Re: Unknown Windows Service suspected Worm/Virus
- To: [EMAIL PROTECTED]
- Subject: Re: Unknown Windows Service suspected Worm/Virus
- From: Ansgar -59cobalt- Wiechers <[EMAIL PROTECTED]>
- Date: Sat, 11 Sep 2004 04:29:27 +0200
- In-reply-to: <[EMAIL PROTECTED]>; from [EMAIL PROTECTED] on Thu, Sep 09, 2004 at 10:08:40AM -0600
- Mail-followup-to: [EMAIL PROTECTED]
- References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
On 2004-09-09 Neil Verkland wrote:
> English WindowsXP install with SP2 and Windows Services for Unix
> installed
> Unknown Windows service recognized in Services MMC:
> "Servicio de Agenda de Alejandria". Mysterious reboot while using the
> system. It is unclear whether this service is related to the problem or
> not. AVG and Housecall and McAfee Enterprise didn't find anything.
> Spybot and Ad-aware Personal didn't find anything.
>
> Progress:
> Thanks to one listener who tried to translate: "Service for the Agenda
> of Alexandra".
>
> Thanks to many listeners who identified the command line method for
> shutting down windows services:
> net stop <service name>
>
> No light has been shed on the ID of this particular windows service
> yet.
Just a few notes on this:
- What is the command-line that starts the service (in the service's
properties in services.msc)?
- Is the binary present? Where?
- What does the properties dialog of the binary tell?
- Have you run strings [1] against the binary?
- Does the suspicious service open any ports?
- Is there anything unusual in the eventlog?
HTH
[1] http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
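
The checks listed in the message above, collected into one triage script as an added example (not part of the original message). It assumes a current Windows system with PowerShell 5.1 or later rather than the XP machine from the thread, and that Sysinternals strings.exe is on the PATH; the display name is the one quoted in the thread.

```powershell
# Added example: triage one suspicious service by its display name.
param([string]$DisplayName = 'Servicio de Agenda de Alejandria')

$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -eq $DisplayName } | Select-Object -First 1
if (-not $svc) { Write-Warning "No service named '$DisplayName'"; return }

# 1. Command line that starts the service, plus account and current PID
$svc | Format-List Name, DisplayName, State, StartMode, StartName, ProcessId, PathName

# 2. Pull the binary out of PathName: quoted form first, then unquoted up to ".exe"
if ($svc.PathName -match '^\s*"([^"]+)"') {
    $binary = $Matches[1]
} elseif ($svc.PathName -match '^\s*(.+?\.exe)(\s|$)') {
    $binary = $Matches[1]
} else {
    $binary = ($svc.PathName -split '\s+')[0]
}

# 3. Is the binary present, and what do its properties say?
if (Test-Path -LiteralPath $binary) {
    (Get-Item -LiteralPath $binary).VersionInfo |
        Format-List FileName, CompanyName, FileDescription, OriginalFilename, FileVersion
    Get-AuthenticodeSignature -LiteralPath $binary | Format-List Status, SignerCertificate

    # 4. Printable strings (assumes Sysinternals strings.exe is installed)
    if (Get-Command strings.exe -ErrorAction SilentlyContinue) {
        & strings.exe -accepteula -n 8 $binary | Select-Object -First 40
    }
} else {
    Write-Warning "Service binary not found on disk: $binary"
}

# 5. Ports held by the service process. A shared host process (svchost.exe)
#    also lists ports that belong to the other services it hosts.
if ($svc.ProcessId -ne 0) {
    Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
    Get-NetUDPEndpoint -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort
}

# 6. Service Control Manager events that mention the service
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($svc.DisplayName)*" } |
    Select-Object -First 20 TimeCreated, Id, Message
```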