[Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features
From: Markus Koetter (gumble_at_gmx.li)
Date: 03/30/04
- Previous message: Clayton Kossmeyer: "Re: Addressing Cisco Security Issues"
- Next in thread: Raymond Dijkxhoorn: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: Raymond Dijkxhoorn: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: Alex: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: Elia Florio: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: K.Seyhan: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: full-disclosure@lists.netsys.com Date: Tue, 30 Mar 2004 18:29:29 +0200
Hi,
my girlfriend got a new? worm on her win2k desktop.
The worm is quite aggressive in spreading, netstat -a did not find an
end, i expect it to be a phatbot/agobot4 fork
seems like it invaded on port 1025, i dont know which services were
offerd there, but i saw several connections to port 1025.
the virus offers rootkit capabilities, file and process hide, kills
firewalls with specific names, and makes the system unusable after some
uptime.
i installed another firewall renamed the bin to "horst.exe" and got
several connections to
c:\winnt\services32\regsvc32.exe
the file did not exists, neither the process in win2ks taskmanager.
I was not able to remove the virus, so i plugged the machine of the net
and told her to work offline.
this worked well for ~4h, then the system became unstable and the floppy
disk was screaming like a burning pig.
I took my new knoppix cd 3.4, booted it, and used the live f-prot
install to scan the system for viruses, the system got the latest
definitions via web, and scanned ...
No viruses were found.
I mounted the hda1 windows partition and send me the "expected to be the
virus file" on my own computer running linux
the file is called regscv32.exe and has the
md5sum 26a5dbd9add4b16b561cd916675c4439
i expect it to be polymorph
i lack solid skills in disassembler, but i would send this binary to
fill-disc listed ppl asking for it.
if i fail in my expectations, and this is a standard win32 binary, tell
me (i cant check the md5sum myself, i lack a win32 system), and i will
try to find the right binary again.
my own conclusion,
i will install debian unstable on her desktop for working, and win2k for
printing on her linux incompatible lexmark printer.
lilo offering 2 entries "write" "print"
im sick off this ...
Markus Koetter
please mail me for the binary, im really intrested in a analysis report.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Clayton Kossmeyer: "Re: Addressing Cisco Security Issues"
- Next in thread: Raymond Dijkxhoorn: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: Raymond Dijkxhoorn: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: Alex: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: Elia Florio: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Reply: K.Seyhan: "Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
