strange windows services

pimp
(@pimp)
Active Member
Joined: 11 years ago
Posts: 18
Topic starter  

I have found the following registry keys in a PC with Windows XP SP3

Mon Nov 11 073828 2013 (UTC)
LEGACY_OWEYQUWJMXOM
LEGACY_OWEYQUWJMXOM\0000 - oweyquwjmxom
Mon Dec 2 111033 2013 (UTC)
LEGACY_AWLCYAOB\0000 - awlcyaob
Tue Sep 3 074013 2013 (UTC)
LEGACY_LMBRLLNNYCEB
LEGACY_LMBRLLNNYCEB\0000 - lmbrllnnyceb
Tue Aug 13 114823 2013 (UTC)
LEGACY_DPXFELBTDPRE
LEGACY_DPXFELBTDPRE\0000 - dpxfelbtdpre
Thu Aug 8 130205 2013 (UTC)
LEGACY_76855728
LEGACY_76855728\0000 - 76855728
Thu Aug 8 130015 2013 (UTC)
LEGACY_SDTHOOK
Thu Aug 8 125949 2013 (UTC)
LEGACY_MVORDQVWSCHF
LEGACY_MVORDQVWSCHF\0000 - mvordqvwschf
Wed Aug 14 110816 2013 (UTC)
LEGACY_37608189
LEGACY_37608189\0000 - 37608189
Thu Aug 8 130015 2013 (UTC)
LEGACY_SDTHOOK
Thu Aug 8 125949 2013 (UTC)
LEGACY_MVORDQVWSCHF
LEGACY_MVORDQVWSCHF\0000 - mvordqvwschf

I know that when anti-rootkit software or a Sysinternals tool (anti-rootkit) is executed, it creates keys like these. These services are not in the registry (I mean there aren't keys in HKLM\System\CurrentControlSet\Services). On the other hand, someone told me that meterpreter creates a random service and it has a name like these. Is it possible to know for certain if one of these keys is from meterpreter or from any tool? Is it possible to know more about which services created them?

Best Regards and thanks in advance.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Perhaps if you created a timeline to see what else may have happened around the same time, you may be able to add some context to the data that you posted.


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

On the other hand someone told me that meterpreter creates a random service and it has a name like these. Is possible to know certainly if one of these keys are from meterpreter or from any tool?

Not on the basis that you cite. But set up an XP system that you can exploit using meterpreter, and see what traces it leaves.

Or … look through the meterpreter or associated software for any use of 'LEGACY_' in registry names, and if it adds 12 extra characters at the end of that string. While it won't clinch the issue, it could indicate that further experiments are warranted.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Or … look through the meterpreter or associated software for any use of 'LEGACY_' in registry names, and if it adds 12 extra characters at the end of that string. While it won't clinch the issue, it could indicate that further experiments are warranted.

The "LEGACY_" key names are not the result of meterpreter or other software…they're an artifact generated by XP/2003 when a Windows service is first (and last) launched.


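An added example, written for this thread and not code from any of the posters: a small Python script that parses the RegRipper-style Enum\Root listing quoted in the first post (the "Day Mon DD HHMMSS YYYY (UTC)" timestamp shape is assumed from that post) and groups the LEGACY_ keys by first-launch time, which is the timeline context keydet89 suggests. In the sample, the three Aug 8 keys fall within about three minutes of each other while the rest stand alone.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the RegRipper-style Enum\Root output quoted
# in the first post (timestamps in the "Day Mon DD HHMMSS YYYY (UTC)" form).
SAMPLE = """\
Mon Nov 11 073828 2013 (UTC)
LEGACY_OWEYQUWJMXOM
LEGACY_OWEYQUWJMXOM\\0000 - oweyquwjmxom
Mon Dec 2 111033 2013 (UTC)
LEGACY_AWLCYAOB\\0000 - awlcyaob
Thu Aug 8 130205 2013 (UTC)
LEGACY_76855728
Thu Aug 8 130015 2013 (UTC)
LEGACY_SDTHOOK
Thu Aug 8 125949 2013 (UTC)
LEGACY_MVORDQVWSCHF
Wed Aug 14 110816 2013 (UTC)
LEGACY_37608189
"""

TS_RE = re.compile(r"^\w{3} (\w{3}) +(\d{1,2}) (\d{6}) (\d{4}) \(UTC\)$")
KEY_RE = re.compile(r"^LEGACY_([A-Z0-9]+)")

def parse(text):
    """Return (first-launch time in UTC, service name) pairs, oldest first, one per key."""
    found, stamp = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = TS_RE.match(line)
        if m:  # a timestamp line applies to the key lines that follow it
            mon, day, hms, year = m.groups()
            stamp = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H%M%S")
            continue
        k = KEY_RE.match(line)
        if k and stamp is not None:
            found.setdefault(k.group(1), stamp)  # the \0000 subkey repeats the name
    return sorted((t, n) for n, t in found.items())

def clusters(entries, window_minutes=5):
    """Group keys whose first-launch times fall within window_minutes of the
    previous entry: a burst of new service names is the context to timeline."""
    groups = []
    for stamp, name in entries:
        if groups and (stamp - groups[-1][-1][0]).total_seconds() <= window_minutes * 60:
            groups[-1].append((stamp, name))
        else:
            groups.append([(stamp, name)])
    return [[name for _, name in g] for g in groups]
```

Run the parser over the full Enum\Root listing from the post and compare each cluster against other timeline sources (event logs, prefetch, file system times) for the same minutes; the key names alone, as the thread notes, prove nothing.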