Re: Strange services.exe file
From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 12/10/03
- Previous message: jcanaves_at_ucsd.edu: "Re: Strange SNMP probes suddenly appearing"
- In reply to: Dano: "Strange services.exe file"
- Next in thread: Nick FitzGerald: "Re: Strange services.exe file"
- Reply: Nick FitzGerald: "Re: Strange services.exe file"
- Reply: Harlan Carvey: "Re: Strange services.exe file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 10 Dec 2003 17:09:30 +0100 To: incidents@securityfocus.com
On 2003-12-08 Dano wrote:
> Hello, I came across a strange services.exe file in WinXP and don't
> know how it got there. This services.exe landed in the root
> c:\windows\services.exe with a hidden attrib flag set. There was also
> a registry key set at HKLM/software/microsoft/windows/currentversion/run
> with the value "services C:\WINDOWS\services.exe -i". What it appeared
> to do was send data back to hosts dhcp-ve3-101.cable.amis.net
> (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm stil in
> progress of disecting this to find out what exactly it does.
Probably the XTC worm (or a mutation of it).
http://vil.nai.com/vil/content/v_98913.htm
Regards
Ansgar Wiechers
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: jcanaves_at_ucsd.edu: "Re: Strange SNMP probes suddenly appearing"
- In reply to: Dano: "Strange services.exe file"
- Next in thread: Nick FitzGerald: "Re: Strange services.exe file"
- Reply: Nick FitzGerald: "Re: Strange services.exe file"
- Reply: Harlan Carvey: "Re: Strange services.exe file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
