Re: Strange services.exe file

From: Tomasz Papszun (tomek-incid_at_lodz.tpsa.pl)
Date: 12/11/03

    Date: Thu, 11 Dec 2003 13:07:23 +0100
    To: incidents@securityfocus.com

    On Thu, 11 Dec 2003 at 0:28:40 +1300, Nick FitzGerald wrote:
    > Dano <dan@thejamzone.com> wrote:
    >
    > > Hello, I came across a strange services.exe file in WinXP and don't know
    > > how it got there. This services.exe landed in the root
    > > c:\windows\services.exe with a hidden attrib flag set. There was also a
    > > registry key set at HKLM/software/microsoft/windows/currentversion/run
    > > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
    > > do was send data back to hosts dhcp-ve3-101.cable.amis.net
    > > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
    > > progress of dissecting this to find out what exactly it does. Does anyone
    > > know anything about this?
    >
    > Please send a copy of it to some reverse engineering experts -- perhaps
    > folk who make a living doing such stuff such as the malware analysts at
    > the large antivirus companies. I have included my standard list of
    > suspicious file submission addresses to save you having to dig them out
    > for yourself -- please send the file to several of these that you trust
    > to do the right thing...
    >
    > --
    > Nick FitzGerald
    > Computer Virus Consulting Ltd.
    > Ph/FAX: +64 3 3529854

    Hello, Nick.

    Seems that you forgot to actually include that list of addresses :-) .

    In case you haven't got the Clam AntiVirus (ClamAV) submission address
    yet, here you are:

    http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

    We ask everyone who has viruses / suspicious files to submit them at the
    above URL.
    We will be grateful if you verify, _before_ you submit, that a virus
    isn't yet detected by ClamAV (to save our time spent on needless
    submissions).
    The link to "ClamAV online specimen scanner" is at the same URL.

      "Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose
       of this software is the integration with mail servers (attachment
       scanning)." http://clamav.sourceforge.net/

    Regards

    -- 
     Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
     tomek@lodz.tpsa.pl   http://www.lodz.tpsa.pl/   | ones and zeros.
     tomek@clamav.net   http://www.ClamAV.net/   A GPL virus scanner
    
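The indicators Dano reports above (a hidden services.exe in C:\WINDOWS started from the HKLM Run key with "-i") are a classic masquerade: the genuine services.exe lives in %SystemRoot%\System32 and is started by the boot chain, never by a Run entry. The following triage script is an added example written for this page, not code from the thread or from ClamAV; the system-binary name list, the System32 directory list and the sample Run entries are constructed assumptions, and Run-key data would normally be fed in from an exported .reg file or a forensic image.

```python
"""Triage Windows Run-key autostarts for masquerading system binaries."""
import ntpath

# Core Windows processes that live in System32 and are never legitimately
# registered as Run-key autostarts (constructed allow-list for this example).
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "svchost.exe"}
# Directories where those binaries belong (lower-case, no trailing slash).
SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

# Constructed sample of (value name, value data) pairs as they would appear
# under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The first entry
# is the one described in the thread; ctfmon.exe is a normal XP autostart.
SAMPLE_RUN_ENTRIES = [
    ("services", r"C:\WINDOWS\services.exe -i"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Updater", r'"C:\Program Files\Some Vendor\updater.exe" /background'),
    ("svchost", r'"C:\Documents and Settings\dan\svchost.exe"'),
]


def split_command(data):
    """Return (image_path, arguments) for a Run-key command line.
    Handles a double-quoted path containing spaces as well as a bare path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:                      # unterminated quote: take it all
            return data.strip('"'), ""
        return data[1:end], data[end + 1:].strip()
    parts = data.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_run_entries(entries):
    """Flag Run entries whose image name is a core system process.
    Any such entry is suspect; one outside System32 is the strongest signal."""
    findings = []
    for name, data in entries:
        image, args = split_command(data)
        base = ntpath.basename(image).lower()
        if base not in SYSTEM_BINARIES:
            continue
        directory = ntpath.dirname(image).lower().rstrip("\\")
        findings.append({"value_name": name, "image": image, "args": args,
                         "outside_system32": directory not in SYSTEM32_DIRS})
    return findings


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f)
```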
