services.exe

The executable services.exe has been detected as malware by 41 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler named avaavaevy triggered by a time event. This file is typically installed with the program webssearches uninstall by Hefei Zhimingxingtong Software&Technology Co., Ltd. which is a potentially unwanted software program. While running, it connects to the Internet address media-router-fp1.prod.media.vip.bf1.yahoo.com on port 443.
MD5:
ef44b817dceb4c3bfd21fd3d08b5d28d

SHA-1:
5cfe3e6816b989c1ddc1415dd7a257d41a0fbf74

SHA-256:
c47e8581dd463ca08ed499ba1199583a04b5bdaf6f49523f21a0b48c31d6a444

Scanner detections:
41 / 68

Status:
Malware

Analysis date:
12/26/2024 12:38:20 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Win32.Brontok.MK
652

Agnitum Outpost
I-Worm.Brontok
7.1.1

AhnLab V3 Security
Win32/Brontok.worm.42667
2015.04.21

Avira AntiVirus
WORM/Brontok.C
3.6.1.96

avast!
Win32:Rontokbr-L [Wrm]
2014.9-150423

AVG
Worm/Brontok
2016.0.3130

Baidu Antivirus
Trojan.Win32.FakeFolder
4.0.3.15423

Bitdefender
Win32.Brontok.MK
1.0.20.565

Bkav FE
W32.RontokbroHK
1.3.0.6379

Clam AntiVirus
Worm.Brontok.E
0.98/21511

Comodo Security
Packed.Win32.Packer.~GEN
21835

Dr.Web
Win32.Virut.5
9.0.1.0113

Emsisoft Anti-Malware
Win32.Brontok.MK
8.15.04.23.03

ESET NOD32
Win32/Brontok
9.11503

Fortinet FortiGate
W32/Brontok.C@mm
4/23/2015

F-Prot
W32/EmailWorm.GS
v6.4.7.1.166

F-Secure
Win32.Brontok.MK
11.2015-23-04_5

G Data
Win32.Brontok.MK
15.4.25

IKARUS anti.virus
Email-Worm.Win32.Brontok
t3scan.1.8.9.0

K7 AntiVirus
Trojan
13.202.15649

Kaspersky
Trojan.Win32.Genome
14.0.0.2147

Malwarebytes
Trojan.Dropper
v2015.04.23.03

McAfee
W32/Rontokbro.gen@MM
5600.6786

Microsoft Security Essentials
Worm:Win32/Brontok@mm
1.1.11502.0

MicroWorld eScan
Win32.Brontok.MK
16.0.0.339

NANO AntiVirus
Trojan.Win32.Brontok.bmcat
0.30.16.1110

Norman
Alman.E
11.20150423

nProtect
Worm/W32.Brontok.42667
15.04.20.01

Panda Antivirus
W32/Brontok.GS.worm
15.04.23.03

Qihoo 360 Security
Win32/Trojan.4a4
1.0.0.1015

Quick Heal
W32.Brontok.Q
4.15.14.00

Rising Antivirus
PE:Trojan.Win32.Generic.13334469!322126953
23.00.65.15421

Sophos
W32/Brontok-Gen
4.98

SUPERAntiSpyware
Trojan.Agent/Gen-FakeSec
9918

Total Defense
Win32/Robknot.EB
37.1.62.1

Trend Micro House Call
WORM_RONTOKBR.CF
7.2.113

Trend Micro
WORM_RONTOKBR.CF
10.465.23

Vba32 AntiVirus
Worm.Brontok
3.12.26.3

VIPRE Antivirus
Email-Worm.Win32.Brontok.a
39516

ViRobot
I-Worm.Win32.Brontok.42667.A[h]
2014.3.20.0

Zillya! Antivirus
Worm.Brontok.Win32.914
2.0.0.2145

File size:
41.7 KB (42,667 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\services.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:yzL/a40DKwDRxMXyfSI0tVqoNbpVeMOxMp6qX2Yv35BMCU:MafVleX4gioNLCMp9225A

Entry address:
0x2F492

Entry point:
E9, BD, 0C, FD, FF, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 69, F4, 02, 00, 0C, 50, 02, 00...
 
[+]

Entropy:
7.2795

Packer / compiler:
RLPack FullEdition V1.1X

Code size:
512 Bytes (512 bytes)

Scheduled Task
Task name:
avaavaevy

Trigger:
Time


The file services.exe has been discovered within the following program.

webssearches uninstall  by Hefei Zhimingxingtong Software&Technology Co., Ltd.
webssearches is an adware (advertising supported) web browser application that is designed to display banner ads as well as contextual link ads (such as hyperlinks the user will see underlined).
83% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ats.sbs.vip.dc11.lumsb.com  (8.12.146.61:443)

TCP (HTTP):
Connects to clipart.geo.vip.bf1.yahoo.com  (98.137.201.117:80)

TCP (HTTP SSL):
Connects to ir2.fp.vip.bf1.yahoo.com  (98.139.183.24:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.ne1.yahoo.com  (98.138.252.38:443)

TCP (HTTP SSL):
Connects to media-router-fp1.prod.media.vip.bf1.yahoo.com  (98.139.180.180:443)

TCP (HTTP SSL):
Connects to ir1.fp.vip.bf1.yahoo.com  (98.139.180.149:443)

TCP (HTTP):

TCP (HTTP SSL):
Connects to e2.ycpi.vip.bra.yahoo.com  (200.152.162.161:443)

TCP (HTTP SSL):
Connects to e1.ycpi.vip.bra.yahoo.com  (200.152.162.135:443)

Remove services.exe - Powered by Reason Core Security