Re: Behavior of Randex variant.
From: Phil Weldon (notdisclosed_at_example.com)
Date: Wed, 07 Apr 2004 04:51:32 GMT
Is it possible that "regedlt.exe" is a typo? It is difficult to search
for information if the file name is wrong (unless it is jdgmgr.exe, which
has references on the internet that are so numerous that almost any spelling
will get a few hits.) The typo thing was preventing one poster from
figuring out that Visual Basic version 6.0 runtime files were needed.
--
Phil Weldon, pweldonatmindjumpdotcom
For communication, replace "at" with the 'at sign', replace "mindjump" with
"mindspring." and replace "dot" with "."

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:efGWAOFHEHA.4088@TK2MSFTNGP10.phx.gbl...
> You may have multiple problems, and they may not all be what are classed as
> viruses.
>
> I've read another thread by you elsewhere, and I wonder whether this
> regedlt.exe isn't commercial spyware, rather than a virus.
>
> If you can get through some successive boots, including opening IE--try
> setting the home page to blank and setting all security and search options
> to the defaults--and not get a virus flagged by McAfee with current
> definitions, then I'd recommend getting HijackThis and posting to one of the
> spyware forums to see if you can get the regedlt.exe thing sorted out.
>
> www.aumha.org's freeware list is a good place to get HijackThis, and some
> guidance about how to use it and where to post the logs.
>
> I've read Symantec's descriptions of what they claim are what McAfee calls
> w32/randbot (they actually have two completely different critters they
> describe that way--google on randbot and symantec!)--and they just don't
> resemble this regedlt thing, as far as I can see.
>
> "P. Qwan" <email@example.com> wrote in message
> news:0%Gcc.firstname.lastname@example.org...
> > Update - the latest McAfee virus definitions (as of 4/6), running in safe
> > mode, found and removed "backdooratv" and "w23randbot.worm". Then was
> > able to boot up normally. However, the very next boot up, same problem:
> > laptop gets through log-in screen, "loading personal settings" screen, and
> > welcome wave, then it hangs with hour-glass cursor and blue screen (Windows
> > background color). Able to bring up task manager at this point and verify
> > that regedlt.exe is running as a process.
> >
> > Boot into safe mode again, and run McAfee. This time it doesn't find
> > anything...
> >
> > "P. Qwan" <email@example.com> wrote in message
> > news:eQocc.firstname.lastname@example.org...
> >> I initially posted a message in the 2000/General news group, because I
> >> thought this problem was software related. It turns out that it's possibly
> >> a new variant of Randex. Here is some information I copied from the thread
> >> in 2000/General
> >>
> >> **************************************************
> >>
> >> Norman.no is the only one that responded to the virus with the following
> >> sandbox analysis:
> >>
> >> [ General information ]
> >>
> >> * File length: 52224 bytes.
> >> * Total emulation cycles required: 6847347.
> >>
> >> [ Changes to filesystem ]
> >> * Creates file C:\WINDOWS\SYSTEM\regedlt.exe.
> >>
> >> [ Changes to registry ]
> >> * Creates value "tsx"="regedlt.exe" in key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
> >> * Creates key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> >> * Creates value "tsx"="regedlt.exe" in key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> >> * Creates value "tsx"="regedlt.exe" in key
> >> "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
> >> * Creates value "tsx"="regedlt.exe" in key
> >> "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
> >> * Creates value "tsx"="regedlt.exe" in key
> >> "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> >>
> >> [ Network services ]
> >> * Attempts to resolve name "streethawkz.ma.cx".
> >> * Connect port 6667 [DGRAM], IP 18.104.22.168.
> >> * Connects to IRC Server.
> >> * Connect port 113 [DGRAM], IP 0.0.0.0.
> >>
> >> [ Process/window information ]
> >> * Creates a mutex tsk.
> >>
> >> This is what Symantec sees it as:
> >>
> >> Subject: Virus Found NAV
> >>
> >> Alert: Virus Found
> >> Computer: CFL2
> >> File Path: C:\WINNT\system32\regedlt.exe
> >> Virus Name: W32.Randex.gen
> >> Date: 04/05/04
> >> Time: 02:48:07 PM
> >> User: Administrator
> >> Severity: Critical
> >> Source: Norton AntiVirus Corporate Edition
> >>
> >> *************************************************************
> >>
> >> I first saw the problem on a Dell Laptop running Win2000. It has McAfee
> >> virus scanner, but the virus definition files were not up-to-date. It is a
> >> personal use laptop that connects to the Internet via ATT Dial-Up.
> >>
> >> When "regedlt.exe" keys are present in the registry, the laptop hangs during
> >> boot-up, I assume because at that point it has no internet connection. It
> >> gets past the log-in screen, the "loading personal preferences screen", and
> >> the "ta-da" welcome. Then it stops with a blue screen (Windows background
> >> color) and an hour-glass cursor. I am able to Ctrl-Alt-Delete and bring up
> >> Task Manager. One of the processes listed is "regedlt.exe".
> >>
> >> I can shut down and boot up in Safe Mode at this point, delete all the
> >> "regedlt.exe" keys, and it will boot up normally. Then this is how it goes:
> >>
> >> 1. If I clean the registry of the regedlt.exe keys, boot up, connect to
> >> ATT, and do not start Internet Explorer, then the keys are not created
> >> again. I can then reboot with no problem.
> >>
> >> 2. If I start IE and navigate to any page, then close IE down and check the
> >> registry, the regedlt.exe keys are not there. But if I reboot at that
> >> point, the regedlt.exe keys are added, and it hangs.
> >>
> >> So it seems to be activated by IE somehow. I am not a computer
> >> professional, so I could be missing something.
> >>
> >> I installed a new copy of McAfee on this laptop, downloaded the latest
> >> virus definitions (as of 4/5) and it didn't detect any viruses. Of course,
> >> this is with the regedlt.exe keys deleted, because it won't boot up when they
> >> are present.
> >>
> >> P. Qwan
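A defender-side check built from the sandbox report quoted in the thread, added here as an example and not part of any post: it parses the Norman-style "Creates value ... in key ..." entries and compares them against an autorun snapshot exported from a host. The report text is the one quoted above; the host snapshot, its benign "Example Updater" entry and the function names are constructed for the example.

```python
import re

# The registry section of the Norman sandbox report quoted in the thread
# (the page's own data, copied verbatim; other sections trimmed).
SANDBOX_REPORT = r"""
[ Changes to registry ]
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "tsx"="regedlt.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "tsx"="regedlt.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
"""

# Each "Creates value" entry wraps over two report lines, so the pattern
# runs over the report after its lines are joined with spaces.
VALUE_RE = re.compile(r'Creates value "([^"]+)"="([^"]+)" in key\s+"([^"]+)"')

def parse_autorun_values(report):
    """Return (key, value_name, value_data) for every autorun value the
    sample creates; bare 'Creates key' lines carry no value and are skipped."""
    joined = " ".join(line.strip() for line in report.splitlines())
    return [(key, name, data) for name, data, key in VALUE_RE.findall(joined)]

def find_persistence(report, host_autoruns):
    """host_autoruns: {key: {value_name: value_data}} exported from a host.
    A match on the value name, or on the dropped file name anywhere in the
    value data (so a full path still matches), flags the entry."""
    hits = []
    for key, name, data in parse_autorun_values(report):
        for vname, vdata in host_autoruns.get(key, {}).items():
            if vname == name or data.lower() in vdata.lower():
                hits.append((key, vname, vdata))
    return hits

# Constructed host snapshot: one benign entry plus the reported value.
HOST_AUTORUNS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Example Updater": r"C:\Program Files\Example\updater.exe",
        "tsx": r"C:\WINDOWS\SYSTEM\regedlt.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
}
```

Run against a real export, the same five keys are the ones the sandbox names, which is why clearing them in Safe Mode let the machine boot until the value was re-created.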