Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- System Back Door
- Malware Downloader
- Malware Dropper
File Behavior
SERV.EXE has been seen to perform the following behavior:
- Communicates with other computers using FTP connections
- This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Creates a Toolbar Extension for Internet Explorer
- This Process Deletes Other Processes From Disk
- Can communicate with other computer systems using HTTP protocols
- Writes to another Process's Virtual Memory (Process Hijacking)
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Executes a Process
- Creates a new Background Service on the machine
- Creates new folders on the system
- Injects code into other processes
- This Process is a file infector which modifies program files to include a copy of the infection
- This process creates other processes on disk
- Registers a Dynamic Link Library File
- This Process looks to see what security products and services are running on the system
- Sends mail without telling you
- Drops known malicious software during execution
- Uses DNS to retrieve the IP address for web sites
- Visits web sites on your PC without you knowing
- The Process is packed and/or encrypted using a software packing process
- Found on infected systems and resists interrogation by security products
SERV.EXE has been the subject of the following behavior:
- Executed from Temporary Folders
- Created as a process on disk
- Executed as a Process
- Deleted as a process from disk
- Has code inserted into its Virtual Memory space by other programs
- Created as a new Background Service on the machine
- Terminated as a Process
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Created by processes which appear to be checking for interception by security products
- Added as a Registry auto start to load Program on Boot up
Country Of Origin
The filename SERV.EXE was first seen on May 10 2007 in the following geographical regions of the Webroot community:
- on May 10 2007
- Spain on May 10 2007
- Netherlands on Oct 15 2007
- Bulgaria on Oct 15 2007
- Malaysia on Nov 24 2007
- Turkey on Aug 10 2008
- Canada on Jan 11 2010
- Taiwan on Jan 11 2010
- Hungary on Feb 18 2011
- Thailand on Feb 18 2011
- South Africa on Mar 26 2013
File Name Aliases
SERV.EXE can also use the following file names:
- A3RF.EXE
- SERV.EXE.DEL
- SERV8.EXE
- BNET.EXE
- HDDD.EXE
- SEFV8.EXE
- BETD.EXE
- SERVICES.EXE
- SERV8[1].EXE
- DQ.EXE
- 2D67.FLV
- F6R6.EXE
- E2R0.EXE
- 13111.EX$
- 40119886.DAT
- 95658291.EXE
- 64624525.EXE
- 07274568.EXE
- 78102793.EXE
- 03302565.DAT
Filesizes
The following file sizes have been seen:
- 1,082,368 bytes
- 5,632 bytes
- 466,944 bytes
- 118,224 bytes
- 529,785 bytes
- 22,016 bytes
- 56,320 bytes
- 46,080 bytes
File Type
The filename SERV.EXE is used by multiple object types, including executable programs and objects.
File Activity
One or more files with the name SERV.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\dwwin.exe
- Creates c:\windows\serv.exe
- Creates c:\4.tmp
- Creates c:\windows\system32\vsxmnarr.dll
- Creates c:\windows\system32\mciswups.exe
- Creates c:\windows\system32\wmerpgpc.dll
- Creates c:\windows\serv.dll
- Creates c:\windows\system32\e1.dll
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\jim\locals~1\temp\~D.tmp
- Deletes c:\docume~1\jim\locals~1\temp\~D.tmp
- Deletes c:\docume~1\jim\locals~1\temp\~14.tmp
- Deletes c:\docume~1\jim\locals~1\temp\~17.tmp
- Creates c:\docume~1\jim\locals~1\temp\6b4d_appcompat.txt
- Creates c:\docume~1\jim\locals~1\temp\6566_appcompat.txt
- Creates c:\docume~1\jim\locals~1\temp\6459_appcompat.txt
- Creates c:\docume~1\jim\locals~1\temp\4A331.dmp
Network Activity
One or more files with the name SERV.EXE performs the following network events:
Website Activity
One or more files with the name SERV.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.