Re: Strange services.exe file

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 12/11/03

  • Next message: Bassett, Mark: "FW: New Worm or Worm Variant?"
    Date: Thu, 11 Dec 2003 05:46:29 -0800 (PST)
    To: incidents@securityfocus.com
    
    

    Ansgar,

    Unfortunately, there seem to be responses to this post
    for every bit of malware that uses the name
    service.exe or services.exe.

    A couple of things come to mind...the first of which
    is, what about the '-i' switch?

    Second, I'm going to assume that the original poster
    (OP) corresponded the executable to the destination IP
    addresses using fport.exe...but it would be nice to
    see more info, like the actual output of fport, as
    well as tlist/pslist/listdlls/handle, etc. Also,
    maybe a copy of the executable (zipped up, of course).

    --- Ansgar -59cobalt- Wiechers
    <bugtraq@planetcobalt.net> wrote:
    > On 2003-12-08 Dano wrote:
    > > Hello, I came across a strange services.exe file in WinXP and don't
    > > know how it got there. This services.exe landed in the root
    > > c:\windows\services.exe with a hidden attrib flag set. There was also
    > > a registry key set at HKLM/software/microsoft/windows/currentversion/run
    > > with the value "services C:\WINDOWS\services.exe -i". What it appeared
    > > to do was send data back to hosts dhcp-ve3-101.cable.amis.net
    > > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
    > > progress of dissecting this to find out what exactly it does.
    >
    > Probably the XTC worm (or a mutation of it).
    >
    > http://vil.nai.com/vil/content/v_98913.htm
    >
    > Regards
    > Ansgar Wiechers
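The triage Harlan asks for above (map each open port to its owning process and image path with fport, then check whether a binary carrying a core Windows name is running from somewhere other than the system directory, and pull the image path out of the Run value) can be scripted against the collected output. The following Python is an added example, not code from this thread or from fport's authors; the fport row layout (`Pid  Process  ->  Port  Proto  Path`) is assumed from the tool's usual output, and the sample listing, including the `C:\WINDOWS\services.exe` entry modelled on the original report, is constructed.

```python
"""Triage helper for fport-style port-to-process listings (added example).

Assumed fport output layout: one line per socket, columns
    Pid  Process  ->  Port  Proto  Path
The sample text below is constructed, not captured from a real host.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: the genuine services.exe in system32 plus a look-alike
# in C:\WINDOWS, the location reported in the original post.
SAMPLE_FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
864   services       ->  1025  TCP   C:\\WINDOWS\\system32\\services.exe
1272  services       ->  1046  TCP   C:\\WINDOWS\\services.exe
4     System         ->  445   TCP
1104  svchost        ->  135   TCP   C:\\WINDOWS\\system32\\svchost.exe
"""


class PortEntry(NamedTuple):
    pid: int
    process: str
    port: int
    proto: str
    path: str  # empty for kernel-owned sockets (System, pid 4)


# Matches data rows only; the banner and column header do not start with a pid.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")


def parse_fport(text: str) -> List[PortEntry]:
    """Parse fport-style text into PortEntry records, skipping non-data lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(PortEntry(int(m[1]), m[2], int(m[3]), m[4], m[5]))
    return entries


# Core Windows binaries that malware commonly imitates by name; on a healthy
# host these run only from the system directory.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")


def path_reason(path: str) -> Optional[str]:
    """Explain why an image path is suspicious, or return None if it is not."""
    if not path:
        return None
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        return f"{name} running from {path} instead of the system directory"
    return None


def run_value_image(value: str) -> Tuple[str, str]:
    """Split an autorun value's data into (image path, arguments).

    Handles the quoted form "C:\\Program Files\\x.exe" /arg and the bare form
    C:\\WINDOWS\\services.exe -i seen in the original report.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    head, _, tail = value.partition(" ")
    return head, tail.strip()


def triage(fport_text: str, run_values: Dict[str, str]) -> List[str]:
    """Return one finding per suspicious port owner or autorun entry."""
    findings = []
    for e in parse_fport(fport_text):
        reason = path_reason(e.path)
        if reason:
            findings.append(f"pid {e.pid} port {e.port}/{e.proto}: {reason}")
    for name, data in run_values.items():
        image, args = run_value_image(data)
        reason = path_reason(image)
        if reason:
            findings.append(f"Run value '{name}' (args '{args}'): {reason}")
    return findings


if __name__ == "__main__":
    # Constructed Run key contents; the 'services' value mirrors the report.
    for finding in triage(SAMPLE_FPORT_OUTPUT,
                          {"services": "C:\\WINDOWS\\services.exe -i"}):
        print(finding)
```

The check is deliberately narrow: it only flags well-known system binary names outside the system directory, which is exactly the pattern in the report (a `services.exe` in `C:\WINDOWS` rather than `system32`). Real fport output on a given host may differ in spacing, so `LINE_RE` should be checked against a captured listing before relying on it.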

