Security Incidents mailing list archives
Re: Strange services.exe file
From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 11 Dec 2003 05:56:08 -0800 (PST)
JD,
> SERVICES.EXE is installed on the system by Microsoft.

On all of the XP systems I have access to, this file is installed in %SYSTEMROOT%\system32. The OP stated that the file in question is in the %SYSTEMROOT% directory. The legit version of services.exe on an XP system is launched as a service, and therefore should not be seen in the Run key. Additionally, this file is protected by WFP. It is not a trivial matter to disable WFP necessarily (depends on the skill of the attacker). Therefore, some attempts to simply replace the file in the system32 dir will result in WFP automatically replacing the file.

Finally, the '-i' switch...running 'tlist -s' shows the services that services.exe is running:

700 services.exe Svcs: Eventlog,PlugPlay

Running 'tlist -c' shows the command line:

Command Line: C:\WINDOWS\system32\services.exe

In my experience, '-i' is not something one would expect to see as a switch for this particular executable.

> It is a process which functions as the service control manager. It also runs a variety of Windows NT user mode functions as threads including server, browsing, event log, and RPC services. The process has had numerous security flaws and has been used by a bunch of worms and trojans.

Really? Can you specify any of them, please?

> I would start by examining the event logs and looking at the two IP addresses to see if anything unusual is occurring.

I hope you're not suggesting that someone look for the IP addresses in the EventLogs...

> If the computer did not have the latest Microsoft patches then the system is very vulnerable to script attacks using services.exe.

Again, please elaborate...can you give examples of the script attacks using services.exe?

> Hope this helps.
> JD
>
> From: Dano <dan () thejamzone com>
> Date: 2003/12/08 Mon PM 05:40:10 EST
> To: incidents () securityfocus com
> Subject: Strange services.exe file
>
> Hello,
> I came across a strange services.exe file in WinXP and don't know how it got there. This services.exe landed in the root c:\windows\services.exe with a hidden attrib flag set. There was also a registry key set at HKLM/software/microsoft/windows/currentversion/run with the value "services C:\WINDOWS\services.exe -i". What it appeared to do was send data back to hosts dhcp-ve3-101.cable.amis.net (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in progress of dissecting this to find out what exactly it does. Does anyone know anything about this?
>
> Thanks
> Dan
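The checks Harlan walks through above (services.exe belongs in %SYSTEMROOT%\system32, is never started from a Run key, and its command line should carry no switches) can be scripted on a modern host. The following is an added triage script for this thread; it is not code from Harlan, JD or Dan, and it does not reproduce tlist. It assumes PowerShell 5 or later (for Get-CimInstance and Get-FileHash) and an elevated prompt so that Win32_Process exposes the path and command line of system processes. It only reads state; it changes nothing.

```powershell
# Added example for this thread (not code from any of the posters).
# Triage of the indicators discussed above: a services.exe outside
# %SystemRoot%\System32, autostarted from a Run key, running with switches
# such as '-i', or sitting hidden in %SystemRoot% itself. Read-only.

$ExpectedPath = Join-Path $env:SystemRoot 'System32\services.exe'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds itself; they are not Run values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Extract the image path from a Run value such as
#   C:\WINDOWS\services.exe -i      or      "C:\Some Dir\tool.exe" /x
function Get-ImagePath {
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+')[0]
}

# The real service control manager is started by the OS at boot and is never
# registered in a Run key, so any Run entry naming services.exe is worth a look;
# the path and the switches tell you how bad it is.
function Find-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $value = [string]$p.Value
            if ($value -notmatch '(?i)services\.exe') { continue }
            $image = Get-ImagePath $value
            $flags = @('services.exe autostarted from a Run key')
            if ($image -ne $ExpectedPath) { $flags += "image path is $image, not $ExpectedPath" }
            if ($value -match '\s[-/]\S') { $flags += 'carries command-line switches' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value; Flags = ($flags -join '; ') }
        }
    }
}

# Equivalent of the 'tlist -c' / 'tlist -s' checks from the thread: every
# running services.exe, where it was loaded from, its command line, the
# services it hosts, its Authenticode status, and whether the file is hidden.
function Find-SuspiciousServicesProcesses {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'services.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        $sig = 'n/a'; $hidden = $false
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            $attrs = (Get-Item -LiteralPath $path -Force).Attributes
            $hidden = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        }
        $hosted = (Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $($_.ProcessId)").Name
        [pscustomobject]@{
            PID         = $_.ProcessId
            ParentPID   = $_.ParentProcessId
            Path        = $path
            CommandLine = $_.CommandLine
            Services    = ($hosted -join ',')
            Signature   = $sig
            Hidden      = $hidden
            Suspicious  = ($path -ne $ExpectedPath) -or ($_.CommandLine -match '\s[-/]\S') -or $hidden
        }
    }
}

# The specific location from the original post: a services.exe in
# %SystemRoot% itself rather than in System32.
function Test-RootServicesExe {
    $rootCopy = Join-Path $env:SystemRoot 'services.exe'
    if (Test-Path -LiteralPath $rootCopy) {
        $f = Get-Item -LiteralPath $rootCopy -Force
        [pscustomobject]@{
            Path      = $f.FullName
            Size      = $f.Length
            Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
            Signature = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
            SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
}

'== Run-key entries referencing services.exe =='
Find-SuspiciousRunEntries | Format-List
'== Running services.exe processes =='
Find-SuspiciousServicesProcesses | Format-Table -AutoSize -Wrap
'== services.exe in %SystemRoot% root =='
Test-RootServicesExe | Format-List
```

On a clean host the first and third sections print nothing and the second shows one services.exe under System32 with a Valid signature, no switches and a parent that is the boot-time system process. The path comparison is deliberately case-insensitive (PowerShell's -ne), since the real path is reported with mixed case on different Windows versions. If the file in %SystemRoot% is present, preserve its hash and a copy before doing anything else, as Dan was in the middle of doing.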
Current thread:
- Re: Strange services.exe file, (continued)
- Re: Strange services.exe file Tomasz Papszun (Dec 11)
- Re: [mailinglists] Strange services.exe file Tom Wright (Dec 10)
- Re: Strange services.exe file Ansgar -59cobalt- Wiechers (Dec 10)
- Re: Strange services.exe file Nick FitzGerald (Dec 11)
- Re: Strange services.exe file Harlan Carvey (Dec 11)
- Re: Strange services.exe file Harlan Carvey (Dec 11)
- Re: Strange services.exe file Nick FitzGerald (Dec 11)
- RE: Strange services.exe file Josh.Berry (Dec 10)
- RE: Strange services.exe file Harlan Carvey (Dec 11)
- Re: Strange services.exe file jdavison3 (Dec 10)
- Re: Strange services.exe file Nick FitzGerald (Dec 11)
- Re: Strange services.exe file Harlan Carvey (Dec 11)