Security Incidents mailing list archives
Re: Strange services.exe file
From: Tomasz Papszun <tomek-incid () lodz tpsa pl>
Date: Thu, 11 Dec 2003 13:07:23 +0100
On Thu, 11 Dec 2003 at 0:28:40 +1300, Nick FitzGerald wrote:
> Dano <dan () thejamzone com> wrote:
>
> > Hello, I came across a strange services.exe file in WinXP and don't know
> > how it got there. This services.exe landed in the root
> > c:\windows\services.exe with a hidden attrib flag set. There was also a
> > registry key set at HKLM/software/microsoft/windows/currentversion/run
> > with the value "services C:\WINDOWS\services.exe -i". What it appeared to
> > do was send data back to hosts dhcp-ve3-101.cable.amis.net
> > (212.18.53.101) and um-sd04-907.uni-mb.si (164.8.15.109). I'm still in
> > progress of dissecting this to find out what exactly it does. Does anyone
> > know anything about this?
>
> Please send a copy of it to some reverse engineering experts -- perhaps
> folk who make a living doing such stuff such as the malware analysts at
> the large antivirus companies. I have included my standard list of
> suspicious file submission addresses to save you having to dig them out
> for yourself -- please send the file to several of these that you trust
> to do the right thing...
>
> --
> Nick FitzGerald
> Computer Virus Consulting Ltd.
> Ph/FAX: +64 3 3529854
Hello, Nick.

Seems that you forgot to actually include that list of addresses :-) .

In case you haven't got the Clam AntiVirus (ClamAV) submission address yet, here you are:

http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

We ask everyone who has viruses / suspicious files to submit them at the above URL. We will be grateful if you verify _before_ you submit, that a virus isn't yet detected by ClamAV (to save our time spent on needless submissions). The link to "ClamAV online specimen scanner" is at the same URL.

"Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning)."

http://clamav.sourceforge.net/

Regards

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland   | And it's only
tomek () lodz tpsa pl   http://www.lodz.tpsa.pl/   | ones and zeros.
tomek () clamav net   http://www.ClamAV.net/   A GPL virus scanner
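The persistence entry quoted above (a services.exe sitting in the Windows root instead of System32, hidden, and launched from the Run key) is the kind of thing a small triage script can flag before a sample is sent off for analysis. The Python below is an added example, not code from this list or from ClamAV; its SYSTEM32_ONLY list, the attribute sets and the sample Run entries are constructed assumptions.

```python
import ntpath

# Windows binaries that legitimately live only under %SystemRoot%\System32.
# Short, assumed list for this example; a real baseline is larger.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def split_command(cmd):
    """Split a Run-key command string into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")            # unquoted: path ends at first space
    return exe, args.strip()


def audit_run_entry(name, cmd, attribs, system_root=r"C:\WINDOWS"):
    """Return a list of findings for one Run-key value (empty list = nothing odd)."""
    exe, _args = split_command(cmd)
    base = ntpath.basename(exe).lower()
    directory = ntpath.normpath(ntpath.dirname(exe)).lower()
    system32 = ntpath.normpath(ntpath.join(system_root, "System32")).lower()
    findings = []
    # A system binary name (services.exe) outside System32 is a masquerade indicator.
    if base in SYSTEM32_ONLY and directory != system32:
        findings.append(f"{name}: system binary name {base} outside System32 ({exe})")
    # A hidden attribute on an autostart executable is another indicator.
    if "H" in attribs:
        findings.append(f"{name}: autostart executable is hidden ({exe})")
    return findings


def audit_run_entries(entries, system_root=r"C:\WINDOWS"):
    """Audit (value name, command, attribute set) tuples; return all findings."""
    report = []
    for name, cmd, attribs in entries:
        report.extend(audit_run_entry(name, cmd, attribs, system_root))
    return report


# Constructed sample, modelled on the entry quoted in the thread; attribute
# letters are the ones 'attrib' would print for the file.
SAMPLE_RUN_ENTRIES = [
    ("services", r"C:\WINDOWS\services.exe -i", {"H"}),
    ("svchost", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", set()),
    ("SoundMAX", r'"C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"', {"A"}),
]

if __name__ == "__main__":
    for line in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(line)
```

On a live host the tuples would come from a registry export and `attrib` output; the checks themselves do not depend on Windows.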