Security Incidents mailing list archives

Re: Strange services.exe file


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 10 Dec 2003 17:09:30 +0100

On 2003-12-08 Dano wrote:
Hello, I came across a strange services.exe file in WinXP and don't
know how it got there. This services.exe landed in the root
c:\windows\services.exe with a hidden attrib flag set. There was also
a registry key set at HKLM/software/microsoft/windows/currentversion/run
with the value "services C:\WINDOWS\services.exe -i". What it appeared
to do was send data back to hosts dhcp-ve3-101.cable.amis.net
(212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
the process of dissecting this to find out what exactly it does.

Probably the XTC worm (or a mutation of it).

http://vil.nai.com/vil/content/v_98913.htm

Regards
Ansgar Wiechers
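
A check for the indicator described in the quoted report (a Run value launching services.exe from outside System32), as an added example that is not part of the original messages. The watch list of process names, the function names and all sample entries except the reported one are assumptions made for illustration.

```python
import ntpath
import re

# Assumed watch list: Windows processes whose genuine image lives in System32.
SYSTEM_NAMES = {"services.exe", "svchost.exe", "lsass.exe",
                "csrss.exe", "winlogon.exe", "smss.exe"}

def exe_path(command):
    """Extract the executable path from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe" token end.
    m = re.match(r"(.+?\.exe)(?=\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""

def suspicious_run_entries(entries, system_root=r"C:\Windows"):
    """Return (name, command) pairs whose image is named like a system
    process but does not sit in <system_root>\\System32."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    hits = []
    for name, command in entries:
        # Expand the two environment variables commonly used in Run values.
        expanded = re.sub(r"%(systemroot|windir)%", lambda m: system_root,
                          command, flags=re.IGNORECASE)
        path = ntpath.normcase(ntpath.normpath(exe_path(expanded)))
        folder, image = ntpath.split(path)
        # A bare file name (no folder) is flagged too, as a conservative choice.
        if image in SYSTEM_NAMES and folder != expected:
            hits.append((name, command))
    return hits

# Constructed sample of Run-key values; only the first mirrors the report.
SAMPLE = [
    ("services", r"C:\WINDOWS\services.exe -i"),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("quoted", r'"%SystemRoot%\System32\svchost.exe" -k netsvcs'),
    ("updater", r"C:\Program Files\Vendor\update.exe /silent"),
]

if __name__ == "__main__":
    for name, command in suspicious_run_entries(SAMPLE):
        print(f"suspicious Run value {name!r}: {command}")
```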
