services.exe

The executable services.exe has been detected as malware by 48 of 68 anti-virus scanners; most engines classify it as a variant of the Brontok (also named Rontokbro) mass-mailing worm, and the file is packed with RLPack. It persists by adding a value named ‘Tok-Cirrhatus’ to the current user's Run registry key, which launches a copy named smss.exe from the same %LOCALAPPDATA% directory each time the user logs into Windows. Both services.exe and smss.exe are the names of core Windows processes that legitimately run only from the System32 directory, so a copy under the user profile is itself a strong indicator. The file has been found bundled with a number of potentially unwanted programs, including Rich Media Player by Radiocom and istartsurf uninstall by Skytech. While running, it connects to ats.sbs.vip.dc11.lumsb.com on port 443.
MD5:
483fcf432217d71544246aa760d98cdc

SHA-1:
591b0ec52ad2a306f1cf8af2fc04125642b1a00b

SHA-256:
70d98b736c32160617e8e272c2f5b2c10c72789fe40e27ec16f94ffa09394cd7

Scanner detections:
48 / 68

Status:
Malware

Analysis date:
2/17/2017 10:36:47 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Worm.Generic.237277 | 1140
Agnitum Outpost | Trojan.Kryptik | 7.1.1
AhnLab V3 Security | Win32/Brontok.worm.42687.B | 2013.12.22
Avira AntiVirus | Worm/Brontok.C | 7.11.121.78
Antiy Labs AVL | Worm/Win32.Brontok | 2.0.3.7
avast! | Win32:Rontokbr-L [Wrm] | 2014.9-131222
AVG | I-Worm/Brontok | 2014.0.3618
Baidu Antivirus | Email-Worm.Win32.Brontok | 4.0.3.131222
Bitdefender | Worm.Generic.237277 | 1.0.20.1780
Bkav FE | W32.BrontokQ | 1.3.0.4613
Clam AntiVirus | Worm.Brontok.E | 0.98/18355
CMC Antivirus | Generic.Win32.483fcf4322!MD | 1.1.0.977
Commtouch SDK | W32/Brontok.C.gen!Eldorado | 5.4.1.7
Comodo Security | Worm.Win32.Brontok.AQ | 17480
Dr.Web | Win32.Virut.5 | 9.0.1.05190
Emsisoft Anti-Malware | Worm.Generic.237277 | 11.5.0.6191
ESET NOD32 | Win32/Brontok.AQ worm | 6.3.12010.0
Fortinet FortiGate | W32/Brontok.C@mm | 12/22/2013
F-Prot | W32/Brontok.EX@mm | 4.6.5.141
F-Secure | Worm.Generic.237277 | 11.2013-22-12_1
G Data | Worm.Generic.237277 | 13.12.22
IKARUS anti.virus | Email-Worm.Win32.Brontok | t3scan.2.2.29
Jiangmin | Worm/Brontok.ww | KV131222
K7 AntiVirus | EmailWorm | 13.174.10588
K7 Gateway Antivirus | EmailWorm | 13.174.10588
Kaspersky | Trojan.Win32.Genome | 15.0.2.529
Kingsoft AntiVirus | Worm.MailBrontok.b.(kcloud) | 331020.49267
Malwarebytes | Trojan.Dropper | v2013.12.22.07
McAfee | W32/Rontokbro.gen@MM | 5600.7274
McAfee Web Gateway | Heuristic.BehavesLike.Win32.Suspicious-BAY.K | 7.7274
Microsoft Security Essentials | Worm:Win32/Brontok.BU@mm | 1.165.247.01
MicroWorld eScan | Worm.Generic.237277 | 14.0.0.1068
NANO AntiVirus | Trojan.Win32.Brontok.bmcat | 0.28.0.57029
Norman | Alman.E | 11.20131222
nProtect | Worm/W32.Brontok.42687 | 13.12.22.01
Panda Antivirus | W32/Brontok.GS.worm | 13.12.22.07
Quick Heal | W32.Brontok.Q | 12.13.12.00
Reason Heuristics | Win32.Generic | 17.2.17.17
Rising Antivirus | PE:Trojan.Win32.Generic.11EBC5C7!300664263 | 23.00.65.131220
Sophos | W32/Brontok-D | 4.96
SUPERAntiSpyware | Trojan.Agent/Gen-Loader | 10892
The Hacker | Trojan/Kryptik.as | 6.8.0.12.356
Total Defense | Win32/Robknot.T | 37.0.10653
Trend Micro House Call | WORM_RONTKBR.F | 7.2.356
Trend Micro | WORM_RONTKBR.F | 10.465.22
Vba32 AntiVirus | SIM.Trojan.VBO.01035 | 3.12.24.3
VIPRE Antivirus | Trojan.Win32.Generic | 24622
ViRobot | I-Worm.Win32.Brontok.42687.B | 2011.4.7.4223

Note that most engine version strings carry a 22 December 2013 build date, so the detection names above largely reflect signatures of that period; only the Reason Heuristics entry matches the stated analysis date.

File size:
41.7 KB (42,687 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\services.exe

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

CTPH (ssdeep):
768:J/n/s4NzTSD5IZfRrbjOmd2VZX+DNxEUKbO5/Pd4PV2g1Q3qv35BMCV:JsgToKHSmdkIDNxfdPy35B

Entry address:
0x2F4A6

Entry point:
E9, A9, 0C, FD, FF, 0C, 50, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 7D, F4, 02, 00, 0C, 50, 02, 00...

Packer / compiler:
RLPack FullEdition V1.1X * Sign.By.fly

Code size:
512 bytes

Mozilla Extension
Name:
extensions.exe

Id:
extensions


Scheduled Task
Task name:
At1

Trigger:
Weekly (Runs weekly on Tuesdays at 5:08 PM)

Description:
Created by NetScheduleJobAdd. (At<n> is the name Windows assigns to jobs created through the legacy at.exe / NetScheduleJobAdd API; such jobs run under the local SYSTEM account rather than the logged-on user, so this task is both a persistence and a privilege mechanism.)


Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus

Command:
"C:\users\{user}\appdata\local\smss.exe"


The file services.exe has been discovered within the following programs.

BitGuard  by MediaTechSoft Inc.
BitGuard, also known as BProtector, Application Manager and Browser Protector, is an application designed to prevent the removal of software installed by the provider and affiliates (including web browser extensions deployed by PerformerSoft).
www.mediatechsoft.com/contact.html
About 74% of users remove it
BS Player ControlBar B Toolbar for IE  by Client Connect LTD
BS Player ControlBar (powered by the Trovi platform) is a browser toolbar that modifies the web browser's home page, search provider and new tab page by setting them to trovi.com (or a partner website).
BSPlayerControlBarB.OurToolbar.com
About 81% of users remove it
istartsurf uninstall  by Skytech
istartsurf is an advertising-supported (adware) extension that runs in the context of the user's web browser as well as a process in the background.
About 79% of users remove it
Rich Media Player  by Radiocom
This is advertising-supported software per its Terms: "There may be times when You will be directly presented with offers for additional content, software, services, or a combination of any of these things when downloading, installing, using, or updating the Software."
www.richmediaplayer.com
About 65% of users remove it

Powered by Should I Remove It?

The file services.exe has been seen distributed under the following 6 file names (recorded as temporary-file entries, not download URLs).

temp:Arquivos recebidos.exe

temp:racionais 2001.exe

temp:my_video.exe

temp:Data PAMELA.exe

temp:My Musik.exe

temp:stelin.exe

The executing file has been seen to make the following network communications in live environments (all TCP to port 443, HTTPS):

ats.sbs.vip.dc11.lumsb.com  (8.12.146.61)
media-router-fp1.prod.media.vip.bf1.yahoo.com  (98.139.180.180)
ir2.fp.vip.bf1.yahoo.com  (98.139.183.24)
ir1.fp.vip.bf1.yahoo.com  (98.139.180.149)
media-router-fp1.prod.media.vip.ne1.yahoo.com  (98.138.252.38)
ir1.fp.vip.sg3.yahoo.com  (106.10.139.246)
e1-ha.ycpi.bra.yahoo.com  (200.152.162.189)
e1.ycpi.vip.bra.yahoo.com  (200.152.162.135)
e2.ycpi.vip.bra.yahoo.com  (200.152.162.161)

The eight yahoo.com destinations are Yahoo-operated front-end and content hosts that legitimate software on the same machine also reaches, so they are poor indicators on their own; the lumsb.com host is the one destination specific enough to alert on.
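The following Python is an added example, not code from this report or from Reason Core Security: it takes the indicators listed in the hash, persistence and network sections above and matches them against a handful of constructed Sysmon-style records, so the detection logic can be exercised offline. The record layout (field names borrowed from Sysmon's ProcessCreate, RegistryEvent and NetworkConnect events, plus a made-up TaskCreated shape), the sample records, the benign Yahoo and System32 records, and the rule that flags core Windows process names running outside the system directories are all assumptions of the example rather than findings from the report.

```python
"""IOC matcher built from the services.exe report above. Added example, not code
from the report or from any vendor on it; record layout and sample records are
constructed for this example (field names follow Sysmon's event schema)."""
import ntpath

# Indicators copied from the report (digests lower-cased for comparison).
IOC_HASHES = {
    "md5": "483fcf432217d71544246aa760d98cdc",
    "sha1": "591b0ec52ad2a306f1cf8af2fc04125642b1a00b",
    "sha256": "70d98b736c32160617e8e272c2f5b2c10c72789fe40e27ec16f94ffa09394cd7",
}
IOC_RUN_VALUE = "tok-cirrhatus"             # HKCU\...\CurrentVersion\Run value name
IOC_TASK_NAME = "at1"                       # job created through NetScheduleJobAdd
IOC_HOSTS = {"ats.sbs.vip.dc11.lumsb.com"}  # the one non-Yahoo destination
IOC_IPS = {"8.12.146.61"}
# Core Windows process names the sample copies itself under; genuine copies
# only run from the system directories (assumed rule, not from the report).
SYSTEM_NAMES = {"services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def parse_hashes(field):
    """Parse a Sysmon 'Hashes' field ('MD5=..,SHA256=..') into {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            out[algo.strip().lower()] = digest.strip().lower()
    return out

def hash_matches(field):
    """True if any digest in the field equals the report's MD5, SHA-1 or SHA-256."""
    seen = parse_hashes(field)
    return any(seen.get(algo) == digest for algo, digest in IOC_HASHES.items())

def is_masquerading(image):
    """True when a core Windows process name runs from outside the system directories."""
    path = image.lower()
    return ntpath.basename(path) in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS)

def match_event(ev):
    """Return the names of the rules one record triggers (empty list if none)."""
    hits = []
    kind = ev.get("EventType")
    if kind == "ProcessCreate":
        if hash_matches(ev.get("Hashes", "")):
            hits.append("known_hash")
        if is_masquerading(ev.get("Image", "")):
            hits.append("system_name_outside_system32")
    elif kind == "RegistryValueSet":
        target = ev.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in target and target.rsplit("\\", 1)[-1] == IOC_RUN_VALUE:
            hits.append("run_key_tok-cirrhatus")
    elif kind == "TaskCreated":
        if ev.get("TaskName", "").lower().lstrip("\\") == IOC_TASK_NAME:
            hits.append("scheduled_task_at1")
    elif kind == "NetworkConnect":
        if (ev.get("DestinationHostname", "").lower() in IOC_HOSTS
                or ev.get("DestinationIp") in IOC_IPS):
            hits.append("c2_destination")
        if is_masquerading(ev.get("Image", "")):
            hits.append("system_name_outside_system32")
    return hits

def scan(events):
    """Map record index -> matched rule names, for records with at least one hit."""
    findings = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample telemetry (not real logs): four records reproducing the
# report's behaviour, then two benign records that must not fire.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\AppData\Local\services.exe",
     "Hashes": "MD5=483FCF432217D71544246AA760D98CDC,"
               "SHA256=70D98B736C32160617E8E272C2F5B2C10C72789FE40E27EC16F94FFA09394CD7"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus",
     "Details": r"C:\Users\alice\AppData\Local\smss.exe"},
    {"EventType": "TaskCreated", "TaskName": r"\At1"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Users\alice\AppData\Local\services.exe",
     "DestinationHostname": "ats.sbs.vip.dc11.lumsb.com",
     "DestinationIp": "8.12.146.61", "DestinationPort": 443},
    # A Yahoo host from the report, reached by an ordinary browser: no alert.
    {"EventType": "NetworkConnect",
     "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "ir1.fp.vip.bf1.yahoo.com",
     "DestinationIp": "98.139.180.149", "DestinationPort": 443},
    # The genuine Service Control Manager (placeholder digest): no alert.
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\services.exe",
     "Hashes": "MD5=00000000000000000000000000000000"},
]
```

Calling scan(SAMPLE_EVENTS) flags the first four records (hash plus masquerading path, the Tok-Cirrhatus Run value, the At1 task, and the lumsb.com connection) and leaves the Yahoo connection and the real System32 services.exe untouched. The hash and host rules are exact-match and only catch this sample; the masquerading rule is the one that generalises to renamed copies, which is why it is applied to both process-creation and network records.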

Powered by Reason Core Security