ntsvc.exe

Navigation

Wang Nan

The application ntsvc.exe, “Net Service Event Handler” by Wang Nan has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “Net Service Event Handler”. This file is typically installed with the program searchult by Navigation. While running, it connects to the Internet address anubisnetworks.com on port 80 using the HTTP protocol.
Publisher:
Navigation Co., Ltd.  (signed by Wang Nan)

Product:
Navigation

Description:
Net Service Event Handler

Version:
2.0.1.7981

MD5:
95ba4e91848fde4447cf5c01143bdddf

SHA-1:
e3de8bbbd8135d73568fb00a2eb7595966e4b92e

SHA-256:
979a1073d76b4cf722195cb99a281d5cb7ca8c1b20aef28d7fcbded48f9ad544

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 12:13:35 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Threat.WangNan
15.4.14.13

File size:
657.1 KB (672,824 bytes)

Product version:
2.0.1.7981

Copyright:
Navigation Copyright (C) 2013

Original file name:
ntsvc.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese

Common path:
C:\users\{user}\appdata\roaming\ntsvc\ntsvc.exe

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
7/22/2014 3:49:09 AM

Valid to:
7/22/2015 3:49:09 AM

Subject:
CN=Wang Nan, E=wangnan@oasgames.com, L=Luquan, S=Hebei, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
2D2175D57FAB801CD9A1A92DE079F0EA

File PE Metadata
Compilation timestamp:
3/19/2015 1:05:37 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:yy0p9eFIkV88HLUgTxFEnfSpNdT+BJI1xm16WRZTlkpQnFndhcYD6vZoJ:IeFiOUhSzT+v6WRZTCnYD6vZG

Entry address:
0x30D3E

Entry point:
E8, D0, 06, 01, 00, E9, 7F, FE, FF, FF, E8, 3F, A3, 00, 00, 69, 48, 14, FD, 43, 03, 00, 81, C1, C3, 9E, 26, 00, 89, 48, 14, C1, E9, 10, 81, E1, FF, 7F, 00, 00, 8B, C1, C3, 55, 8B, EC, E8, 1B, A3, 00, 00, 8B, 4D, 08, 89, 48, 14, 5D, C3, 55, 8B, EC, 83, 3D, 60, F2, 49, 00, 00, 75, 75, 8B, 55, 08, 85, D2, 75, 17, E8, 7D, 26, 00, 00, C7, 00, 16, 00, 00, 00, E8, CB, 66, 00, 00, B8, FF, FF, FF, 7F, 5D, C3, 8B, 4D, 0C, 85, C9, 74, E2, 53, 56, 57, 6A, 41, 5F, 6A, 5A, 2B, D1, 5B, 0F, B7, 04, 0A, 66, 3B, C7, 72, 0D...
 
[+]

Code size:
517 KB (529,408 bytes)

Service
Display name:
Net Service Event Handler

Service name:
Sed

Description:
Network service event handler for system.

Type:
Win32OwnProcess

Group:
Event log


The file ntsvc.exe has been discovered within the following program.

searchult  by Navigation
About 9% of users remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-91-52-229.compute-1.amazonaws.com  (52.91.52.229:80)

TCP (HTTP):
Connects to anubisnetworks.com  (195.22.26.248:80)

TCP (HTTP):
Connects to unallocated.barefruit.co.uk  (92.242.140.20:80)

TCP (HTTP):
Connects to ec2-52-201-213-112.compute-1.amazonaws.com  (52.201.213.112:80)

TCP (HTTP):
Connects to ip-50-63-202-46.ip.secureserver.net  (50.63.202.46:80)

TCP (HTTP):

Remove ntsvc.exe - Powered by Reason Core Security