Message-ID: <014d01c416a1$49483070$0300000a@Accenture.com>
From: eflorio at edmaster.it (Elia Florio)
Subject: New Win32 Worm regsvc32.exe offers rootkit features

Hi list,

my Symantec AV Corporate Edition v 8.00.9374 with Scan Engine 4.1.0.15 and
the latest updates (28/3/2004 rev. 50) does not find any worm or virus in
your file (regsvc32.exe). Maybe a new worm or a modified old worm.

The file tries to impersonate the real "\WINDOWS\SYSTEM32\regsvr32.exe" with
a fake name, but instead is a worm compressed with ASPack 2.12. If you look
at the import table, the worm seems to use "NetShareEnum", "ShellExecuteA"
and the winsock API from Windows.

I think it's not a full rootkit as you say, but maybe it contains some
stealth code, because it imports "EnumProcessModules" from psapi.dll, used
to list the Windows process list.

EF

----- Original Message -----
From: "Markus Koetter" <gumble@....li>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, March 30, 2004 6:29 PM
Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

> Hi,
> my girlfriend got a new? worm on her win2k desktop.
> The worm is quite aggressive in spreading, netstat -a did not find an
> end, I expect it to be a phatbot/agobot4 fork.
> It seems like it invaded on port 1025, I don't know which services were
> offered there, but I saw several connections to port 1025.
>
> The virus offers rootkit capabilities, file and process hide, kills
> firewalls with specific names, and makes the system unusable after some
> uptime.
>
> I installed another firewall, renamed the bin to "horst.exe" and got
> several connections to
> c:\winnt\services32\regsvc32.exe
> The file did not exist, neither the process in win2k's taskmanager.
>
> I was not able to remove the virus, so I plugged the machine off the net
> and told her to work offline.
> This worked well for ~4h, then the system became unstable and the floppy
> disk was screaming like a burning pig.
>
> I took my new knoppix cd 3.4, booted it, and used the live f-prot
> install to scan the system for viruses; the system got the latest
> definitions via web, and scanned ...
> No viruses were found.
>
> I mounted the hda1 windows partition and sent me the "expected to be the
> virus file" on my own computer running linux.
> The file is called regscv32.exe and has the
> md5sum 26a5dbd9add4b16b561cd916675c4439
>
> I expect it to be polymorph.
>
> I lack solid skills in disassembler, but I would send this binary to
> full-disc listed ppl asking for it.
>
> If I fail in my expectations, and this is a standard win32 binary, tell
> me (I can't check the md5sum myself, I lack a win32 system), and I will
> try to find the right binary again.
>
> My own conclusion:
> I will install debian unstable on her desktop for working, and win2k for
> printing on her linux incompatible lexmark printer.
> lilo offering 2 entries "write" "print"
>
> I'm sick of this ...
>
> Markus Koetter
>
> Please mail me for the binary, I'm really interested in an analysis report.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
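The triage both posters do by hand (compare the md5sum, notice that "regsvc32.exe" is one letter away from the real "regsvr32.exe", check the directory, look for the imported API names and the ASPack packer) can be scripted for a sample copied off a mounted partition. The following is an added example written for this archive page, not code from either poster. The MD5 is the one Markus reported; the list of legitimate system binary names, the packer section-name markers, the API list and the edit-distance threshold are assumptions chosen for the example, and the sample bytes are constructed, not the real file.

```python
"""Offline first-pass triage for a suspected impostor of a Windows system binary.

Added example (stdlib only). It does not unpack anything; it only records the
cheap signals a responder can check before sending a sample onward.
"""
import hashlib
from pathlib import PureWindowsPath

# MD5 reported in the thread for the suspected file.
REPORTED_MD5 = "26a5dbd9add4b16b561cd916675c4439"

# Assumption: a small set of real system binaries that impostors commonly mimic
# with a one- or two-character name change.
LEGIT_SYSTEM_BINARIES = {"regsvr32.exe", "svchost.exe", "lsass.exe",
                         "services.exe", "explorer.exe"}
LEGIT_SYSTEM_DIR = "system32"

# Assumption: API names worth noting in a file that claims to be regsvr32
# (the first three are the ones named in the reply above).
SUSPICIOUS_APIS = [b"NetShareEnum", b"ShellExecuteA", b"EnumProcessModules",
                   b"WSAStartup", b"socket", b"connect"]

# Assumption: section names an ASPack-packed PE typically carries.
ASPACK_MARKERS = [b".aspack", b".adata"]

NAME_DISTANCE_THRESHOLD = 2  # assumption: how close a name must be to count


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 of the sample, for comparison with a hash reported by someone else."""
    return hashlib.md5(data).hexdigest()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(file_name: str):
    """Return the legitimate binary name this file name imitates, or None.

    An exact match is not a lookalike; a name within the threshold is.
    """
    name = file_name.lower()
    if name in LEGIT_SYSTEM_BINARIES:
        return None
    best = min(LEGIT_SYSTEM_BINARIES, key=lambda legit: edit_distance(name, legit))
    return best if edit_distance(name, best) <= NAME_DISTANCE_THRESHOLD else None


def find_strings(data: bytes, needles) -> list:
    """Which of the needle strings occur anywhere in the raw file bytes."""
    return [n.decode() for n in needles if n in data]


def triage(windows_path: str, data: bytes) -> dict:
    """Combine the cheap checks into one report for the given sample."""
    path = PureWindowsPath(windows_path)
    digest = md5_of_bytes(data)
    return {
        "md5": digest,
        "matches_reported_md5": digest == REPORTED_MD5,
        "lookalike": lookalike_of(path.name),
        "outside_system32": path.parent.name.lower() != LEGIT_SYSTEM_DIR,
        "apis": find_strings(data, SUSPICIOUS_APIS),
        "packer_markers": find_strings(data, ASPACK_MARKERS),
        "is_pe": data[:2] == b"MZ",
    }


# Constructed stand-in for the sample: a fake MZ/PE header followed by the
# section names and API names the thread mentions. Not the real file.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
          + b".aspack\x00.adata\x00"
          + b"NetShareEnum\x00ShellExecuteA\x00EnumProcessModules\x00WSAStartup\x00")

if __name__ == "__main__":
    report = triage(r"c:\winnt\services32\regsvc32.exe", SAMPLE)
    for key, value in report.items():
        print(f"{key:>22}: {value}")
```

On a real packed sample the on-disk import table usually lists only the packer stub's imports, so the API names may not appear in the raw bytes until the file is unpacked; a negative `apis` result therefore means little, while a positive one is cheap evidence. The MD5 comparison only tells you whether you have the same bytes someone else reported, which is why the name, directory and packer checks are run alongside it.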