Srvany.exe: what could it be?

Discussion in 'malware problems & news' started by Smokey, Feb 6, 2005.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    TDS3 found this on my machine:

    Scan Control Dumped @ 00:14:59 07-02-05
    Positive identification: Riskware.Tool.ServiceRunner.d
    File: c:\windows\system32\srvany.exe

    Size: 13.312 (13kb)
    Version: 0.0.0
    Type: unknown
    Internal properties: unknown

    What the heck could it be?

    Is it dangerous or not?

    I have searched internet, and there are so many explanations and opinions about srvany.exe, I don't know anymore what I should think about it.

    For example at www.neuber.com I found this explanation:

    What is srvany.exe? Is srvany.exe spyware or a virus?
    Process name: Services Any
    Product: Windows NT Resource Kits
    Company: Microsoft
    File: srvany.exe
    Security Rating: [image]


    This utility allows running Windows NT™ applications as services.
    The benefits include:
    - allow apps to survive logoff/logon sequences, hence saving the overhead of re-starting them for each new user
    - allow server apps to come-up and service requests even when no user is logged-on
    - allow apps to run and perform a task in a specific logon account, different from the currently logged-on user

    Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection!

    End of the article.

    Because the location is windows\system32, and I can not identify it as an original Microsoft file, I know the file is suspicious, and TDS3 is assuming the same.

    Anybody who knows the right solution?
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    To be sure Smokey, just submit the file to submit@diamondcs.com.au

    and the creators of TDS will analyse it and get back to you with the verdict on it.


    snowbound
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    For what it's worth, after dropping a legitimate copy of srvany.exe (from the Windows Server 2003 Resource Kit) into my system32 directory, a TDS-3 scan did not flag it.

    Nick
     
  4. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    I have already sent the file to TDS3 support but no answer yet, will send it again to the address above.
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Remember that DCS's tech support is from Mon-Fri. If the file does not reach 'em try sending it again.
     
  6. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    I replaced it with a legitimate copy, but still flagged by TDS3 as dangerous.....

    Maybe a false positive?

    But there must be a reason why TDS3 flagged it!
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    I already did;)
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    There is!

    srvany.exe is widely used in xdcc autorooters (rootkits) to start the backdoor as a service.

    That's why the flag: Riskware.Tool.ServiceRunner.d
    To determine if it's dangerous or not you would have to know the target file, i.e. the executable that is started as a service using srvany.exe.

    If you wish I can post links to numerous hijack threads at various forums where srvany.exe has been used maliciously.
     
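The point made in the post above (the verdict depends on which executable srvany.exe has been configured to launch, not on srvany.exe itself) can be checked directly, because srvany.exe reads its target from the service's `Parameters` registry subkey. The following script is an added example for illustration, not code from the thread or from Microsoft's Resource Kit; it lists every service whose `ImagePath` points at srvany.exe and reports the `Application`, `AppParameters` and `AppDirectory` values that tell you what really runs, plus the SHA-256 of that target so it can be compared against a known-good copy. The output column names are my own.

```powershell
# Added example: enumerate services that use srvany.exe as their host binary
# and show the real program each one launches (run in an elevated PowerShell).
# srvany.exe reads HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters:
#   Application   - full path of the program started as the service
#   AppParameters - optional command-line arguments
#   AppDirectory  - optional working directory
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath -or $svc.ImagePath -notmatch 'srvany\.exe') { return }

    $paramsPath = Join-Path -Path $_.PSPath -ChildPath 'Parameters'
    $params = Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue

    # Resolve the launched program and hash it if it exists on disk, so the
    # target (not srvany.exe) is what gets compared against a known-good copy.
    $target = $params.Application
    $targetExists = $false
    $targetHash = $null
    if ($target) {
        $expanded = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))
        if (Test-Path -LiteralPath $expanded -PathType Leaf) {
            $targetExists = $true
            $targetHash = (Get-FileHash -LiteralPath $expanded -Algorithm SHA256).Hash
        }
    }

    [PSCustomObject]@{
        Service       = $_.PSChildName
        DisplayName   = $svc.DisplayName
        StartType     = $svc.Start          # 2 = automatic, 3 = manual, 4 = disabled
        RunsAs        = $svc.ObjectName     # account the service runs under
        ImagePath     = $svc.ImagePath
        Application   = $target
        AppParameters = $params.AppParameters
        AppDirectory  = $params.AppDirectory
        TargetExists  = $targetExists
        TargetSHA256  = $targetHash
    }
} | Format-List
```

A service whose `Application` points into a user-writable or temporary directory, or whose `RunsAs` is `LocalSystem` for a program nobody recognises, is the case the poster describes; a Resource Kit srvany.exe wrapping a known administrative tool in a known location is the benign one. The scanner flags the wrapper either way, which is why the thread's "legitimate copy is still flagged" observation is consistent with a benign configuration.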
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Thanks for the explanation, why TDS3 flags the file!
     