Re: Strange services.exe file

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 12/10/03

  • Next message: Tom Wright: "Re: [mailinglists] Strange services.exe file"
    Date: Thu, 11 Dec 2003 00:28:40 +1300
    To: incidents@securityfocus.com
    
    

    Dano <dan@thejamzone.com> wrote:

    > Hello, I came across a strange services.exe file in WinXP and don't know
    > how it got there. This services.exe landed in the root
    > c:\windows\services.exe with a hidden attrib flag set. There was also a
    > registry key set at HKLM/software/microsoft/windows/currentversion/run
    > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
    > do was send data back to hosts dhcp-ve3-101.cable.amis.net
    > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
    > progress of dissecting this to find out what exactly it does. Does anyone
    > know anything about this?

    Please send a copy of it to some reverse engineering experts -- perhaps
    folk who make a living doing such stuff such as the malware analysts at
    the large antivirus companies. I have included my standard list of
    suspicious file submission addresses to save you having to dig them out
    for yourself -- please send the file to several of these that you trust
    to do the right thing...

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854