RE: Unknown Windows Service suspected Worm/Virus

From: Hayden Searle (hayden.searle_at_safecom.co.nz)
Date: 09/09/04

    Date: Fri, 10 Sep 2004 00:32:56 +1200
    To: "Neil Verkland" <VerklandN@macewan.ca>, <security-basics@securityfocus.com>
    
    

    The command for stopping a service is net stop <service name>

    I have no idea what the service is, but maybe a scrape of the registry
    looking for it would be a good start to see where it is? Also look and
    see if it is in the 'run' folder in the registry and export and then
    delete the key, restart the box and it shouldn't start anymore.

    If it is in the services MMC then have a look at the executable it
    relates to as this may give more clues for a Google search.

    Regards

    Hayden Searle
    Network Security Specialist

    -----Original Message-----
    From: Neil Verkland [mailto:VerklandN@macewan.ca]
    Sent: Thursday, 9 September 2004 8:31 a.m.
    To: security-basics@securityfocus.com
    Subject: Unknown Windows Service suspected Worm/Virus

    I'm looking for information on the following Windows XP service that was
    found installed on various systems that have XP-SP2 installed and have
    been virus scanned as clean.

    Servicio de Agenda de Alejandria

    If anyone can identify this Windows service please respond. Systems
    with this service seem to reboot automagically and terminal services is
    started and I am unable to stop the service via the control panel.
    Please also respond with the command line to stop a service. My Windows
    skills are not as prolific as Solaris. Thanks.

    Neil S. Verkland, B.Sc.C.S.
    Manager, Learning and Information Systems
    Grant MacEwan College
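
The triage steps suggested in the reply above, written as a PowerShell script for a current Windows system. This is an added example, not part of the original thread: PowerShell postdates these 2004 posts, the script assumes PowerShell 4 or later, and `C:\triage` is an assumed output folder. It resolves the display name from the post to the real service name, records the binary behind it, exports the registry keys, and only then stops and disables the service.

```powershell
# Added example. Run from an elevated PowerShell prompt on the affected machine.
$displayName = 'Servicio de Agenda de Alejandria'  # display name quoted in the post
$evidenceDir = 'C:\triage'                         # assumed output folder
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

# 1. Map the display name to the real service (key) name.
$services = @(Get-CimInstance Win32_Service |
              Where-Object { $_.DisplayName -eq $displayName })
if ($services.Count -eq 0) { Write-Warning "No service named '$displayName' found." }

foreach ($s in $services) {
    $s | Format-List Name, DisplayName, State, StartMode, StartName, ProcessId, PathName

    # 2. Find the code behind it: the EXE in PathName and, for svchost-hosted
    #    services, the DLL named in Parameters\ServiceDll.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
    $exe = if ($s.PathName -match '^\s*"?(.+?\.exe)') { $Matches[1] }
    $dll = (Get-ItemProperty "$regPath\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    foreach ($file in (@($exe, $dll) | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        [pscustomobject]@{
            Path      = $file
            Created   = (Get-Item -LiteralPath $file -Force).CreationTimeUtc
            SHA256    = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $file).Status
        } | Format-List
    }

    # 3. Export the service key before changing anything.
    reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$($s.Name)" `
        "$evidenceDir\$($s.Name).reg" /y

    # 4. Stop the service and keep it from starting at the next boot.
    Stop-Service -Name $s.Name -Force -ErrorAction Continue
    Set-Service  -Name $s.Name -StartupType Disabled
}

# 5. Export and list the Run keys the reply mentions.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    reg.exe export $key "$evidenceDir\${hive}-Run.reg" /y
    Get-ItemProperty "${hive}:\$key" -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* | Format-List
}
```

If a value under a Run key points at the same binary, delete that single value with `Remove-ItemProperty` after the export; the exported `.reg` files allow the change to be reversed.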
