Elko Tchernev
Last week I needed remote execution on several computers, and in
trying out different programs, I ran Beyond Logic's BeyondExec (similar
to PsExec). After I was done, I restored the McAfee VirusScan settings
to deny access to remote administration programs. However, I didn't
bother deleting the server part rexesvr.exe from \WINDOWS\system32.
Since then, every morning at 6am, McAfee denies two accesses to
rexesvr.exe by wmiprvse.exe from user NT AUTHORITY\NETWORK SERVICE.
What could the source of these accesses be? Is it a virus/trojan
probing to access the computer? Or could it be that Network Service
remembers every component it has used and tries regularly to check on
them? Either one doesn't seem very plausible to me - could there be some
other explanation? Any ideas how to isolate the cause of these accesses?
Here are the relevant log entries of McAfee:
08.9.2007 ?. 06:00:04 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
08.9.2007 ?. 06:00:20 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
09.9.2007 ?. 06:00:41 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
09.9.2007 ?. 06:01:08 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
10.9.2007 ?. 06:00:15 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
10.9.2007 ?. 06:00:34 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
11.9.2007 ?. 06:06:59 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
11.9.2007 ?. 06:07:19 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
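The log excerpt above has the shape of a scheduled job rather than of someone probing from outside: the same account, the same process and the same target, two hits per day, all within a few minutes of 06:00. The script below is an added example, not part of the post, that parses McAfee access-protection lines in this format and flags (user, process, target) triples that recur on several distinct days inside a narrow time-of-day window, which is the first thing to establish before looking for the task or WMI consumer that fires at that time. The field order (date, locale date token, time, action, user, process, target, detection name) is assumed from the post's lines; the eight post entries are joined onto single lines, and the ninth line is a constructed non-recurring event so the filter has something to reject.

```python
"""Flag daily-recurring access-protection events in a McAfee-style log.

Added example for the post above; the line format is inferred from the
eight entries quoted there and the ninth sample line is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Sample input: the post's eight entries (each wrapped entry joined onto one
# line) plus one constructed, non-recurring event. "?." is the locale's
# date suffix exactly as it appeared in the post.
SAMPLE_LOG = r"""
08.9.2007 ?. 06:00:04 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
08.9.2007 ?. 06:00:20 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
09.9.2007 ?. 06:00:41 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
09.9.2007 ?. 06:01:08 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
10.9.2007 ?. 06:00:15 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
10.9.2007 ?. 06:00:34 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
11.9.2007 ?. 06:06:59 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
11.9.2007 ?. 06:07:19 No Action Taken NT AUTHORITY\NETWORK SERVICE wmiprvse.exe C:\WINDOWS\system32\rexesvr.exe RemAdm-BERS (Remote Admin Tool)
12.9.2007 ?. 14:23:11 No Action Taken WORKSTATION\user1 explorer.exe C:\Temp\example.exe RemAdm-EXAMPLE (constructed sample)
"""

# Assumed field order: date, locale token, time, action (may contain spaces),
# user (DOMAIN\name or "NT AUTHORITY\name"), process, target path, detection.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}\.\d{1,2}\.\d{4}) \S+ (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>.+?) (?P<user>(?:NT AUTHORITY|[^\s\\]+)\\.+?) "
    r"(?P<process>\S+\.exe) (?P<target>\S+) (?P<detection>.+)$"
)


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    action: str
    user: str
    process: str
    target: str
    detection: str


def parse_log(text: str) -> list[Event]:
    """Parse every non-empty line; raise on a line that does not fit the format."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        d = m.groupdict()
        # %d/%m accept non-zero-padded day and month ("08.9.2007").
        ts = datetime.strptime(f"{d['date']} {d['time']}", "%d.%m.%Y %H:%M:%S")
        events.append(Event(ts, d["action"], d["user"], d["process"],
                            d["target"], d["detection"]))
    return events


def _seconds_of_day(ts: datetime) -> int:
    return ts.hour * 3600 + ts.minute * 60 + ts.second


def _hms(seconds: int) -> str:
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def find_recurring(events: list[Event], min_days: int = 3,
                   window_seconds: int = 900) -> dict:
    """Return (user, process, target) triples seen on >= min_days distinct days
    whose time-of-day values all fall inside window_seconds of each other.
    The window is measured within one calendar day, so a job that straddles
    midnight will not be grouped by this simple check."""
    by_key: dict[tuple, list[datetime]] = defaultdict(list)
    for e in events:
        by_key[(e.user, e.process, e.target)].append(e.timestamp)

    recurring = {}
    for key, stamps in by_key.items():
        days = {t.date() for t in stamps}
        secs = [_seconds_of_day(t) for t in stamps]
        spread = max(secs) - min(secs)
        if len(days) >= min_days and spread <= window_seconds:
            recurring[key] = {
                "days": len(days),
                "events_per_day": len(stamps) / len(days),
                "typical_time": _hms(int(median(secs))),
                "spread_seconds": spread,
            }
    return recurring


if __name__ == "__main__":
    for (user, proc, target), info in find_recurring(parse_log(SAMPLE_LOG)).items():
        print(f"{proc} as {user} -> {target}: {info['days']} days, "
              f"~{info['events_per_day']:.0f}/day around {info['typical_time']} "
              f"(spread {info['spread_seconds']} s)")
```

Run as-is it reports only the wmiprvse.exe / rexesvr.exe pair, clustered around 06:00 on four days; the constructed afternoon event is rejected because it occurs on a single day. Once a triple is flagged this way, the time it fires is the pivot for checking what is scheduled on the machine at that hour, and the matching action ("No Action Taken") confirms the rule only logged the access rather than blocking it.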