| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: alexs at indefense.com (Alex) Subject: New Win32 Worm regsvc32.exe offers rootkit features Looks like IRC Backdoor check registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete entry with regsvc32.exe (such as Registration Service = "regsvc32.exe") Do the same with HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Alex ----- Original Message ----- From: "Markus Koetter" <gumble@....li> To: <full-disclosure@...ts.netsys.com> Sent: Tuesday, March 30, 2004 11:29 AM Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features > Hi, > my girlfriend got a new? worm on her win2k desktop. > The worm is quite aggressive in spreading, netstat -a did not find an > end, i expect it to be a phatbot/agobot4 fork > seems like it invaded on port 1025, i dont know which services were > offerd there, but i saw several connections to port 1025. > > the virus offers rootkit capabilities, file and process hide, kills > firewalls with specific names, and makes the system unusable after some > uptime. > > i installed another firewall renamed the bin to "horst.exe" and got > several connections to > c:\winnt\services32\regsvc32.exe > the file did not exists, neither the process in win2ks taskmanager. > > I was not able to remove the virus, so i plugged the machine of the net > and told her to work offline. > this worked well for ~4h, then the system became unstable and the floppy > disk was screaming like a burning pig. > > I took my new knoppix cd 3.4, booted it, and used the live f-prot > install to scan the system for viruses, the system got the latest > definitions via web, and scanned ... > No viruses were found. > > I mounted the hda1 windows partition and send me the "expected to be the > virus file" on my own computer running linux > the file is called regscv32.exe and has the > md5sum 26a5dbd9add4b16b561cd916675c4439 > > i expect it to be polymorph > > i lack solid skills in disassembler, but i would send this binary to > fill-disc listed ppl asking for it. > > if i fail in my expectations, and this is a standard win32 binary, tell > me (i cant check the md5sum myself, i lack a win32 system), and i will > try to find the right binary again. > > my own conclusion, > i will install debian unstable on her desktop for working, and win2k for > printing on her linux incompatible lexmark printer. > lilo offering 2 entries "write" "print" > > im sick off this ... > > Markus Koetter > > please mail me for the binary, im really intrested in a analysis report. > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists