SHA256: 4c1096f2855ca7e6a043b312ea80921d3ce445630697eb4f4850ae842424a602
File name: services.exe
Detection ratio: 39 / 51
Analysis date: 2014-03-31 01:10:47 UTC ( 3 weeks, 2 days ago )
Antivirus              Result                          Update
AVG                    Patched_c.LYU                   20140330
Ad-Aware               Trojan.Patched.Sirefef.C        20140331
AhnLab-V3              Win32/Zeroaccess.259072         20140330
AntiVir                W32/Patched.UB                  20140331
Avast                  Win32:Sirefef-AII [Rtk]         20140331
Baidu-International    Trojan.Win32.Zeroaccess.42      20140330
BitDefender            Trojan.Patched.Sirefef.C        20140331
Bkav                   W32.Cloddf3.Trojan.ecf1         20140329
CAT-QuickHeal          Trojan.Agent.WD.cw4             20140330
ClamAV                 Trojan.Zeroaccess-473           20140331
Commtouch              W32/Backdoor.EEKY-4949          20140331
Comodo                 UnclassifiedMalware             20140330
DrWeb                  BackDoor.Maxplus.5220           20140331
ESET-NOD32             Win32/Sirefef.FC                20140330
Emsisoft               Trojan.Patched.Sirefef.C (B)    20140331
F-Prot                 W32/Backdoor2.HKZP              20140331
F-Secure               Virus:W32/ZeroAccess.B          20140330
Fortinet               W32/ZAccInf.B!tr                20140330
GData                  Trojan.Patched.Sirefef.C        20140331
Ikarus                 Virus.Win32.ZAccess             20140331
K7AntiVirus            Trojan ( 003b22a81 )            20140328
K7GW                   Trojan ( 003b22a81 )            20140328
Kaspersky              Virus.Win32.ZAccess.m           20140331
McAfee                 ZeroAccess.ds.gen.c             20140331
McAfee-GW-Edition      ZeroAccess.ds.gen.c             20140330
MicroWorld-eScan       Trojan.Patched.Sirefef.C        20140331
Microsoft              Virus:Win32/Sirefef.R           20140331
NANO-Antivirus         Trojan.Win32.ZAccess.bfjnax     20140330
Norman                 ZAccInf.A                       20140330
Panda                  Trj/Agent.IVN                   20140330
Qihoo-360              Trojan.Generic                  20140331
Sophos                 Troj/ZAccInf-B                  20140330
Symantec               Trojan.Zeroaccess!inf4          20140331
TheHacker              Trojan/Sirefef.fc               20140329
TotalDefense           Win32/ZAccess.ES                20140330
TrendMicro             TROJ_GEN.F0C6C0LFB13            20140331
TrendMicro-HouseCall   TROJ_GEN.F0C6C0LFB13            20140330
VIPRE                  Trojan.Win32.Generic!BT         20140331
ViRobot                Win32.ZeroAccess.A              20140330
AegisLab                                               20140331
Agnitum                                                20140330
Antiy-AVL                                              20140330
ByteHero                                               20140331
CMC                                                    20140328
Jiangmin                                               20140330
Kingsoft                                               20140331
Malwarebytes                                           20140331
Rising                                                 20140330
SUPERAntiSpyware                                       20140330
VBA32                                                  20140328
nProtect                                               20140330
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block
Copyright © Microsoft Corporation. All rights reserved.
