Re: Strange services.exe file

[Harlan Carvey <keydet89 () yahoo com>]

Ansgar,

Unfortunately, there seem to be responses to this post
for every bit of malware that uses the name
service.exe or services.exe.  

A couple of things come to mind...the first of which
is, what about the '-i' switch. 

Second, I'm going to assume that the original poster
(OP) corresponded the executable to the destination IP
addresses using fport.exe...but it would be nice to
see more info, like the actual output of fport, as
well as tlist/pslist/listdlls/handle, etc.  Also,
maybe a copy of the executable (zipped up, of course).

--- Ansgar -59cobalt- Wiechers
<bugtraq () planetcobalt net> wrote:
> On 2003-12-08 Dano wrote:
> > Hello, I came across a strange services.exe file
> in WinXP and don't
> > know how it got there. This services.exe landed in
> the root
> > c:\windows\services.exe with a hidden attrib flag
> set. There was also
> > a registry key set at
> HKLM/software/microsoft/windows/currentversion/run
> > with the value "services C:\WINDOWS\services.exe
> -i". What it appeared
> > to do was send data back to hosts
> dhcp-ve3-101.cable.amis.net
> > (212.18.53.101) and um-sd04-907.uni-mb.si
> (164.8.15.109). I'm stil in
> > progress of disecting this to find out what
> exactly it does.
>
> Probably the XTC worm (or a mutation of it).
>
> http://vil.nai.com/vil/content/v_98913.htm
>
> Regards
> Ansgar Wiechers
---------------------------------------------------------------------------
>
----------------------------------------------------------------------------
>


---------------------------------------------------------------------------
----------------------------------------------------------------------------