Services.exe (c:\windows\system32) is not a virus; however, viruses can hide by using well-known names like this one, the only difference being that they are placed in other locations. Deleting it is probably not enough, because somewhere in the registry there is a key that keeps starting it up again.
Process File: services or services.exe
Process Name: Windows Service Controller
Description:
services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated. Note: services.exe is also a process which is registered as the W32.Randex.R Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process
W32.Randex.R is a network-aware worm that spreads itself through shared network drives as the file Service.exe.
The worm receives instructions from an IRC channel on a specific IRC server. One such command triggers the aforementioned spreading.
W32.Randex.R may open ports 20, 113, 445, 1024, 55808. It also opens randomly selected ports.
Also Known As: W32/Sdbot.worm.gen [McAfee], Backdoor.SdBot.gen [Kaspersky]
Type: Worm
Infection Length: 23,072 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX
When W32.Randex.R is executed, it performs the following actions:
1. Copies itself to one of the following locations:
%System%\service.exe
%System%\svhost.exe
%System%\pointer32.exe
Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Calculates a random IP address for a computer to infect.
3. Enumerates the shared resources on the targeted computer at the randomly generated IP address.
4. Attempts to authenticate itself to the targeted computer, using the following user names and passwords:
User names:
admin
administrator
database
guest
owner
root
sql
sqlagent
system
user
wwwadmin
Passwords:
admin
administrator
asdf
asdfgh
database
guest
hidden
owner
pass123
pass
password123
password
root
secret
server
sql
sqlagent
system
user
wwwadmin
1
111
123
1234
123456
654321
!@#$
!@#$%
!@#$%^
!@#$%^&
!@#$%^&*
5. Once authenticated, copies itself to the shared drive on a targeted computer as one of the following:
Service.exe
Intdll.exe
and then executes it.
6. Adds one of the following values:
“Windows Services” = “service.exe”
“Microsoft Internet Exploerer” = “svhost.exe”
“Microsoft Mouse Driver Ver 3.0” = “pointer32.exe”
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
7. Connects to a specific IRC channel on a specific IRC server to receive remote instructions, such as:
* ntscan: Scans for computers with weak administrator passwords and copies itself to those computers.
* DDoS: Performs flooding, using SYN, ping, or UDP packets.
* sysinfo: Retrieves the infected computer's information, such as CPU speed, memory, and so on.
* update: Downloads files, possibly an updated version of itself, and then executes them.
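The following is an added example, not code from the page or from Symantec, that turns the indicators in steps 1, 4 and 6 above into three defender-side checks: matching the Run-key values the worm adds against a regedit text export, matching the dropped file names against a %System% directory listing (while leaving the legitimate services.exe and svchost.exe alone, which is the point the forum reply at the top makes), and auditing an account inventory for the user name/password pairs the worm tries. The function names, the .reg export, the directory listing and the account inventory are all constructed for the example; nothing here touches a live registry or attempts a login.

```python
import re

# Added example, not code from the page or from Symantec: defender-side checks
# built from the W32.Randex.R indicators in the write-up. All inputs below are
# constructed sample data, not captures from a real machine.

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Step 6: value name -> value data the worm adds under the Run key.
RANDEX_RUN_VALUES = {
    "Windows Services": "service.exe",
    "Microsoft Internet Exploerer": "svhost.exe",
    "Microsoft Mouse Driver Ver 3.0": "pointer32.exe",
}

# Step 1: file names the worm drops into %System%. The legitimate services.exe
# (plural) and svchost.exe are deliberately not in this set.
RANDEX_DROP_NAMES = {"service.exe", "svhost.exe", "pointer32.exe"}

# Step 4: the credential lists the worm tries against shared resources.
RANDEX_USERNAMES = {"admin", "administrator", "database", "guest", "owner",
                    "root", "sql", "sqlagent", "system", "user", "wwwadmin"}
RANDEX_PASSWORDS = {"admin", "administrator", "asdf", "asdfgh", "database",
                    "guest", "hidden", "owner", "pass123", "pass",
                    "password123", "password", "root", "secret", "server",
                    "sql", "sqlagent", "system", "user", "wwwadmin",
                    "1", "111", "123", "1234", "123456", "654321",
                    "!@#$", "!@#$%", "!@#$%^", "!@#$%^&", "!@#$%^&*"}

# One string value line in a .reg export: "name"="data"
_VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def suspicious_run_values(reg_export):
    """Return (name, data) pairs under the Run key that match the worm's values.

    `reg_export` is the text of a .reg file as written by regedit's export.
    Backslashes in string data are doubled there, so they are unescaped
    before the file name at the end of the value is compared.
    """
    findings = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line == f"[{RUN_KEY}]"  # only the Run key itself, not RunOnce
            continue
        m = _VALUE_LINE.match(line) if in_run_key else None
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")
        expected = RANDEX_RUN_VALUES.get(name)
        if expected and data.lower().endswith(expected):
            findings.append((name, data))
    return findings


def suspicious_files(system_dir_listing):
    """Return file names from a %System% listing that match the worm's drop names."""
    return sorted(f for f in system_dir_listing if f.lower() in RANDEX_DROP_NAMES)


def exposed_accounts(inventory):
    """Return account names whose (name, password) pair is in the worm's lists.

    `inventory` maps account names to current passwords from an offline audit.
    Account names are case-insensitive on Windows; passwords are not.
    """
    return [user for user, pw in inventory.items()
            if user.lower() in RANDEX_USERNAMES and pw in RANDEX_PASSWORDS]


# Constructed sample data (not from a real machine).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Windows Services"="service.exe"
"Microsoft Mouse Driver Ver 3.0"="C:\\WINDOWS\\System32\\pointer32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Services"="service.exe"
'''
SAMPLE_SYSTEM_LISTING = ["services.exe", "svchost.exe", "svhost.exe", "ntoskrnl.exe"]
SAMPLE_INVENTORY = {
    "Administrator": "password123",     # name tried by the worm, password in its list
    "svc_backup": "admin",              # weak, but this account name is never tried
    "root": "!@#$%^",                   # name tried and password in the list
    "sql": "Long-Unique-Passphrase-17", # name tried, password not in the list
}

if __name__ == "__main__":
    print("Run values:", suspicious_run_values(SAMPLE_REG_EXPORT))
    print("Dropped files:", suspicious_files(SAMPLE_SYSTEM_LISTING))
    print("Exposed accounts:", exposed_accounts(SAMPLE_INVENTORY))
```

Run against the constructed data, the Run-key check reports the two worm values and ignores the copy under RunOnce, the file check reports only svhost.exe (the lookalike of the real svchost.exe), and the account audit reports Administrator and root but not svc_backup, because a weak password on a name the worm never tries is outside this worm's reach even though it is still a finding for a broader password audit.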
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Randex.R.
5. Delete the values that were added to the registry.
For specific details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, “Antivirus Tools Cannot Clean Infected Files in the _Restore Folder,” Article ID: Q263455.