service5.exe - Dangerous
Antivirus Report of service5.exe:
W32.HLLW.Gaobot.AG is a minor variant of W32.HLLW.Gaobot.AE.
It attempts to spread to network shares that have weak passwords and allows attackers to access an infected computer through an IRC channel.
Opens a randomly chosen TCP port to connect to the attacker.
Connects to a predefined IRC channel, using its own IRC client, and listens for the special commands from the attacker.
When the worm runs, it allows the attacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:
1. Manage the installation of the worm
2. Dynamically update the installed worm
3. Download and execute files
4. Steal a compromised system's information
5. Send the worm to other IRC users
6. Add accounts for the hacker
Sends data to TCP port 135, which exploits the DCOM RPC vulnerability, or sends data to TCP port 445 to exploit the RPC locator vulnerability.
Probes administrative shares using the following user/password combinations, in addition to the user names found on the remote computer, as determined by the NetUserEnum() API.
Also, performs the following actions:
1. After accessing vulnerable computers, the worm copies and executes itself on the new computers.
2. Steals the CD keys of various games.
3. Inventories the active processes and attempts to terminate any whose name matches a firewall or antivirus process.
4. Attempts to kill all the running processes that other worms have dropped.
5. Can perform the following types of Denial of Service (DoS) attacks: Ping flood, TCP SYN flood, UDP flood.
This worm adds the value:
"MS Security Hotfix"="service5.exe"
to these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Use RegRun Startup Optimizer to automatically remove it from startup.
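To check a machine for the autorun entry described above, the following PowerShell can be used. It is an added example, not part of the original report or of RegRun; the function name Find-AutorunValue is hypothetical, and the value name, data and key paths are the ones listed in this report.

```powershell
# Added example: look for the autorun value this report describes
# ("MS Security Hotfix" = "service5.exe") in the two listed keys.
$valueName = 'MS Security Hotfix'
$fileName  = 'service5.exe'
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Find-AutorunValue is a hypothetical helper name chosen for this example.
function Find-AutorunValue {
    param(
        [string[]]$KeyPaths,
        [string]$Name,
        [string]$Data
    )
    foreach ($path in $KeyPaths) {
        # A listed key may not exist on a given system; skip it quietly.
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $key = Get-Item -LiteralPath $path
        foreach ($n in $key.GetValueNames()) {
            $d = [string]$key.GetValue($n)
            # Flag a match on either the value name or the file name, so a
            # renamed value that still points at the same file is reported.
            $nameHit = $n -ieq $Name
            $dataHit = $d -match [regex]::Escape($Data)
            if ($nameHit -or $dataHit) {
                [pscustomobject]@{
                    Key       = $path
                    ValueName = $n
                    Data      = $d
                    NameMatch = $nameHit
                    DataMatch = $dataHit
                }
            }
        }
    }
}

$hits = Find-AutorunValue -KeyPaths $keys -Name $valueName -Data $fileName
if ($hits) { $hits | Format-Table -AutoSize }
else       { 'No matching autorun value found.' }
```

The script only reads the registry. A hit means the value should be reviewed before anything is deleted.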
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.