Security Incidents mailing list archives

Re: Strange services.exe file


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 11 Dec 2003 18:32:22 +1300

<jdavison3 () cox net> wrote:

> SERVICES.EXE is installed on the system by Microsoft.  It is a process
> which functions as the service control manager. It also runs a variety of
> Windows NT user mode functions as threads including server, browsing,
> event log, and RPC services.  ...

Whilst true, this is a bit like answering "chicken" when asked if the 
ocean might be blue.

The .EXE you are talking about is installed in the "system" directory. 
It should _not_ be in the Windows installation directory as the OP 
clearly stated was the case here.  The mystery file also has the hidden 
file attribute set -- another thing we would not expect of the "normal" 
services.exe file.

> ...  The process has had numerous security flaws
> and has been used by a bunch of worms and trojans.  I would start by
> examining the event logs and looking at the two IP addresses to see if
> anything unusual is occurring.  If the computer did not have the latest
> Microsoft patches then the system is very vulnerable to script attacks
> using services.exe.  ...

Whilst the concluding sentence is a reasonable position to hold, it is 
largely not relevant to the foregoing.

> ...  Hope this helps.

Not much.

You see, filenames alone are seldom useful _AND NEVER SUFFICIENT_ for 
diagnosing malware, yet that is what you have tried to do.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
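
The properties this reply points to (install location and the hidden attribute), together with signature, hash and whether the file is the image of a running process, can be collected in one pass. This is an added PowerShell example, not part of the original message; it assumes PowerShell 5.1 or later on a current Windows where the "system" directory is System32, and it searches only the two directories discussed in the thread.

```powershell
# Added example: judge files named services.exe by properties other than the name.
# Assumption: the genuine binary lives at %SystemRoot%\System32\services.exe.
$expected = Join-Path $env:SystemRoot 'System32\services.exe'

# Image paths of running processes with that name.
# ExecutablePath can be empty when the session is not elevated.
$running = @(Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" |
    Where-Object ExecutablePath |
    ForEach-Object { $_.ExecutablePath.ToLower() })

# Look in the Windows directory and the system directory (not recursive).
# -Force is required: without it, files with the hidden attribute are skipped.
$dirs  = $env:SystemRoot, (Join-Path $env:SystemRoot 'System32')
$files = Get-ChildItem -Path $dirs -Filter 'services.exe' -File -Force -ErrorAction SilentlyContinue

$files | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path             = $_.FullName
        ExpectedLocation = ($_.FullName -ieq $expected)
        Hidden           = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        RunningImage     = ($running -contains $_.FullName.ToLower())
        SignatureStatus  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject   # empty when unsigned
        SHA256           = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        CreatedUtc       = $_.CreationTimeUtc
        SizeBytes        = $_.Length
    }
} | Sort-Object ExpectedLocation | Format-List
```

A copy outside the expected location, or one that is hidden, unsigned or running from an unexpected path, is a lead to examine further (for example by comparing its hash with a known-good copy of the same build), not a verdict by itself.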