Publisher Microsoft Corporation
Product Microsoft® Windows® Operating System
Original name services.exe.mui
Internal name services.exe
File version 6.1.7600.16385 (win7_rtm.090713-1255)
Description Services and Controller app
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2009-07-13 23:11:23
Link date 12:11 AM 7/14/2009
Entry Point 0x0001388A
Number of sections 4
PE sections
PE imports
SetUnhandledExceptionFilter
GetLastError
SetErrorMode
UnhandledExceptionFilter
SetLastError
FindNextFileW
FindFirstFileW
FindClose
CreateFileW
CreateDirectoryW
SetFileInformationByHandle
DuplicateHandle
CloseHandle
HeapCreate
HeapAlloc
HeapFree
HeapSetInformation
InterlockedExchange
InterlockedCompareExchange64
InterlockedCompareExchange
GetModuleHandleA
FreeLibrary
LoadStringW
LoadLibraryExW
GetProcAddress
GetModuleHandleW
RegGetKeySecurity
RegLoadMUIStringW
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
RegSetKeySecurity
RegNotifyChangeKeyValue
RegQueryValueExW
LocalFree
LocalAlloc
Sleep
lstrlenW
ExpandEnvironmentStringsW
GetEnvironmentVariableW
GetProcessId
OpenThreadToken
DeleteProcThreadAttributeList
GetCurrentProcess
TerminateProcess
ResumeThread
OpenProcessToken
CreateThread
SetThreadPriority
GetCurrentProcessId
CreateProcessW
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
GetProcessTimes
SetProcessShutdownParameters
ExitThread
GetCurrentThreadId
CreateProcessAsUserW
GetCurrentThread
QueryPerformanceCounter
WaitForMultipleObjectsEx
EnterCriticalSection
CreateEventW
InitializeCriticalSection
OpenProcess
OpenEventW
WaitForSingleObject
SetEvent
ResetEvent
LeaveCriticalSection
GetSystemTime
GetTickCount
GetComputerNameExW
GetSystemTimeAsFileTime
GetVersionExW
SetSecurityDescriptorDacl
GetTokenInformation
RevertToSelf
SetKernelObjectSecurity
FreeSid
CopySid
GetKernelObjectSecurity
GetSecurityDescriptorDacl
AddAccessAllowedAce
SetTokenInformation
CheckTokenMembership
AdjustTokenPrivileges
InitializeAcl
EqualSid
AllocateAndInitializeSid
GetLengthSid
ImpersonateLoggedOnUser
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
AddAce
AllocateLocallyUniqueId
LsaLookupOpenLocalPolicy
LsaLookupClose
LsaLookupGetDomainInfo
LsaLookupTranslateSids
LsaLookupFreeMemory
LsaLookupTranslateNames
LsaLookupManageSidNameMapping
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction005
SystemFunction029
UuidFromStringW
RpcRevertToSelf
RpcServerSubscribeForNotification
RpcStringBindingParseW
RpcSsGetContextBinding
RpcBindingToStringBindingW
RpcImpersonateClient
RpcServerRegisterAuthInfoW
RpcAsyncAbortCall
RpcEpRegisterW
I_RpcMapWin32Status
RpcBindingFree
RpcServerInqBindings
I_RpcSessionStrictContextHandle
UuidEqual
RpcStringFreeW
RpcServerUnsubscribeForNotification
NdrServerCall2
I_RpcBindingIsClientLocal
RpcServerInqBindingHandle
RpcServerUseProtseqEpW
RpcBindingServerFromClient
UuidCreateNil
RpcServerInqDefaultPrincNameW
RpcServerUseProtseqW
RpcAsyncCompleteCall
RpcServerInqCallAttributesW
RpcServerRegisterIfEx
NdrAsyncServerCall
RpcServerInqCallAttributesA
I_RpcBindingInqLocalClientPID
UuidCreate
RpcBindingVectorFree
LogonUserExExW
_ultow_s
__p__fmode
wcstoul
memset
wcschr
_wcslwr
_ultow
_vsnwprintf
_cexit
?terminate@@YAXXZ
_ltow_s
memcpy
_wtol
exit
_XcptFilter
__setusermatherr
wcsrchr
_amsg_exit
_wcsicmp
_wcsnicmp
__p__commode
wcscspn
wcsncmp
__getmainargs
_controlfp
memmove
_except_handler4_common
time
wcsstr
_initterm
_exit
_ltow
__set_app_type
RtlConvertSharedToExclusive
DbgPrintEx
RtlUnicodeStringToInteger
RtlAppendUnicodeStringToString
RtlDeleteSecurityObject
RtlCreateSecurityDescriptor
NtQuerySymbolicLinkObject
RtlSetGroupSecurityDescriptor
NtOpenThreadToken
RtlInitializeCriticalSection
RtlValidSecurityDescriptor
NtOpenSymbolicLinkObject
RtlLengthRequiredSid
RtlConvertExclusiveToShared
RtlQuerySecurityObject
RtlAllocateHeap
NtDeleteValueKey
NtSetInformationProcess
RtlNtStatusToDosError
NtWaitForSingleObject
NtLoadDriver
RtlFreeUnicodeString
EtwRegisterTraceGuidsW
RtlAppendUnicodeToString
RtlInitializeSid
NtDuplicateToken
