Srvany.exe: what could it be?

Discussion in 'malware problems & news' started by Smokey, Feb 6, 2005.

Thread Status:
Not open for further replies.
  1. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    TDS3 found this on my machine:

    Scan Control Dumped @ 00:14:59 07-02-05
    Positive identification: Riskware.Tool.ServiceRunner.d
    File: c:\windows\system32\srvany.exe

    Size: 13.312 (13kb)
    Version: 0.0.0
    Type: unknown
    Internal properties: unknown

    What the heck could it be?

    Is it dangerous or not?

    I have searched the internet, and there are so many explanations and opinions about srvany.exe, I don't know anymore what I should think about it.

    For example at www.neuber.com I found this explanation:

    What is srvany.exe? Is srvany.exe spyware or a virus?
    Process name: Services Any
    Product: Windows NT Resource Kits
    Company: Microsoft
    File: srvany.exe


    This utility allows running Windows NT™ applications as services.
    The benefits include:
    - allow apps to survive logoff/logon sequences, hence saving the overhead of re-starting them for each new user
    - allow server apps to come up and service requests even when no user is logged on
    - allow apps to run and perform a task in a specific logon account, different from the currently logged-on user

    Note: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection!

    End of the article.

    Because the location is windows\system32, and I cannot identify it as an original Microsoft file, I know the file is suspicious, and TDS3 is assuming the same.

    Anybody who knows the right solution?
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    To be sure, Smokey, just submit the file to submit@diamondcs.com.au

    and the creators of TDS will analyse it and get back to you with the verdict on it.


    snowbound
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    For what it's worth, after dropping a legitimate copy of srvany.exe (from the Windows Server 2003 Resource Kit) into my system32 directory, a TDS-3 scan did not flag it.

    Nick
     
  4. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    I have already sent the file to TDS3 support but no answer yet, will send it again to the address above.
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Remember that DCS's tech support is from Mon-Fri. If the file does not reach 'em try sending it again.
     
  6. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    I replaced it with a legitimate copy, but it is still flagged by TDS3 as dangerous.....

    Maybe a false positive?

    But there must be a reason why TDS3 flagged it!
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    I already did ;)
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    There is!

    srvany.exe is widely used in XDCC autorooters (rootkits) to start the backdoor as a service.

    That's why the flag: Riskware.Tool.ServiceRunner.d
    To determine if it's dangerous or not you would have to know the target file, i.e. the executable that is started as a service using srvany.exe.

    If you wish I can post links to numerous hijack threads at various forums where srvany.exe has been used maliciously.
     
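The check illukka describes, finding the executable that srvany.exe actually starts, can be done from the registry alone: srvany.exe is only a launcher, and the program it runs is named in the service's Parameters subkey (Application, plus optional AppParameters and AppDirectory values). The script below is an added example and is not code from this thread or from Microsoft. It parses an offline `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` dump, so it can be run on an analyst machine against a copy taken from the suspect box. The embedded .reg text is constructed sample data, and the service names, paths and the "user-writable directory" heuristic are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Assumed heuristic: directories where a service payload is rarely legitimate.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\",
                   "\\documents and settings\\", "\\users\\", "\\appdata\\")

# Constructed sample, shaped like the output of
#   reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
# REG_EXPAND_SZ values are written as hex(2): UTF-16LE bytes with "\" line
# continuations; REG_SZ values are quoted strings with \\ escapes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"DisplayName"="Windows Time"
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyTool]
"ImagePath"=hex(2):43,00,3a,00,5c,00,74,00,6f,00,6f,00,6c,00,73,00,5c,00,73,00,\
  72,00,76,00,61,00,6e,00,79,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyTool\Parameters]
"Application"="C:\\Program Files\\MyTool\\mytool.exe"
"AppDirectory"="C:\\Program Files\\MyTool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winsvc]
"ImagePath"="C:\\WINDOWS\\system32\\srvany.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winsvc\Parameters]
"Application"="C:\\WINDOWS\\Temp\\winsvc.exe"
"AppParameters"="-silent"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Orphan]
"ImagePath"="C:\\WINDOWS\\system32\\srvany.exe"
'''


def _decode_value(raw: str) -> str:
    """Turn the textual .reg form of a value into a Python string."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if m and m.group(1) in ("2", "7"):
        # REG_EXPAND_SZ / REG_MULTI_SZ: comma-separated UTF-16LE bytes
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00").replace("\x00", " | ")
    return raw  # dword:, binary hex: etc. are left as written


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a version 5.00 .reg export into {key path: {value name: value}}."""
    # A trailing backslash continues the value on the next (indented) line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""
        current[name] = _decode_value(m.group(2))
    return keys


def find_srvany_services(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Report every service whose ImagePath is srvany.exe together with the
    program srvany.exe will really start, read from the Parameters subkey."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    prefix = SERVICES_KEY.lower() + "\\"
    depth = prefix.count("\\")
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if not low.startswith(prefix) or low.count("\\") != depth:
            continue  # direct children of Services only, not their subkeys
        image = values.get("ImagePath", "")
        if "srvany.exe" not in image.lower():
            continue
        params = {k.lower(): v for k, v in by_lower.get(low + "\\parameters", {}).items()}
        app = params.get("application", "")
        findings.append({
            "service": path.rsplit("\\", 1)[1],
            "srvany_path": image,
            "application": app,
            "app_parameters": params.get("appparameters", ""),
            "app_directory": params.get("appdirectory", ""),
            # No target at all is also worth a look: a half-removed install or
            # a launcher whose payload was moved elsewhere.
            "suspicious": not app or any(d in app.lower() for d in SUSPICIOUS_DIRS),
        })
    return findings


if __name__ == "__main__":
    for f in find_srvany_services(parse_reg_export(SAMPLE_REG)):
        target = f["application"] or "<no Parameters\\Application value>"
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{f['service']:<8} {f['srvany_path']} -> {target} {f['app_parameters']} [{flag}]")
```

The srvany.exe binary itself is the same whether it launches a vendor daemon or an IRC backdoor, which is why a scanner can only call it "riskware"; the verdict comes from the Application value and the file it points to, so that file (and its AppDirectory, if set) is what to hash, check for a publisher signature and submit for analysis.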
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Thanks for the explanation, why TDS3 flags the file!
     