Srvany.exe: what could it be?

Discussion in 'malware problems & news' started by Smokey, Feb 6, 2005.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    TDS3 found this on my machine:

    Scan Control Dumped @ 00:14:59 07-02-05
    Positive identification: Riskware.Tool.ServiceRunner.d
    File: c:\windows\system32\srvany.exe

    Size: 13.312 (13kb)
    Version: 0.0.0
    Type: unknown
    Internal properties: unknown

    What the heck could it be?

    Is it dangerous or not?

    I have searched internet, and there are so many explanations and opinions about srvany.exe, I don't know anymore what I should think about it.

    For example at www.neuber.com I found this explanation:

    What is srvany.exe? Is srvany.exe spyware or a virus?
    Process name: Services Any
    http://www.neuber.com/img/space.gif
    Product: Windows NT Resource Kits
    http://www.neuber.com/img/space.gif
    Company: Microsoft
    http://www.neuber.com/img/space.gif
    File: srvany.exe
    http://www.neuber.com/img/space.gif
    Security Rating: http://www.neuber.com/img/spyrate1.gif


    This utility allows running Windows NT™ applications as services.
    The benefits include:
    - allow apps to survive logoff/logon sequences, hence saving the overhead of re-starting them for each new user
    - allow server apps to come-up and service requests even when no user is logged-on
    - allow apps to run and perform a task in a specific logon account, different from the currently logged-on user Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection!

    End of the article.

    Because the location is windows\system32, and I can not identify it as an original Microsoft file, I know the file is suspicious, and TDS3 is assuming the same.

    Anybody who knows the right solution?
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    To be sure Smokey, just submit the file, submit@diamondcs.com.au

    and the creators of TDS will analyse it and get back to u with the verdict on it.


    snowbound
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    For what it's worth, after dropping a legitimate copy of srvany.exe (from the Windows Server 2003 Resource Kit) into my system32 directory, a TDS-3 scan did not flag it.

    Nick
     
  4. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    I have already sent the file to TDS3 support but no answer till yet, will send it again to the adress above.
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Remember that DCS's tech support is from Mon-Fri. If the file does not reach 'em try sending it again.
     
  6. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    I replaced it with a legimate copy, but still flagged by TDS3 as dangerous.....

    Maybe a false positive?

    But there must be a reason why TDS3 flagged it!
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    I already did;)
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    there is!

    srvany.exe is widely used in xdcc autorooters ( rootkits ) to start the backdoor as a service

    thats why the flag:Riskware.Tool.ServiceRunner.d
    to determine if its dangerous or not you would have to know the target file, ie the executable that is started as a service using srvany.exe

    if you wish i can post links to numerous hijack threads at various forums where srvany.exe has been used maliciously
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Thanks for the explanation, why TDS3 flags the file!
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.