Re: Strange services.exe file

jdavison3_at_cox.net
Date: 12/10/03

    To: Dano <dan@thejamzone.com>, incidents@securityfocus.com
    Date: Wed, 10 Dec 2003 8:49:33 -0500
    
    

    SERVICES.EXE is installed on the system by Microsoft. It is a process which functions as the service control manager. It also runs a variety of Windows NT user mode functions as threads including server, browsing, event log, and RPC services. The process has had numerous security flaws and has been used by a bunch of worms and trojans. I would start by examining the event logs and looking at the two IP addresses to see if anything unusual is occurring. If the computer did not have the latest Microsoft patches, then the system is very vulnerable to script attacks using services.exe. Hope this helps.

    JD

    > From: Dano <dan@thejamzone.com>
    > Date: 2003/12/08 Mon PM 05:40:10 EST
    > To: incidents@securityfocus.com
    > Subject: Strange services.exe file
    >
    > Hello, I came across a strange services.exe file in WinXP and don't know
    > how it got there. This services.exe landed in the root
    > c:\windows\services.exe with a hidden attrib flag set. There was also a
    > registry key set at HKLM/software/microsoft/windows/currentversion/run
    > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
    > do was send data back to hosts dhcp-ve3-101.cable.amis.net
    > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
    > the process of dissecting this to find out what exactly it does. Does anyone
    > know anything about this?
    >
    > Thanks
    > Dan

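The indicator described in this thread (a Run-key autostart pointing at a copy of a system-process name outside System32) can be checked for mechanically. The following is an added example, not part of the original messages: it parses the text output of `reg query` on the Run key and flags such entries. The sample input is constructed, the list of process names is illustrative, and the install directory `C:\WINDOWS` is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Assumption: Windows is installed in C:\WINDOWS.
WINDIR = PureWindowsPath(r"C:\WINDOWS")
SYSTEM32 = WINDIR / "system32"
# Illustrative (not exhaustive) names that should only ever run from System32.
SYSTEM_NAMES = {"services.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}

VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_(?:EXPAND_)?SZ)\s+(.*)$")
ENV_RE = re.compile(r"%(?:SystemRoot|windir)%", re.I)
EXE_RE = re.compile(r'\s*(?:"([^"]+)"|(.+?\.exe))(?=\s|$)', re.I)

# Constructed sample of `reg query` output for
# HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    services    REG_SZ    C:\WINDOWS\services.exe -i
    Updater    REG_SZ    "C:\Program Files\Example App\updater.exe" /background
    Helper Svc    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k helper
"""

def image_path(command):
    """Return the executable path from a Run-key command line, or None."""
    command = ENV_RE.sub(lambda _: str(WINDIR), command)
    m = EXE_RE.match(command)
    return PureWindowsPath(m.group(1) or m.group(2)) if m else None

def masquerading_run_entries(reg_output):
    """List (value name, path) for system-process names outside System32."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        name, _type, data = m.groups()
        exe = image_path(data)
        # PureWindowsPath comparison is case-insensitive, like the file system.
        if exe and exe.name.lower() in SYSTEM_NAMES and exe.parent != SYSTEM32:
            findings.append((name, str(exe)))
    return findings

if __name__ == "__main__":
    for name, path in masquerading_run_entries(SAMPLE):
        print(f"suspicious autostart: {name!r} -> {path}")
```

A hit only says the name and location disagree; the file itself still needs to be examined, as the original poster was doing.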

