Within Windows
• Prevents Installation Of Windows XP Service Pack 2
• Disables the DCOM Ability within Windows
• Adds a Registry Key (RUN) to auto start Programs on system start up
• This Process uses Anti Dissasembly Tricks
• The Process is polymorphic and can change its structure
• This Process Contains User Mode Rootkit Functionality
• Enables an In Process Object/Server - Common with DLL Injections
• Writes to another Process's Virtual Memory (Process Hijacking)
• Disables Anonymous Access to the Windows Network Shares
• Executes Processes stored in Temporary Folders
• Adds Products to the system registry
• Enables a COM Object/Server on the Local Machine
• Terminates Processes
• Records Keyboard Input
• Enables the system to use a Communications Proxy Server
• Disables Windows Automatic Updates including Security Updates and Patches