RE: Strange services.exe file

Josh.Berry_at_compucom.com
Date: 12/11/03

  • Next message: Nick FitzGerald: "Re: Strange services.exe file"
    To: <dan@thejamzone.com>
    Date: Wed, 10 Dec 2003 17:41:46 -0600
    
    

    I have seen lots of Trojans that are named services.exe. Many of them
    have been different variations of Serv-U FTP server. I use fport from
    Foundstone to see what ports the executable is listening on and what
    servers/ports it is connecting to.

    -----Original Message-----
    From: Dano [mailto:dan@thejamzone.com]
    Sent: Monday, December 08, 2003 4:40 PM
    To: incidents@securityfocus.com
    Subject: Strange services.exe file

    Hello, I came across a strange services.exe file in WinXP and don't know
    how it got there. This services.exe landed in the root
    c:\windows\services.exe with a hidden attrib flag set. There was also a
    registry key set at HKLM/software/microsoft/windows/currentversion/run
    with the value "services C:\WINDOWS\services.exe -i". What it appeared
    to do was send data back to hosts dhcp-ve3-101.cable.amis.net
    (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
    the process of dissecting this to find out what exactly it does. Does
    anyone know anything about this?
     
    Thanks
    Dan
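
Added example, not part of either message: a triage check for the pattern reported above, where a Run-key value launches a file that carries a Windows system binary's name but sits outside System32. The `reg query`-style sample text is constructed (its first value is the one quoted in the post), and the name list and `C:\WINDOWS` system root are assumptions.

```python
import ntpath
import re

# Assumed list: system binaries that legitimately live only in System32.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM_ROOT = r"C:\WINDOWS"  # assumed system root for %SystemRoot% / %windir%
EXPECTED_DIR = ntpath.join(SYSTEM_ROOT, "System32").lower()

# Constructed sample in `reg query` output layout.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    services    REG_SZ    C:\WINDOWS\services.exe -i
    SoundMan    REG_SZ    "C:\Program Files\Audio\soundman.exe" /tray
    Updater    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k upd
"""

VALUE_LINE = re.compile(
    r"^\s+(?P<name>\S.*?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
EXE_PATH = re.compile(
    r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe)(?=\s|$))', re.IGNORECASE)

def executable_of(command):
    """Return the normalized executable path from a Run-key command line."""
    expanded = re.sub(r"%(systemroot|windir)%", lambda m: SYSTEM_ROOT,
                      command, flags=re.IGNORECASE)
    m = EXE_PATH.match(expanded)
    if m:
        path = m.group("q") or m.group("u")
    else:  # no quotes and no .exe: fall back to the first token
        parts = expanded.split()
        path = parts[0] if parts else ""
    return ntpath.normpath(path) if path else ""

def find_masquerading(reg_output):
    """List (value name, path) for system-named binaries outside System32."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        exe = executable_of(m.group("data"))
        name = ntpath.basename(exe).lower()
        if name in SYSTEM_NAMES and ntpath.dirname(exe).lower() != EXPECTED_DIR:
            hits.append((m.group("name"), exe))
    return hits

if __name__ == "__main__":
    for value_name, exe in find_masquerading(SAMPLE):
        print(f"suspicious autorun '{value_name}': {exe}")
```

A hit only means the path is wrong for that file name; the file itself still needs to be hashed and examined.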
     
