Re: exe programs

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 07/24/05


Date: Sun, 24 Jul 2005 10:17:14 +0200

Hi,

On Windows XP most critical files are digitally signed by Microsoft
(unfortunately not all (yet)).

To check the digital signatures run

sigverif

Once sigverif finishes, check out the file SIGVERIF.TXT and look for the
files that you mention in your question (e.g. mqsvc.exe, spoolsv.exe
etc...).

In SIGVERIF.TXT file you should see something like...

********************************

Microsoft Signature Verification

Log file generated on 24.7.2005 at 9:59
OS Platform: Windows 2000 (x86), Version: 5.1, Build: 2600, CSDVersion:
Service Pack 2
Scan Results: Total Files: 3518, Signed: 2520, Unsigned: 54, Not Scanned:
944

File         Modified      Version  Status   Catalog   Signed By
------------ ------------- -------- -------- --------- -----------------
spoolsv.exe  4.8.2004 2:   5.1      Signed   sp2.cat   Microsoft Windows
dumprep.exe  4.8.2004 2:   5.1      Signed   sp2.cat   Microsoft Windows

etc...

If Status is Signed then the file originates from Microsoft and wasn't
modified after release from Microsoft.

Note:
* before you remove any unsigned files -- do some research...
* if you have the mqsvc.exe file in e.g. c:\windows\system32, a trojan will not be
able to put it in this folder. So another sign of something strange going on
on the computer is e.g. an "mqsvc.exe" file (that is not digitally signed) that is
located outside the Windows folder.
* you can prevent most infections with trojans and spyware etc. if you use
your computer as a non-admin. Most trojans and spyware need write access to the
registry and Windows folder -- and non-admins don't have these permissions.
Infection in this case will fail or at least won't be permanent (it will
only be persistent till reboot)...

-- 
Mike
Microsoft MVP - Windows Security
"worried by exe" <worried by exe@discussions.microsoft.com> wrote in message 
news:6D918F62-032F-470E-BE47-B0ACFC0C6958@microsoft.com...
>I HAVE UPGRADED FROM WINDOWS 98 SE TO WINDOWS XP PRO SPACK2.
> I HAVE NOTICED WITH XP  A NUMBER OF EXE PROGRAMS THAT I DID NOT SEE BEFORE
> UNDER WIN 98.
> THESE APPEAR ON MY FIREWALL PROGRAM  ZONEALARM.
> I HAVE CHECKED THESE OUT AND ALTHOUGH ADVICE IS THAT WINDOWS HAVE PROGRAMS
> WITH THESE NAMES, SO DO TROJANS. THEY WARN TO BLOCK/DELETE.
> ARE THESE WINDOWS PROGRAMS OR NOT? HOW CAN I TELL?
> EXAMPLE...mqsvc.exe   spoolsv.exe    dumprep.exe
> IN THE MEANTIME I HAVE BLOCKED, BUT DO NOT KNOW IF THEY ARE OR WILL STOP
> WINDOWS FROM OPERATING NORMALLY.
> PLEASE ADVISE ME.
>
> 
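The two checks Mike describes (is the file signed by Microsoft, and does it live under the Windows folder?) done on a current Windows machine, as an added example that is not part of the original thread. On Windows Vista and later, Get-AuthenticodeSignature replaces reading the sigverif log; the file names are the ones from the question. It assumes Windows PowerShell 5.1 or later, where catalog-signed system files (the sp2.cat style entries in SIGVERIF.TXT) report a SignatureType of Catalog, and the "Microsoft" signer test is a simple heuristic, not a Microsoft-provided rule.

```powershell
# Added example, not from the original post. Finds every copy of the
# executables named in the question, checks the Authenticode or catalog
# signature, and flags copies that are unsigned, not signed by Microsoft,
# or located outside %SystemRoot%. Assumes Windows PowerShell 5.1+.

$names      = @('mqsvc.exe', 'spoolsv.exe', 'dumprep.exe')   # names from the question
$systemRoot = $env:SystemRoot                                  # usually C:\Windows

# Only drives that actually hold data (skips empty card readers, etc.)
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }

$findings = foreach ($drive in $drives) {
    # -Include only filters reliably together with -Recurse, which we use here
    Get-ChildItem -Path $drive.Root -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Equivalent of "is it in the Windows folder?" from the post
        $inSystemRoot = $_.FullName.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)

        # A genuine system binary is Valid, carries a Microsoft signer and sits under %SystemRoot%
        $suspicious = ($sig.Status -ne 'Valid') -or
                      ($signer -notmatch 'Microsoft') -or
                      (-not $inSystemRoot)

        [pscustomobject]@{
            Path          = $_.FullName
            Modified      = $_.LastWriteTime
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType   # Authenticode, Catalog or None
            Signer        = $signer
            InSystemRoot  = $inSystemRoot
            Suspicious    = $suspicious
        }
    }
}

# Suspicious copies first; these are the ones worth researching before deleting
$findings |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize Path, Status, SignatureType, InSystemRoot, Suspicious
```

A HashMismatch status is the modern equivalent of sigverif reporting a system file as modified after release; NotSigned on a file carrying a system binary's name outside %SystemRoot% is the case Mike's second note points at. Copies under WinSxS still count as inside the Windows folder, so they are not flagged by the location test.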

