Message-ID: <9E97F0997FB84D42B221B9FB203EFA270DC973@dc1ms2.msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: Microsoft Update Loader msrtwd.exe

So rename it to a txt file. Just let everyone know. Or zip it maybe. 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of S.A. Birl
Sent: Thursday, September 02, 2004 9:17 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

(Un)Fortunately, I am not allowed to distribute the exe.

Does anyone know how it infects?


On Sep 1, Harlan Carvey (nospam-keydet89@...oo.com.ns) typed:

FD:   Where in the Registry did you find it?  Which key(s)?
FD:   What about this makes you think it's a Trojan?  Did
FD:   you run fport/openports and find it listening on a
FD:   port?  Where does the Registry entry point to within
FD:   the file system?  Since the file is an .exe file, did
FD:   you check it for version information?
FD:
FD:   Since filenames are the easiest thing about a file to
FD:   change, is there any information other than simply the
FD:   name that you can provide?


There were about 6 Registry entries in the HKLM section.  I don't have the
compromised machine, so I cannot tell you the exact locations.

We ran TCPview on the compromised machine and watched it connect to an
IRC server.




On Sep 1, Todd Towles (nospam-toddtowles@...okshires.com.ns) typed:

FD:   I see one other post about it here..
FD:
FD:    http://www.dslreports.com/forum/remark,10987569~mode=flat
FD:
FD:   Sounds like malware to me. Did you send copies to any AV companies?



That URL is the same one I came across yesterday via Google.

A copy of it has been sent to Symantec.



On Sep 1, Joe Stewart <nospam-jstewart@...hq.com.ns> typed:

FD:   We saw an Rbot variant spreading on August 23 with the same exe
FD:   name. I've also seen other Rbot variants using a similar registry
FD:   key name. Kaspersky does a pretty good job of spotting unknown Rbot
FD:   variants with a generic signature "Backdoor.Rbot.gen".
FD:
FD:   -Joe


http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
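
Editor's added example, not part of the thread above: the triage questions
Harlan Carvey asks (which Registry key, where the entry points on disk,
version information, is it listening or connecting out) as one PowerShell
script. This is not anyone's code from the thread; in 2004 the same checks
were done by hand with regedit, fport and TCPview. Assumptions: the file
name is msrtwd.exe (from the subject); the Registry locations searched are
the usual autostart keys, because the thread never names the six HKLM
entries; Get-NetTCPConnection needs Windows 8 / Server 2012 or later; run
it in an elevated session on the suspect machine.

```powershell
# Added example: triage a suspicious executable by name.  Assumed: the
# autostart keys below (the thread does not give the real locations) and
# a modern Windows with Get-NetTCPConnection.  Run elevated.
param([string]$Name = 'msrtwd.exe')

# Common autostart locations (assumed; the post gives no exact keys).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Which key(s)?  Any value whose data mentions the file name.
$hits = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not data
        if ("$($p.Value)" -match [regex]::Escape($Name)) {
            [pscustomobject]@{ Key = $key; ValueName = $p.Name; Data = $p.Value }
        }
    }
}

# Services are another common persistence point: check each ImagePath.
$svcHits = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ("$ip" -match [regex]::Escape($Name)) {
            [pscustomobject]@{ Key = $_.PSPath; ValueName = 'ImagePath'; Data = $ip }
        }
    }

$allHits = @($hits) + @($svcHits)
$allHits | Format-Table -AutoSize

# 2. Where does each entry point in the file system?  Extract the path from
#    the value data, dropping surrounding quotes and trailing arguments.
$paths = $allHits | ForEach-Object {
    $m = [regex]::Match("$($_.Data)", '"?([^"]*' + [regex]::Escape($Name) + ')"?')
    if ($m.Success) { [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) }
} | Sort-Object -Unique

# 3. The name is the easiest thing to change, so record what is harder to
#    fake: size, timestamps, hash, version resource, Authenticode status.
foreach ($path in $paths) {
    if (-not (Test-Path $path)) { "$path : referenced in Registry but not on disk"; continue }
    $fi  = Get-Item $path
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    [pscustomobject]@{
        Path        = $path
        SizeBytes   = $fi.Length
        Created     = $fi.CreationTime
        Modified    = $fi.LastWriteTime
        SHA256      = (Get-FileHash -Algorithm SHA256 $path).Hash
        Company     = $ver.CompanyName
        Description = $ver.FileDescription
        Version     = $ver.FileVersion
        Signature   = (Get-AuthenticodeSignature $path).Status
    } | Format-List
}

# 4. Listening or connecting out?  The fport / TCPview check: every TCP
#    endpoint owned by a running process with this image name.
$procs = Get-Process | Where-Object { $_.Path -and (Split-Path $_.Path -Leaf) -ieq $Name }
foreach ($proc in $procs) {
    Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
        Select-Object @{n='PID';e={$proc.Id}}, LocalAddress, LocalPort,
                      RemoteAddress, RemotePort, State |
        Format-Table -AutoSize
}
```

Step 4 is what TCPview showed the original poster: an established outbound
connection is the IRC control channel, and its remote address and port are
the indicators worth keeping. Step 3's hash and version resource are what
to send to an AV vendor or a multi-engine scanner, since the file name
alone (as the thread notes) proves nothing.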

