Message-ID: <014d01c416a1$49483070$0300000a@Accenture.com>
From: eflorio at edmaster.it (Elia Florio)
Subject: New Win32 Worm regsvc32.exe offers rootkit features

Hi list,
my Symantec AV Corporate Edition v 8.00.9374
with Scan Engine 4.1.0.15 and the latest updates (28/3/2004 rev. 50)
does not find any worm or virus in your file (regsvc32.exe).
Maybe a new worm, or a modified old one.

The file tries to impersonate the real "\WINDOWS\SYSTEM32\regsvr32.exe"
with a fake name, but is in fact a worm compressed with ASPack 2.12.
If you look at the import table, the worm seems to use
"NetShareEnum", "ShellExecuteA" and the winsock API from Windows.

I think it's not a full rootkit as you say, but it may contain some stealth
code, because it imports "EnumProcessModules" from psapi.dll, which is used
to list the Windows process list.

EF

----- Original Message ----- 
From: "Markus Koetter" <gumble@....li>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, March 30, 2004 6:29 PM
Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit
features


> Hi,
> my girlfriend got a new? worm on her win2k desktop.
> The worm is quite aggressive in spreading; netstat -a did not find an
> end. I expect it to be a phatbot/agobot4 fork.
> It seems like it invaded on port 1025. I don't know which services were
> offered there, but I saw several connections to port 1025.
>
> the virus offers rootkit capabilities, file and process hide, kills
> firewalls with specific names, and makes the system unusable after some
> uptime.
>
> I installed another firewall, renamed the binary to "horst.exe", and got
> several connections to
> c:\winnt\services32\regsvc32.exe
> The file did not exist, nor did the process in win2k's Task Manager.
>
> I was not able to remove the virus, so I unplugged the machine from the net
> and told her to work offline.
> This worked well for ~4h, then the system became unstable and the floppy
> disk was screaming like a burning pig.
>
> I took my new Knoppix 3.4 CD, booted it, and used the live F-Prot
> install to scan the system for viruses; it got the latest
> definitions via the web, and scanned ...
> No viruses were found.
>
> I mounted the hda1 Windows partition and sent myself the "expected to be the
> virus" file on my own computer running Linux.
> The file is called regscv32.exe and has the
> md5sum 26a5dbd9add4b16b561cd916675c4439
>
> I expect it to be polymorphic.
>
> I lack solid disassembler skills, but I would send this binary to
> Full-Disclosure list people asking for it.
>
> If I fail in my expectations, and this is a standard win32 binary, tell
> me (I can't check the md5sum myself, I lack a win32 system), and I will
> try to find the right binary again.
>
> My own conclusion:
> I will install Debian unstable on her desktop for working, and win2k for
> printing on her Linux-incompatible Lexmark printer,
> with lilo offering 2 entries, "write" and "print".
>
> I'm sick of this ...
>
> Markus Koetter
>
> Please mail me for the binary, I'm really interested in an analysis report.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
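The import-table check Elia describes above (NetShareEnum, ShellExecuteA, the winsock API, EnumProcessModules from psapi.dll), worked through as an added example that is not code from either poster: a small PE32/PE32+ import-directory parser in Python, plus a triage list that flags the imports named in the thread. The in-memory PE fixture, the hint lists and the reasons attached to each API are assumptions for illustration, not a signature for this or any other sample. One caveat a practitioner should keep in mind: a file that is still compressed with a packer such as ASPack usually exposes only a small stub import table and resolves the real imports at run time, so the check is most informative on an unpacked dump.

```python
import struct

SECTION_VA, SECTION_RAW = 0x1000, 0x200  # where the synthetic sample's one section lives (RVA, file offset)


def build_minimal_pe(imports):
    """Build a tiny PE32 whose single section holds only an import directory (constructed fixture)."""
    blob = bytearray(20 * (len(imports) + 1))  # IMAGE_IMPORT_DESCRIPTOR array + null terminator
    descs = []
    for dll, funcs in imports.items():
        name_rva = SECTION_VA + len(blob)
        blob += dll.encode() + b"\0" + b"\0" * (-(len(dll) + 1) % 4)
        hints = []
        for f in funcs:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, name, NUL, kept even-aligned
            hints.append(SECTION_VA + len(blob))
            blob += b"\0\0" + f.encode() + b"\0" + b"\0" * ((len(f) + 1) % 2)
        blob += b"\0" * (-len(blob) % 4)
        ilt_rva = SECTION_VA + len(blob)  # import lookup table: one RVA per entry, null-terminated
        blob += b"".join(struct.pack("<I", r) for r in hints) + b"\0\0\0\0"
        descs.append((ilt_rva, 0, 0, name_rva, ilt_rva))  # OriginalFirstThunk == FirstThunk here
    for i, d in enumerate(descs):
        struct.pack_into("<5I", blob, 20 * i, *d)
    dos = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECTION_VA, 20 * (len(imports) + 1))  # DataDirectory[1]
    raw = -(-len(blob) // 0x200) * 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(blob), SECTION_VA, raw, SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + coff + bytes(opt) + sect
    return hdr.ljust(SECTION_RAW, b"\0") + bytes(blob).ljust(raw, b"\0")


def parse_imports(data):
    """Return {dll: [imported names]} from a PE32 or PE32+ import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte thunks, ordinal flag in bit 31, DataDirectory at +96
        dd, tfmt, ordflag = 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: 8-byte thunks, ordinal flag in bit 63, DataDirectory at +112
        dd, tfmt, ordflag = 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    imp_rva = struct.unpack_from("<I", data, opt + dd + 8)[0]  # DataDirectory[1] = imports
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]

    def rva2off(rva):  # RVA -> file offset through the section table; bogus RVAs fail loudly
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    result, tsize = {}, struct.calcsize(tfmt)
    off = rva2off(imp_rva) if imp_rva else None
    while off is not None:
        oft, _stamp, _chain, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:  # an all-zero descriptor ends the array
            break
        thunk, funcs = rva2off(oft or ft), []  # ILT preferred; a rebuilt/packed file may only keep the IAT
        while (entry := struct.unpack_from(tfmt, data, thunk)[0]) != 0:
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & ordflag else cstr(rva2off(entry) + 2))
            thunk += tsize
        result[cstr(rva2off(name_rva))] = funcs
        off += 20
    return result


# Triage hints taken from the APIs named in the thread (assumption: a prioritisation list, not a signature).
SUSPECT_FUNCS = {"NetShareEnum": "enumerates network shares (share-hopping spread)",
                 "ShellExecuteA": "launches files or programs",
                 "EnumProcessModules": "walks the modules of other processes (process inspection)"}
SUSPECT_DLLS = {"ws2_32.dll": "winsock networking", "wsock32.dll": "winsock networking"}


def triage_imports(imports):
    """Return (dll, function, reason) for each import that is on the hint lists."""
    hits = []
    for dll, funcs in imports.items():
        if dll.lower() in SUSPECT_DLLS:
            hits.append((dll, "*", SUSPECT_DLLS[dll.lower()]))
        hits += [(dll, f, SUSPECT_FUNCS[f]) for f in funcs if f in SUSPECT_FUNCS]
    return hits


# Constructed fixture mirroring the imports named in the reply; it is not the real regsvc32.exe.
SAMPLE = build_minimal_pe({"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"], "NETAPI32.dll": ["NetShareEnum"],
                           "SHELL32.dll": ["ShellExecuteA"], "PSAPI.DLL": ["EnumProcessModules"], "WS2_32.dll": ["connect"]})

if __name__ == "__main__":
    for dll, func, why in triage_imports(parse_imports(SAMPLE)):
        print(f"{dll}!{func}: {why}")
```

To use it on a real file, pass `open(path, "rb").read()` to `parse_imports` instead of `SAMPLE`; `rva2off` raises on RVAs that point outside every section, which is itself a useful signal on a damaged or deliberately malformed header.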

