Re: Strange services.exe file

[Harlan Carvey <keydet89 () yahoo com>]

JD,

> SERVICES.EXE is installed on the system by
> Microsoft.  

On all of the XP systems I have access to, this file
is installed in %SYSTEMROOT%\system32.  The OP stated
that the file in question is in the %SYSTEMROOT%
directory.

The legit version of services.exe on an XP system is
launched as a service, and therefore should not be
seen in the Run key.

Additionally, this file is protected by WFP.  It is
not a trivial matter to disable WFP necessarily
(depends on the skill of the attacker).  Therefore,
some attempts to simply replace the file in the
system32 dir will result in WFP automatically
replacing the file.

Finally, the '-i' switch...running 'tlist -s' shows
the services that services.exe is running:

 700 services.exe    Svcs:  Eventlog,PlugPlay

Running 'tlist -c' shows the command line:

 Command Line: C:\WINDOWS\system32\services.exe

In my experience, '-i' is not something one would
expect to see as a switch for this particular
executable.

> It is a process which functions as the
> service control manager. It also runs a variety of
> Windows NT user mode functions as threads including
> server, browsing, event log, and RPC services.  The
> process has had numerous security flaws and has been
> used by a bunch of worms and trojans.  

Really?  Can you specify any of them, please?

> I would start
> by examining the event logs and looking at the two
> IP addresses to see if anything unusual is occuring.

I hope you're not suggesting that someone look for the
IP addresses in the EventLogs...

>  If the computer did not have the latest Microsoft
> patches then the system is very vulnerable to script
> attacks using services.exe.  

Again, please elaborate...can you give examples of the
script attacks using services.exe?

> Hope this helps.
>
> JD
>
> > From: Dano <dan () thejamzone com>
> > Date: 2003/12/08 Mon PM 05:40:10 EST
> > To: incidents () securityfocus com
> > Subject: Strange services.exe file
> >
> > Hello, I came across a strange services.exe file
> in WinXP and don't know
> > how it got there. This services.exe landed in the
> root
> > c:\windows\services.exe with a hidden attrib flag
> set. There was also a
> > registry key set at
> HKLM/software/microsoft/windows/currentversion/run
> > with the value "services C:\WINDOWS\services.exe
> -i". What it appeared to
> > do was send data back to hosts
> dhcp-ve3-101.cable.amis.net
> > (212.18.53.101) and um-sd04-907.uni-mb.si
> (164.8.15.109). I'm stil in
> > progress of disecting this to find out what
> exactly it does. Does anyone
> > know anything about this?
> >  
> > Thanks
> > Dan
> >  
---------------------------------------------------------------------------
> >
----------------------------------------------------------------------------
> >
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------