Re: Strange services.exe file

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 12/11/03

  • Next message: dano: "Fw: services.exe file"
    Date: Thu, 11 Dec 2003 05:56:08 -0800 (PST)
    To: incidents@securityfocus.com
    
    

    JD,

    > SERVICES.EXE is installed on the system by
    > Microsoft.

    On all of the XP systems I have access to, this file
    is installed in %SYSTEMROOT%\system32. The OP stated
    that the file in question is in the %SYSTEMROOT%
    directory.

    The legit version of services.exe on an XP system is
    launched as a service, and therefore should not be
    seen in the Run key.

    Additionally, this file is protected by WFP. It is
    not a trivial matter to disable WFP necessarily
    (depends on the skill of the attacker). Therefore,
    some attempts to simply replace the file in the
    system32 dir will result in WFP automatically
    replacing the file.

    Finally, the '-i' switch...running 'tlist -s' shows
    the services that services.exe is running:

     700 services.exe Svcs: Eventlog,PlugPlay

    Running 'tlist -c' shows the command line:

     Command Line: C:\WINDOWS\system32\services.exe

    In my experience, '-i' is not something one would
    expect to see as a switch for this particular
    executable.

    > It is a process which functions as the
    > service control manager. It also runs a variety of
    > Windows NT user mode functions as threads including
    > server, browsing, event log, and RPC services. The
    > process has had numerous security flaws and has been
    > used by a bunch of worms and trojans.

    Really? Can you specify any of them, please?

    > I would start
    > by examining the event logs and looking at the two
    > IP addresses to see if anything unusual is occurring.

    I hope you're not suggesting that someone look for the
    IP addresses in the EventLogs...

    > If the computer did not have the latest Microsoft
    > patches then the system is very vulnerable to script
    > attacks using services.exe.

    Again, please elaborate...can you give examples of the
    script attacks using services.exe?

    >Hope this helps.
    >
    > JD
    >
    > > From: Dano <dan@thejamzone.com>
    > > Date: 2003/12/08 Mon PM 05:40:10 EST
    > > To: incidents@securityfocus.com
    > > Subject: Strange services.exe file
    > >
    > > Hello, I came across a strange services.exe file in WinXP and don't know
    > > how it got there. This services.exe landed in the root
    > > c:\windows\services.exe with a hidden attrib flag set. There was also a
    > > registry key set at HKLM/software/microsoft/windows/currentversion/run
    > > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
    > > do was send data back to hosts dhcp-ve3-101.cable.amis.net
    > > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
    > > progress of dissecting this to find out what exactly it does. Does anyone
    > > know anything about this?
    > >
    > > Thanks
    > > Dan
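The checks Harlan walks through above (a core system binary should never appear in a Run key, the legitimate copy lives in %SYSTEMROOT%\system32, the reported copy carried a hidden attribute and an unexpected '-i' switch, and 'tlist -c' shows what the running copy was actually launched with) can be automated on a current Windows host. The script below is an added example, not part of this thread and not one of Harlan's or anyone else's tools; it assumes an administrative PowerShell 4 or later session (for Get-FileHash), and the list of protected binary names it watches for is a constructed sample to extend for your own environment.

```powershell
# Added example (not from the original thread): triage Run-key entries that
# borrow the name of a Windows system binary, using the checks from the reply.
# Assumes: administrative PowerShell 4+ on Windows. $SystemBinaries is a
# constructed sample list, not an authoritative inventory.

$SystemBinaries = @('services.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe')
$System32 = Join-Path $env:SystemRoot 'System32'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Split-CommandLine {
    # Separate the executable path from its switches; handles a quoted path.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = $cmd.Substring(1, $end - 1)
        $switches = $cmd.Substring($end + 1).Trim()
    } else {
        $parts = $cmd -split '\s+', 2
        $exe = $parts[0]
        $switches = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    [pscustomobject]@{
        Exe      = [Environment]::ExpandEnvironmentVariables($exe)
        Switches = $switches
    }
}

function Find-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ...
            $parsed = Split-CommandLine ([string]$p.Value)
            $name = [IO.Path]::GetFileName($parsed.Exe).ToLower()
            if ($SystemBinaries -notcontains $name) { continue }

            # 1. The real services.exe is started by the system, never from Run.
            $findings = @("system binary name '$name' referenced from a Run key")

            # 2. Location: the legitimate copy lives in System32, not %SYSTEMROOT%.
            $dir = Split-Path $parsed.Exe -Parent
            if ($dir -ne $System32) { $findings += "path '$($parsed.Exe)' is outside $System32" }

            # 3. Switches such as the '-i' in the original report are not expected.
            if ($parsed.Switches) { $findings += "unexpected switches '$($parsed.Switches)'" }

            # 4. Hidden attribute, and a hash comparison against the System32 copy.
            if (Test-Path -LiteralPath $parsed.Exe) {
                $item = Get-Item -LiteralPath $parsed.Exe -Force
                if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
                    $findings += 'file has the hidden attribute set'
                }
                $legit = Join-Path $System32 $name
                if (Test-Path -LiteralPath $legit) {
                    $h1 = (Get-FileHash -LiteralPath $parsed.Exe -Algorithm SHA256).Hash
                    $h2 = (Get-FileHash -LiteralPath $legit -Algorithm SHA256).Hash
                    if ($h1 -ne $h2) { $findings += "SHA256 differs from $legit" }
                }
            } else {
                $findings += 'referenced file does not exist (stale entry or already removed)'
            }

            [pscustomobject]@{
                Key       = $key
                ValueName = $p.Name
                Command   = $p.Value
                Findings  = ($findings -join '; ')
            }
        }
    }
}

# Run-key review.
Find-SuspiciousRunEntries | Format-List

# The 'tlist -c' equivalent: every running services.exe should resolve to
# %SystemRoot%\System32\services.exe with an empty command-line tail.
Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" |
    Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
```

The hash comparison only tells you whether the Run-key copy is byte-identical to the System32 copy; a mismatch is a strong signal but the file still needs the analysis Dano describes (and, on a compromised host, WFP cannot be relied on to have kept the System32 copy clean either, so hash that copy against known-good media as well).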

