Re: [mailinglists] Strange services.exe file
From: Tom Wright (tom_at_keyfocus.net)
Date: 12/10/03
- Previous message: Nick FitzGerald: "Re: Strange services.exe file"
- In reply to: Dano: "Strange services.exe file"
- Next in thread: jdavison3_at_cox.net: "Re: Strange services.exe file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Dano" <dan@thejamzone.com>, <incidents@securityfocus.com>
Date: Wed, 10 Dec 2003 08:53:06 -0000
> Hello, I came across a strange services.exe file in WinXP and don't know
> how it got there. This services.exe landed in the root
> c:\windows\services.exe with a hidden attrib flag set. There was also a
> registry key set at HKLM/software/microsoft/windows/currentversion/run
> with the value "services C:\WINDOWS\services.exe -i". What it appeared to
> do was send data back to hosts dhcp-ve3-101.cable.amis.net
> (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
> progress of dissecting this to find out what exactly it does. Does anyone
> know anything about this?
There are several worms that install themselves with this name, though
usually not in that directory.
The genuine system file of that name lives in C:\WINDOWS\system32, so
placing it in C:\WINDOWS\ is a good place to hide it.
I assume your virus scanner came up negative on this file, which means it is
probably a customised trojan.
The MS dumpbin utility is good for exposing the system calls the exe uses,
which gives a good idea of what it is trying to do.
- Tom
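
The location mismatch discussed in this message (the genuine services.exe lives in C:\WINDOWS\system32, the reported copy sat in C:\WINDOWS and was started from the Run key) can be checked mechanically over exported Run-key values. The following is an added example, not part of the original thread; the function names, the list of protected binary names, the default system root and every sample entry except the one quoted in the post are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: core binaries expected to run only from %SystemRoot%\System32.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "svchost.exe",
                 "winlogon.exe", "csrss.exe"}

def exe_path(command, system_root=r"C:\WINDOWS"):
    """Return the executable path from the data of a Run-key value."""
    command = re.sub(r"%(systemroot|windir)%", lambda m: system_root,
                     command.strip(), flags=re.I)
    if command.startswith('"'):  # quoted path, arguments follow the quote
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?=\s|$)", command, re.I)  # unquoted, may hold spaces
    return m.group(1) if m else command.split(" ", 1)[0]

def is_masquerading(command, system_root=r"C:\WINDOWS"):
    """True if a protected system name is launched from outside System32."""
    path = exe_path(command, system_root)
    if ntpath.basename(path).lower() not in SYSTEM32_ONLY:
        return False
    # normpath collapses ".." so a traversal out of System32 is still caught.
    # A bare name with no directory is also flagged, for manual review.
    actual = ntpath.normpath(ntpath.dirname(path)).lower()
    return actual != ntpath.join(system_root, "System32").lower()

def find_masquerading(run_entries):
    """Return the names of Run-key values whose command is flagged."""
    return [name for name, cmd in run_entries.items() if is_masquerading(cmd)]

# Run-key values as name -> data. "services" is the entry quoted in the post;
# the others are constructed sample data.
RUN_ENTRIES = {
    "services": r"C:\WINDOWS\services.exe -i",
    "genuine": r"%SystemRoot%\system32\services.exe",
    "updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "traversal": r"C:\WINDOWS\System32\..\services.exe",
}

if __name__ == "__main__":
    for name in find_masquerading(RUN_ENTRIES):
        print("suspicious Run entry:", name, "->", RUN_ENTRIES[name])
```
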