RtlLengthSecurityDescriptor
RtlAcquireSRWLockExclusive
RtlSetControlSecurityDescriptor
RtlAreAllAccessesGranted
NtQueryKey
NtSetEvent
NtQueryDirectoryObject
RtlAcquireResourceExclusive
EtwGetTraceEnableFlags
NtQueryValueKey
RtlCreateServiceSid
RtlEqualUnicodeString
NtFlushKey
NtSetSystemEnvironmentValue
RtlUnicodeStringToAnsiString
RtlDeregisterWait
RtlCopySid
RtlInitializeSRWLock
NtQuerySystemInformation
NtSetValueKey
RtlRegisterWait
RtlCreateAcl
EtwEventRegister
RtlSubAuthorityCountSid
NtQueryInformationFile
RtlSetDaclSecurityDescriptor
NtOpenThread
NtEnumerateKey
NtFilterToken
RtlAddAce
RtlInitUnicodeString
RtlSubAuthoritySid
NtSetInformationFile
NtCreateKey
EtwGetTraceEnableLevel
RtlAcquireResourceShared
RtlSetEnvironmentVariable
RtlSetProcessIsCritical
EtwTraceMessage
NtQueueApcThread
RtlUnhandledExceptionFilter
NtDeleteFile
RtlAnsiStringToUnicodeString
NtPrivilegeCheck
RtlNtStatusToDosErrorNoTeb
RtlExpandEnvironmentStrings_U
RtlMapGenericMask
NtTraceControl
NtInitializeRegistry
RtlDosPathNameToNtPathName_U
RtlLengthSid
RtlGetNtProductType
RtlInitAnsiString
NtOpenProcessToken
WinSqmAddToStream
RtlCopyLuid
RtlNewSecurityObject
NtShutdownSystem
RtlInitializeResource
NtAccessCheck
RtlValidRelativeSecurityDescriptor
NtClose
NtQueryInformationToken
RtlCopyUnicodeString
NtSetInformationThread
NtPrivilegeObjectAuditAlarm
NtOpenDirectoryObject
NtAccessCheckAndAuditAlarm
NtUnloadDriver
RtlSetSecurityObject
RtlSetSaclSecurityDescriptor
EvtIntReportEventAndSourceAsync
NtDeleteObjectAuditAlarm
RtlQueueWorkItem
RtlAcquireSRWLockShared
NtCloseObjectAuditAlarm
RtlAdjustPrivilege
NtOpenFile
EtwGetTraceLoggerHandle
NtQueryDirectoryFile
NtDeleteKey
RtlFreeHeap
RtlSetLastWin32Error
EtwEventWrite
RtlCompareUnicodeString
RtlReleaseSRWLockShared
NtOpenKey
RtlReleaseSRWLockExclusive
RtlReleaseResource
NtAdjustPrivilegesToken
RtlSetOwnerSecurityDescriptor
Ord(101)
Ord(106)
Ord(105)
Ord(102)
Number of PE resources by type
RT_MANIFEST 1
WEVT_TEMPLATE 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 4
ExifTool file metadata
SubsystemVersion 6.1
LinkerVersion 9.0
ImageVersion 6.1
FileSubtype 0
FileVersionNumber 6.1.7600.16385
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 38400
FileOS Windows NT 32-bit
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.1.7600.16385 (win7_rtm.090713-1255)
TimeStamp 2009:07:14 00:11:23+01:00
FileType Win32 EXE
PEType PE32
InternalName services.exe
FileAccessDate 2014:03:31 02:06:55+01:00
ProductVersion 6.1.7600.16385
FileDescription Services and Controller app
OSVersion 6.1
FileCreateDate 2014:03:31 02:06:55+01:00
OriginalFilename services.exe
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 218624
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7600.16385
EntryPoint 0x1388a
ObjectFileType Executable application
Compressed bundles
File identification
MD5 a302bbff2a7278c0e239ee5d471d86a9
SHA1 982337db5b7b58a090156fad6f305397787ffd67
SHA256 4c1096f2855ca7e6a043b312ea80921d3ce445630697eb4f4850ae842424a602
ssdeep 6144:5lMlQV2agWccMdwo6vQHLS0iVtq/3PmRJC:5l9VIC2wX4+0iV43+
imphash 7554e509802ea52a1d02bbb4506cae72
File size 253.0 KB ( 259072 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (43.5%)
Win32 Executable (generic) (29.8%)
Generic Win/DOS Executable (13.2%)
DOS Executable Generic (13.2%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
Tags peexe mz
VirusTotal metadata
First submission 2012-05-31 20:33:36 UTC ( 1 year, 10 months ago )
Last submission 2014-03-31 01:10:47 UTC ( 3 weeks, 2 days ago )
File names services.exe1
servicesbkp.exe
$$DeleteMe.services.exe.01cd76cb81848bf8.0000
services.exevr
vti-rescan
services.exe.vir
service1s.exe
services.exe$
services.e11
services_virus.exe
_services.exe
services.exe.mui
services.dll
services-b.exe
tsk0000.dta
services.exe
xxx.exexx
services.exe.000
services.exe.rootkit
services.exe
$$DeleteMe.services.exe.01cd6520fd4c6461.0000
services.exe.org
SERVICES.EXE
Services.exe
zz-services.tmp
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight