Re: Strange services.exe file

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 12/11/03

Next message: Harlan Carvey: "Re: New Worm or Worm Variant?"

Previous message: Ansgar -59cobalt- Wiechers: "Re: Strange services.exe file"
In reply to: jdavison3_at_cox.net: "Re: Strange services.exe file"
Next in thread: Harlan Carvey: "Re: Strange services.exe file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 11 Dec 2003 18:32:22 +1300
To: incidents@securityfocus.com

<jdavison3@cox.net> wrote:

> SERVICES.EXE is installed on the system by Microsoft. It is a process
> which functions as the service control manager. It also runs a variety of
> Windows NT user mode functions as threads including server, browsing,
> event log, and RPC services. ...

Whilst true, this is a bit like answering "chicken" when asked if the
ocean might be blue.

The .EXE you are talking about is installed in the "system" directory.
It should _not_ be in the Windows installation directory as the OP
clearly stated was the case here. The mystery file also has the hidden
file attribute set -- another thing we would not expect of the "normal"
services.exe file.

> ... The process has had numerous security flaws
> and has been used by a bunch of worms and trojans. I would start by
> examining the event logs and looking at the two IP addresses to see if
> anything unusual is occuring. If the computer did not have the latest
> Microsoft patches then the system is very vulnerable to script attacks
> using services.exe. ...

Whilst the concluding sentence is a reasonable position to hold, it is
largely not relevant to the foregoing.

> ... Hope this helps.

Not much.

You see, filenames alone are seldom useful _AND NEVER SUFFICIENT_ for
diagnosing malware, yet that is what you have tried to do.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Harlan Carvey: "Re: New Worm or Worm Variant?"

Previous message: Ansgar -59cobalt- Wiechers: "Re: Strange services.exe file"
In reply to: jdavison3_at_cox.net: "Re: Strange services.exe file"
Next in thread: Harlan Carvey: "Re: Strange services.exe file"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Boot up problem... with a difference
... Does the computer boot into safe mode without any problems? ... Event Source: Service Control Manager ... Windows cannot unload your classes registry file - it is still in ...
(microsoft.public.windowsxp.help_and_support)
Re: Generic Host Process for Win 32 Services nightmare
... Windows Management Instrumentation to Automatic Make sure all three services ... Event Type: Error ... Event Source: Application Error ... Event Source: Service Control Manager ...
(microsoft.public.windowsxp.help_and_support)
Re: Explorer slow to find drives after Cameras installed
... Event Type: Error ... Event Source: Service Control Manager ... The Windows Image Acquisition service terminated unexpectedly. ...
(microsoft.public.windowsxp.help_and_support)
Re: Help & Support & System Restore
... Does System Restore work when you follow tmy suggestion. ... Event Source: Service Control Manager ... You can access Event Viewer by selecting Start, Control Panel, ... View and Manage Event Logs in Event Viewer in Windows XP ...
(microsoft.public.windowsxp.help_and_support)
Re: Help & Support & System Restore
... Does System Restore work when you follow tmy suggestion. ... Event Source: Service Control Manager ... You can access Event Viewer by selecting Start, Control Panel, ... View and Manage Event Logs in Event Viewer in Windows XP ...
(microsoft.public.windowsxp.help_and_support)