W32.Servese


Aliases: Win32.HLLC.Servese, W32/Servese.ow, Win32.HLLC.Servese.23552, W32/HLLC-Serves, Win32/Servese.A@mm
Variants: PE_SERVESE.A, W32/HLLW.23552, Win32:Servese, Win32/HLLW.Servese, Win32.HLLC.Servese

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 14 Feb 2002
Damage: High

Characteristics: W32.Servese overwrites executable files with itself when they are opened. It makes a duplicate of the original file before overwriting it. The duplicates have the same file name as the originals but with the .dll extension.

More details about W32.Servese

When the W32.Servese virus is opened, it creates a copy of itself as “\Windows\Services.exe”, adds the value “Explorer Services.exe”, and then closes. While W32.Servese is running and an executable file is opened, the virus tries to create a duplicate of that executable file. The duplicate has the same file name as the original, but with the .dll extension. The virus then overwrites the .exe file with itself. The W32.Servese virus may exploit security flaws of the computer. In particular, it may disable antivirus and firewall applications. It hides its own processes, files and registry changes using a kernel-mode rootkit. It may also install backdoor applications on the infected computer. These backdoor applications may be used by other worm programs to gain entry to the computer system.

W32.Servese overwrites executable files with itself when they are run. It makes a duplicate of the original file before it changes it. The duplicates have the same file name as the originals but with the “.dll” extension. When this virus is opened, it creates a duplicate of itself as “\Windows\Services.exe”. It then adds the value “Explorer Services.exe” to the registry key and closes. While the virus is running as a program and an .exe file is opened, it tries to make a duplicate of that .exe file. The duplicate has the same file name as the original, but with the “.dll” extension. The virus then overwrites the .exe file with itself.
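The overwrite-and-rename behaviour described above leaves a recognisable artifact on disk, and the following added example (not part of the original entry) is a triage sketch that looks for it: several byte-identical .exe files, each with a same-named .dll that is really an executable image. The function names are hypothetical, and it assumes that overwritten files are byte-identical copies of the virus body and that the preserved originals are PE images without the DLL flag.

```python
import hashlib
import struct
import tempfile
from collections import defaultdict
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on genuine DLLs


def pe_is_dll(path):
    """True/False for a PE image's DLL flag; None if the file is not PE."""
    with open(path, "rb") as fh:
        data = fh.read(4096)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return bool(struct.unpack_from("<H", data, e_lfanew + 22)[0] & IMAGE_FILE_DLL)


def find_overwrite_pairs(root):
    """Map sha256 -> [(exe, dll)] where 2+ .exe files are byte-identical and
    each has a same-named .dll that is really an executable image."""
    groups = defaultdict(list)
    for exe in Path(root).rglob("*"):
        if exe.suffix.lower() != ".exe" or not exe.is_file():
            continue
        dll = exe.with_suffix(".dll")
        if dll.is_file() and pe_is_dll(dll) is False:  # PE without the DLL flag
            groups[hashlib.sha256(exe.read_bytes()).hexdigest()].append((exe, dll))
    return {h: sorted(p) for h, p in groups.items() if len(p) >= 2}


def make_pe(is_dll, body=b""):
    """Constructed sample: minimal MZ/PE header stub, not a loadable binary."""
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2002 if is_dll else 2)
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + body


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name in ("calc", "notepad"):  # two programs replaced by one body
            Path(d, name + ".exe").write_bytes(make_pe(False, b"same-body"))
            Path(d, name + ".dll").write_bytes(make_pe(False, name.encode()))
        Path(d, "clean.exe").write_bytes(make_pe(False, b"clean"))
        Path(d, "clean.dll").write_bytes(make_pe(True, b"real library"))
        for digest, pairs in find_overwrite_pairs(d).items():
            print(digest[:12], [(e.name, l.name) for e, l in pairs])
```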