Security Incidents mailing list archives

Re: Strange services.exe file


From: <jdavison3 () cox net>
Date: Wed, 10 Dec 2003 8:49:33 -0500

SERVICES.EXE is installed on the system by Microsoft.  It is a process which functions as the service control manager. 
It also runs a variety of Windows NT user mode functions as threads including server, browsing, event log, and RPC 
services.  The process has had numerous security flaws and has been used by a bunch of worms and trojans.  I would 
start by examining the event logs and looking at the two IP addresses to see if anything unusual is occurring.  If the 
computer did not have the latest Microsoft patches then the system is very vulnerable to script attacks using 
services.exe.  Hope this helps.

JD

From: Dano <dan () thejamzone com>
Date: 2003/12/08 Mon PM 05:40:10 EST
To: incidents () securityfocus com
Subject: Strange services.exe file

Hello, I came across a strange services.exe file in WinXP and don't know
how it got there. This services.exe landed in the root
c:\windows\services.exe with a hidden attrib flag set. There was also a
registry key set at HKLM/software/microsoft/windows/currentversion/run
with the value "services C:\WINDOWS\services.exe -i". What it appeared to
do was send data back to hosts dhcp-ve3-101.cable.amis.net
(212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
the process of dissecting this to find out what exactly it does. Does anyone
know anything about this?
 
Thanks
Dan
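
Added example (not part of either post): a Python check for the pattern reported above, a Run value whose image carries a Windows system process name but sits outside System32, where the genuine services.exe lives. The function names, the short list of system names, the C:\Windows system root and all sample values except the reported "services" entry are assumptions made for this example.

```python
import ntpath
import re

# Windows processes that normally run from System32 (short list assumed here).
SYSTEM_NAMES = {"services.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "csrss.exe", "smss.exe"}

def image_path(command, system_root=r"C:\Windows"):
    """Return the executable path from a Run-value command line."""
    # Expand the two variables that commonly stand in for the Windows directory.
    command = re.sub(r"%(systemroot|windir)%", lambda m: system_root,
                     command.strip(), flags=re.IGNORECASE)
    if not command:
        return ""
    if command.startswith('"'):  # quoted path, arguments follow the quote
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: take everything up to the first ".exe" that ends a token,
    # so paths containing spaces are kept whole.
    match = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]

def find_masquerades(run_values, system_root=r"C:\Windows"):
    """Flag Run entries that use a system process name outside System32."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    findings = []
    for value_name, command in run_values.items():
        path = ntpath.normpath(image_path(command, system_root))
        base = ntpath.basename(path).lower()
        folder = ntpath.normcase(ntpath.dirname(path))
        if base in SYSTEM_NAMES and folder != expected:
            findings.append((value_name, path))
    return findings

# Run-key contents as value name -> command line.
SAMPLE_RUN = {
    "services": r"C:\WINDOWS\services.exe -i",  # as reported in the post
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',  # constructed
    "lsass": r"C:\WINDOWS\system32\lsass.exe",  # constructed, expected location
}

if __name__ == "__main__":
    for value_name, path in find_masquerades(SAMPLE_RUN):
        print(f"suspicious Run value {value_name!r}: {path}")
```

A hit is a lead for triage rather than a verdict; the file's hidden attribute and its outbound connections, both mentioned in the post, are the next things to confirm.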
 

