RE: Strange services.exe file

[Harlan Carvey <keydet89 () yahoo com>]

I'd also recommend openports.exe from DiamondCS...it's
a bit more comprehensive than fport, AND it doesn't
require an admin account to run.


--- Josh.Berry () compucom com wrote:
> I have seen lots of Trojans that are named
> services.exe.  Many of the
> have been different variations of Serve-U FTP
> server.  I use fport from
> foundstone to see what ports the executable is
> listening on and what
> servers/ports it is connecting to.
>
> -----Original Message-----
> From: Dano [mailto:dan () thejamzone com] 
> Sent: Monday, December 08, 2003 4:40 PM
> To: incidents () securityfocus com
> Subject: Strange services.exe file
>
> Hello, I came across a strange services.exe file in
> WinXP and don't know
> how it got there. This services.exe landed in the
> root
> c:\windows\services.exe with a hidden attrib flag
> set. There was also a
> registry key set at
> HKLM/software/microsoft/windows/currentversion/run
> with the value "services C:\WINDOWS\services.exe
> -i". What it appeared
> to
> do was send data back to hosts
> dhcp-ve3-101.cable.amis.net
> (212.18.53.101) and um-sd04-907.uni-mb.si
> (164.8.15.109). I'm stil in
> progress of disecting this to find out what exactly
> it does. Does anyone
> know anything about this?
>  
> Thanks
> Dan
>  
------------------------------------------------------------------------
> ---
------------------------------------------------------------------------
> ----
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------