services.exe

The executable services.exe has been detected as malware by 35 anti-virus scanners. While running, it connects to the Internet address www.ovip.icq.com on port 80 using the HTTP protocol.
MD5:
e5c953efceafa7e91819de8b91f0a3bd

SHA-1:
951369e0c216c5b7bf3b60333b33866db70e6644

SHA-256:
94ae34a3a9c420b49cb04946172406b3dc362671564badcdb1c85fc4e8a40de6

Scanner detections:
35 / 68

Status:
Malware

Analysis date:
12/25/2024 2:07:33 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Backdoor.Prorat.AR1
7.1.1

AhnLab V3 Security
Trojan/Win32.Prorat
2013.05.04

Avira AntiVirus
BDS/Prorat.19.i.A
7.11.76.4

avast!
Win32:Prorat-IR [Trj]
2014.9-140112

AVG
BackDoor.Generic3
2015.0.3597

Bitdefender
Backdoor.Generic.311308
1.0.20.60

Clam AntiVirus
Trojan.Prorat.19-55
0.98/18155

Comodo Security
Backdoor.Win32.Agent.AVW85
16159

Dr.Web
Trojan.DownLoad1.39115
9.0.1.012

Emsisoft Anti-Malware
Backdoor.Generic.311308
8.14.01.12.04

ESET NOD32
Win32/Prorat.19
8.8295

Fortinet FortiGate
W32/Prorat.I!tr.bdr
1/12/2014

F-Prot
W32/ProratP.A
v6.4.7.1.166

F-Secure
Backdoor.Generic.311308
11.2014-12-01_1

G Data
Backdoor.Generic.311308
14.1.22

IKARUS anti.virus
Backdoor.Win32.Prorat
t3scan.2.0.0.0

K7 AntiVirus
Backdoor
13.166.8625

Kaspersky
Backdoor.Win32.Prorat
14.0.0.4479

Malwarebytes
Backdoor.Prorat
v2014.01.12.04

McAfee
BackDoor-AVW
5600.7253

Microsoft Security Essentials
Backdoor:Win32/Prorat.L
1.163.1557.0

MicroWorld eScan
Backdoor.Generic.311308
15.0.0.36

NANO AntiVirus
Trojan.Win32.Prorat.dlee
0.24.0.52214

Norman
Prorat.gen1
11.20140112

nProtect
Backdoor/W32.Prorat.350764.E
13.05.04.02

Panda Antivirus
Bck/Prorat.X
14.01.12.04

Quick Heal
Backdoor.Prorat.19.i.n3
1.14.12.00

Sophos
Troj/Prorat-19
4.88

SUPERAntiSpyware
Trojan.Agent/Gen-Prorat
10851

Total Defense
Win32/ProRat.L
37.0.10406

Trend Micro House Call
TROJ_GEN.R4FH1KL
7.2.12

Trend Micro
BKDR_PRORAT.SMM
10.465.12

Vba32 AntiVirus
Backdoor.VB
3.12.22.0

VIPRE Antivirus
BehavesLike.Win32.Malware.ssc (mx-v)
17432

ViRobot
Backdoor.Win32.Prorat.350764.M
2011.4.7.4223

File size:
342.5 KB (350,764 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\windows\services.exe

File PE Metadata
Compilation timestamp:
11/19/2004 1:19:18 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.0

CTPH (ssdeep):
6144:DRqmpp+amNOGokzLyM9tsLAitQo6tzOKkzIt8gKyfjxfR9D2j4y4QM5usT:VqmpplpGoGL3etQoMiXM8gxf/Sj4yYA0

Entry address:
0x1FA4B0

Entry point:
60, BE, 00, 60, 5A, 00, 8D, BE, 00, B0, E5, FF, C7, 87, 1C, 70, 1D, 00, 07, 5A, 58, 8B, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 19, 8B, 1E, 83, EE, FC, 11, DB, 72, 10, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 78, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub

Code size:
340 KB (348,160 bytes)

Policies Explorer Run
Name:
DirectX For Microsoft® Windows


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to www.ovip.icq.com  (178.237.20.20:80)

Remove services.exe - Powered by Reason Core Security