Security Incidents mailing list archives
Re: Strange services.exe file
From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 10 Dec 2003 04:33:23 -0800 (PST)
> Hello, I came across a strange services.exe file in WinXP and don't know how it got there. This services.exe landed in the root c:\windows\services.exe with a hidden attrib flag set. There was also a registry key set at HKLM/software/microsoft/windows/currentversion/run with the value "services C:\WINDOWS\services.exe -i". What it appeared to do was send data back to hosts dhcp-ve3-101.cable.amis.net (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109).

Did a Google search, or search of A/V sites, turn up anything?

> I'm still in progress of dissecting this to find out what exactly it does.

Well, a couple of ways to do that would be to run openports.exe, dump the process memory and run strings, and use Dependency Walker on the executable.

> Does anyone know anything about this?

Can you provide a copy of it, zipped up?
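
The strings step suggested in the reply above, as an added example that is not part of the original post: it pulls ASCII and UTF-16LE strings out of a dump and sorts them into network and autorun leads. The sample bytes, the host and address in them, and the `extract_strings` and `triage` helpers are constructed for illustration.

```python
import re

MIN_LEN = 6  # ignore shorter runs; they are mostly noise

# Printable ASCII runs, plus the same characters stored as UTF-16LE
# (each followed by a NUL byte), the usual form of Windows wide strings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
AUTORUN = re.compile(r"currentversion\\run", re.I)
FILE_EXTS = {"exe", "dll", "sys", "ini", "log", "tmp", "bat"}  # look like TLDs


def extract_strings(data):
    """Yield (offset, encoding, text) for each ASCII and UTF-16LE run."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def triage(data):
    """Sort extracted strings into leads: addresses, hosts, autorun keys."""
    leads = {"ipv4": set(), "hostname": set(), "autorun": set()}
    for _, _, text in extract_strings(data):
        for ip in IPV4.findall(text):
            # Drop dotted version numbers that are not valid addresses.
            if all(int(octet) <= 255 for octet in ip.split(".")):
                leads["ipv4"].add(ip)
        for host in HOSTNAME.findall(text):
            # File names such as services.exe also match the host pattern.
            if host.rsplit(".", 1)[1].lower() not in FILE_EXTS:
                leads["hostname"].add(host.lower())
        if AUTORUN.search(text):
            leads["autorun"].add(text)
    return {kind: sorted(values) for kind, values in leads.items()}


# Constructed stand-in for a memory dump; every value in it is made up.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00connect beacon.example.net:6667\x00\xff\xfe\x01"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\x07C:\\WINDOWS\\services.exe -i\x00"
    + b"\x02fallback 192.0.2.44 build 10.0.300.1\x00"
)

if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        print(kind, values)
```
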