Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

From: Alex (alexs_at_indefense.com)
Date: 03/30/04

    To: <full-disclosure@lists.netsys.com>
    Date: Tue, 30 Mar 2004 12:33:25 -0500

    Looks like an IRC backdoor.
    Check the registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry with regsvc32.exe
    (such as Registration Service = "regsvc32.exe").
    Do the same with HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.

    Alex
    ----- Original Message -----
    From: "Markus Koetter" <gumble@gmx.li>
    To: <full-disclosure@lists.netsys.com>
    Sent: Tuesday, March 30, 2004 11:29 AM
    Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

    > Hi,
    > My girlfriend got a new(?) worm on her Win2k desktop.
    > The worm is quite aggressive in spreading; netstat -a did not find an
    > end. I expect it to be a phatbot/agobot4 fork.
    > It seems like it invaded on port 1025. I don't know which services were
    > offered there, but I saw several connections to port 1025.
    >
    > The virus offers rootkit capabilities (file and process hiding), kills
    > firewalls with specific names, and makes the system unusable after some
    > uptime.
    >
    > I installed another firewall, renamed the bin to "horst.exe", and got
    > several connections to
    > c:\winnt\services32\regsvc32.exe
    > The file did not exist, nor did the process in Win2k's task manager.
    >
    > I was not able to remove the virus, so I unplugged the machine from the net
    > and told her to work offline.
    > This worked well for ~4h, then the system became unstable and the floppy
    > disk was screaming like a burning pig.
    >
    > I took my new Knoppix 3.4 CD, booted it, and used the live F-Prot
    > install to scan the system for viruses; the system got the latest
    > definitions via the web, and scanned ...
    > No viruses were found.
    >
    > I mounted the hda1 Windows partition and sent the "expected to be the
    > virus" file to my own computer running Linux.
    > The file is called regscv32.exe and has the
    > md5sum 26a5dbd9add4b16b561cd916675c4439
    >
    > I expect it to be polymorphic.
    >
    > I lack solid disassembler skills, but I would send this binary to
    > full-disclosure list people asking for it.
    >
    > If I fail in my expectations, and this is a standard Win32 binary, tell
    > me (I can't check the md5sum myself, I lack a Win32 system), and I will
    > try to find the right binary again.
    >
    > My own conclusion:
    > I will install Debian unstable on her desktop for working, and Win2k for
    > printing on her Linux-incompatible Lexmark printer,
    > with LILO offering 2 entries, "write" and "print".
    >
    > I'm sick of this ...
    >
    > Markus Koetter
    >
    > Please mail me for the binary; I'm really interested in an analysis report.
    >
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
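The registry check in Alex's reply, as an added example that is not part of the original thread: it parses an offline regedit export (`reg export` / `.reg` text, so it runs from a clean machine without winreg) and reports Run and RunServices values that launch regsvc32.exe, while ignoring the legitimate lookalike regsvr32.exe. The sample export is constructed from the entries named in the thread.

```python
import re
# The two autorun keys named in the reply, as regedit spells them in an export.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SUSPECT_IMAGE = "regsvc32.exe"  # worm binary named in the thread (not regsvr32.exe)
# A value line: @=... for the default value, or "name"=... with \" and \\ escapes.
_VALUE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')

def _unquote(data: str) -> str:
    # REG_SZ data is double-quoted with \\ and \" escapes; other types stay raw.
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data

def parse_reg_export(text: str) -> dict:
    """Map each [key] in a .reg export to its {value name: data} pairs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip("\ufeff \t\r")
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE.match(line)):
            name = m.group("name") if m.group("name") is not None else "(Default)"
            keys[current][name] = _unquote(m.group("data"))
    return keys

def find_suspect_autoruns(text: str, image: str = SUSPECT_IMAGE) -> list:
    """Return (key, value name, command) for watched-key entries launching `image`."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in WATCHED_KEYS:
            continue
        for name, command in values.items():
            # Match the image name anywhere in the command line: bare or full path.
            if image.lower() in command.lower():
                hits.append((key, name, command))
    return hits

# Constructed sample export (not a real capture) modelled on the entries in the reply.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Registration Service"="regsvc32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Registration Service"="C:\\WINNT\\services32\\regsvc32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Lookalike"="C:\\WINNT\\system32\\regsvr32.exe /s foo.dll"
'''
```

Run `find_suspect_autoruns(open("export.reg", encoding="utf-16").read())` on a real export (regedit 5.00 files are UTF-16; REGEDIT4 files are ANSI) to get the entries to remove.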