Re: Strange services.exe file
From: Tomasz Papszun (tomek-incid_at_lodz.tpsa.pl)
Date: 12/11/03
- Previous message: dano: "Fw: services.exe file"
- In reply to: Nick FitzGerald: "Re: Strange services.exe file"
- Next in thread: Tom Wright: "Re: [mailinglists] Strange services.exe file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Dec 2003 13:07:23 +0100
To: incidents@securityfocus.com
On Thu, 11 Dec 2003 at 0:28:40 +1300, Nick FitzGerald wrote:
> Dano <dan@thejamzone.com> wrote:
>
> > Hello, I came across a strange services.exe file in WinXP and don't know
> > how it got there. This services.exe landed in the root
> > c:\windows\services.exe with a hidden attrib flag set. There was also a
> > registry key set at HKLM/software/microsoft/windows/currentversion/run
> > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
> > do was send data back to hosts dhcp-ve3-101.cable.amis.net
> > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
> > progress of dissecting this to find out what exactly it does. Does anyone
> > know anything about this?
>
> Please send a copy of it to some reverse engineering experts -- perhaps
> folk who make a living doing such stuff such as the malware analysts at
> the large antivirus companies. I have included my standard list of
> suspicious file submission addresses to save you having to dig them out
> for yourself -- please send the file to several of these that you trust
> to do the right thing...
>
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854
Hello, Nick.
Seems that you forgot to actually include that list of addresses :-) .
In case you haven't got the Clam AntiVirus (ClamAV) submission address
yet, here you are:
http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
We ask everyone who has viruses / suspicious files to submit them at the
above URL.
We will be grateful if you verify, _before_ you submit, that a virus
isn't yet detected by ClamAV (to save us the time spent on needless
submissions).
The link to "ClamAV online specimen scanner" is at the same URL.
"Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
of this software is the integration with mail servers (attachment
scanning)." http://clamav.sourceforge.net/
Regards
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.
tomek@clamav.net http://www.ClamAV.net/ A GPL virus scanner
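A host triage check for the two indicators Dano reports above (a hidden services.exe directly under the Windows directory, and an HKLM Run value launching it), added here as an example and not taken from anyone in the thread. It assumes a current Windows host with PowerShell, that `$env:SystemRoot` is the directory Dano calls `c:\windows`, and that the genuine Service Control Manager binary lives in `System32`.

```powershell
# Added triage example (not part of the original thread). Flags a services.exe
# sitting directly in the Windows directory (the legitimate one is in System32)
# and any HKLM Run value that launches a services.exe from outside System32,
# matching the persistence described in the thread. Run elevated; read-only.

$windir  = $env:SystemRoot                       # assumed to be C:\WINDOWS
$suspect = Join-Path $windir 'services.exe'      # path reported in the thread
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# 1. File indicator: existence, hidden attribute, size, timestamp, signature.
if (Test-Path -LiteralPath $suspect) {
    $item   = Get-Item -LiteralPath $suspect -Force   # -Force includes hidden files
    $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $findings += [pscustomobject]@{
        Indicator = 'File'
        Detail    = "$suspect exists (hidden=$hidden, size=$($item.Length), modified=$($item.LastWriteTime))"
    }
    # The real services.exe is Microsoft-signed; an unsigned copy is another red flag.
    $sig = Get-AuthenticodeSignature -FilePath $suspect
    $findings += [pscustomobject]@{
        Indicator = 'Signature'
        Detail    = "$suspect : $($sig.Status)"
    }
}

# 2. Persistence indicator: Run values like "services C:\WINDOWS\services.exe -i".
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }       # skip PowerShell metadata properties
        $value = [string]$prop.Value
        if ($value -match '(?i)services\.exe' -and $value -notmatch '(?i)\\System32\\') {
            $findings += [pscustomobject]@{
                Indicator = 'RunKey'
                Detail    = "$runKey\$($prop.Name) = $value"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No services.exe indicators from the thread were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

If anything is flagged, preserve the file and registry value before removing them so they can be submitted to the scanner vendors as Nick and Tomasz suggest.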