Re: Strange services.exe file
From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 12/10/03
Date: Wed, 10 Dec 2003 04:33:23 -0800 (PST) To: incidents@securityfocus.com
> Hello, I came across a strange services.exe file in WinXP and don't know
> how it got there. This services.exe landed in the root
> c:\windows\services.exe with a hidden attrib flag set. There was also a
> registry key set at HKLM/software/microsoft/windows/currentversion/run
> with the value "services C:\WINDOWS\services.exe -i". What it appeared to
> do was send data back to hosts dhcp-ve3-101.cable.amis.net
> (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109).
Did a Google search, or search of A/V sites turn up
anything?
> I'm still in progress of dissecting this to find out what exactly
> it does.
Well, a couple of ways to do that would be to run
openports.exe, dump the process memory and run
strings, and use Dependency Walker on the executable.
> Does anyone know anything about this?
Can you provide a copy of it, zipped up?
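
A triage check for the pattern reported in this thread, added here as an example and not part of the original message: it flags Run-key entries whose executable carries the name of a core Windows binary but sits outside System32. The function names, the list of binaries and every sample entry other than the one quoted in the message are assumptions constructed for illustration.

```python
import ntpath

# Core Windows binaries that normally load only from %SystemRoot%\System32.
# Assumed list for this example; extend it for your environment.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "svchost.exe",
                 "csrss.exe", "winlogon.exe", "smss.exe"}

# Run-key values as name -> command line. The first entry is the one quoted
# in the message; the others are constructed sample data.
SAMPLE_RUN_KEY = {
    "services": r"C:\WINDOWS\services.exe -i",
    "ctfmon": r"C:\WINDOWS\System32\ctfmon.exe",
    "updater": r'"C:\Program Files\Vendor\update.exe" /silent',
    "svc": r"c:\windows\system32\services.exe",
}

def exe_from_command(command):
    """Return the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut after the first ".exe" so paths with spaces survive.
    idx = command.lower().find(".exe")
    if idx != -1:
        return command[:idx + 4]
    return command.split()[0] if command else ""

def flag_masquerades(run_entries, system_root=r"C:\WINDOWS"):
    """List (value name, path) pairs where a system binary name is used
    by a file located somewhere other than <system_root>\\System32."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    findings = []
    for name, command in run_entries.items():
        exe = ntpath.normpath(exe_from_command(command))
        base = ntpath.basename(exe).lower()
        folder = ntpath.normcase(ntpath.dirname(exe))
        if base in SYSTEM32_ONLY and folder != expected:
            findings.append((name, exe))
    return findings

if __name__ == "__main__":
    for name, exe in flag_masquerades(SAMPLE_RUN_KEY):
        print(f"suspicious Run entry {name!r}: {exe}")
```
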