Security Basics mailing list archives

Re: Unknown Windows Service suspected Worm/Virus


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 11 Sep 2004 04:29:27 +0200

On 2004-09-09 Neil Verkland wrote:
> English WindowsXP install with SP2 and Windows Services for Unix
> installed
> Unknown Windows service recognized in Services MMC:
> "Servicio de Agenda de Alejandria". Mysterious reboot while using the
> system. It is unclear whether this service is related to the problem or
> not. AVG and Housecall and McAfee Enterprise didn't find anything.
> Spybot and Ad-aware Personal didn't find anything.
>
> Progress:
> Thanks to one listener who tried to translate: "Service for the Agenda
> of Alexandra".
>
> Thanks to many listeners who identified the command line method for
> shutting down windows services:
> net stop <service name>
>
> No light has been shed on the ID of this particular windows service
> yet.

Just a few notes on this:

- What is the command-line that starts the service (in the service's
  properties in services.msc)?
- Is the binary present? Where?
- What does the properties dialog of the binary tell?
- Have you run strings [1] against the binary?
- Does the suspicious service open any ports?
- Is there anything unusual in the eventlog?

HTH

[1] http://www.sysinternals.com/ntw2k/source/misc.shtml#strings

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
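The checklist in the reply above can be worked through in one pass from a PowerShell prompt. The following script is an added example and is not part of the original message or of any tool it mentions. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or newer (the `Get-NetTCPConnection` and `Get-NetUDPEndpoint` cmdlets do not exist on Windows XP), and uses the service display name from the thread as a placeholder; the printable-string extraction is a stand-in for the Sysinternals `strings` tool referenced in [1], and the path parsing is a heuristic that only handles quoted paths and paths without spaces.

```powershell
# Added example (not from the original post): triage one suspicious Windows
# service following the six questions in the reply above.
param(
    # Placeholder from the thread; replace with the service under review.
    [string]$DisplayName = 'Servicio de Agenda de Alejandria'
)

# 1. Command line that starts the service, the account it runs as, and its PID.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like "*$DisplayName*" -or $_.Name -eq $DisplayName } |
    Select-Object -First 1
if (-not $svc) { Write-Host "No service matching '$DisplayName'"; return }
$svc | Select-Object Name, DisplayName, State, StartMode, StartName, ProcessId, PathName | Format-List

# 2. Is the binary present, and where? Heuristic: strip a quoted path's quotes,
#    otherwise take the first whitespace-delimited token (unquoted paths with
#    spaces, a known weak spot in service definitions, are not resolved here).
$exe = $svc.PathName
if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($exe -split '\s+')[0] }
Write-Host "Resolved binary path: $exe"

if (Test-Path -LiteralPath $exe) {
    # 3. What the file's properties dialog would show: version info, signature, hash.
    (Get-Item -LiteralPath $exe).VersionInfo |
        Select-Object CompanyName, ProductName, FileDescription, FileVersion | Format-List
    Get-AuthenticodeSignature -FilePath $exe |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } | Format-List
    Get-FileHash -Algorithm SHA256 -LiteralPath $exe | Select-Object Algorithm, Hash | Format-List

    # 4. Poor man's "strings": runs of 8+ printable ASCII bytes. Latin-1 decoding
    #    maps every byte to exactly one char so offsets and bytes stay aligned.
    $raw  = [System.IO.File]::ReadAllBytes($exe)
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($raw)
    Write-Host "--- first 50 unique printable strings ---"
    [regex]::Matches($text, '[\x20-\x7E]{8,}') | ForEach-Object Value | Select-Object -Unique -First 50
} else {
    Write-Host "Binary not found at '$exe' (service points at a missing file)"
}

# 5. Does the service process hold any network endpoints?
if ($svc.ProcessId -gt 0) {
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Format-Table
    Get-NetUDPEndpoint -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort | Format-Table
} else {
    Write-Host "Service is not running; no process to inspect for open ports"
}

# 6. Event log: when the service was installed (7045) or changed state (7036),
#    and whether the system recorded unexpected shutdowns (6008, Kernel-Power 41),
#    which is what the "mysterious reboot" in the thread would leave behind.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045, 7036 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($svc.DisplayName)*" -or $_.Message -like "*$($svc.Name)*" } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6008, 41 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName | Format-Table
```

Run it from an elevated prompt so that the connection table and the System log are fully readable; correlate the 7045 installation timestamp against the 6008/41 reboot entries to see whether the service appeared before the first unexplained restart.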
