lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <037301c4167d$1be14e10$ea2052d1@TREES.local>
From: alexs at indefense.com (Alex)
Subject: New Win32 Worm regsvc32.exe offers rootkit features

Looks like IRC Backdoor
check registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete entry with regsvc32.exe
(such as Registration Service = "regsvc32.exe")
Do the same with HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Alex
----- Original Message ----- 
From: "Markus Koetter" <gumble@....li>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, March 30, 2004 11:29 AM
Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features


> Hi,
> my girlfriend got a new? worm on her win2k desktop.
> The worm is quite aggressive in spreading, netstat -a did not find an
> end, i expect it to be a phatbot/agobot4 fork
> seems like it invaded on port 1025, i dont know which services were
> offerd there, but i saw several connections to port 1025.
> 
> the virus offers rootkit capabilities, file and process hide, kills
> firewalls with specific names, and makes the system unusable after some
> uptime.
> 
> i installed another firewall renamed the bin to "horst.exe" and got
> several connections to
> c:\winnt\services32\regsvc32.exe
> the file did not exists, neither the process in win2ks taskmanager.
> 
> I was not able to remove the virus, so i plugged the machine of the net
> and told her to work offline.
> this worked well for ~4h, then the system became unstable and the floppy
> disk was screaming like a burning pig.
> 
> I took my new knoppix cd 3.4, booted it, and used the live f-prot
> install to scan the system for viruses, the system got the latest
> definitions via web, and scanned ...
> No viruses were found.
> 
> I mounted the hda1 windows partition and send me the "expected to be the
> virus file" on my own computer running linux
> the file is called regscv32.exe and has the 
> md5sum 26a5dbd9add4b16b561cd916675c4439 
> 
> i expect it to be polymorph
> 
> i lack solid skills in disassembler, but i would send this binary to
> fill-disc listed ppl asking for it.
> 
> if i fail in my expectations, and this is a standard win32 binary, tell
> me (i cant check the md5sum myself, i lack a win32 system), and i will
> try to find the right binary again.
> 
> my own conclusion,
> i will install debian unstable on her desktop for working, and win2k for
> printing on her linux incompatible lexmark printer.
> lilo offering 2 entries "write" "print" 
> 
> im sick off this ...
> 
> Markus Koetter
> 
> please mail me for the binary, im really intrested in a analysis report.
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