Re: Strange services.exe file

From: Tomasz Papszun (
Date: 12/11/03

  • Next message: Harlan Carvey: "RE: Strange services.exe file"
    Date: Thu, 11 Dec 2003 13:07:23 +0100

    On Thu, 11 Dec 2003 at 0:28:40 +1300, Nick FitzGerald wrote:
    > Dano <> wrote:
    > > Hello, I came across a strange services.exe file in WinXP and don't know
    > > how it got there. This services.exe landed in the root
    > > c:\windows\services.exe with a hidden attrib flag set. There was also a
    > > registry key set at HKLM/software/microsoft/windows/currentversion/run
    > > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
    > > do was send data back to hosts
    > > ( and ( I'm stil in
    > > progress of disecting this to find out what exactly it does. Does anyone
    > > know anything about this?
    > Please send a copy of it to some reverse engineering experts -- perhaps
    > folk who make a living doing such stuff such as the malware analysts at
    > the large antivirus companies. I have included my standard list of
    > suspicious file submission addresses to save you having to dig them out
    > for yourself -- please send the file to several of these that you trust
    > to do the right thing...
    > --
    > Nick FitzGerald
    > Computer Virus Consulting Ltd.
    > Ph/FAX: +64 3 3529854

    Hello, Nick.

    Seems that you forgot to actually include that list of addresses :-) .

    In case you haven't got the Clam AntiVirus (ClamAV) submission address
    yet, here you are:

    We ask everyone who has viruses / suspicious files to submit them at the
    above URL.
    We will be grateful if you verify _before_ you submit, that a virus
    isn't yet detected by ClamAV (to save our time spent on needless
    The link to "ClamAV online specimen scanner" is at the same URL.

      "Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
       of this software is the integration with mail servers (attachment


     Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only   | ones and zeros.   A GPL virus scanner

  • Next message: Harlan Carvey: "RE: Strange services.exe file"

    Relevant Pages