Re: Behavior of Randex variant.

From: P. Qwan (prahqwan_at_hotmail.com)
Date: 04/07/04


Date: Wed, 07 Apr 2004 19:33:58 GMT


"regedlt.exe", with an "l" as in "lamb", between the "d" and the "t" is the
correct spelling. If I do a file search with that spelling, it finds the
file in one of the NT subdirectories.

"Phil Weldon" <notdisclosed@example.com> wrote in message
news:oNLcc.18858$lt2.3816@newsread1.news.pas.earthlink.net...
> Is it possible that "regedlt.exe" is a typo? It is difficult to search
> for information if the file name is wrong (unless it is jdgmgr.exe, which
> has references on the internet that are so numerous that almost any
> spelling will get a few hits.) The typo thing was preventing one poster
> from figuring out that Visual Basic version 6.0 runtime files were needed.
> --
> Phil Weldon, pweldonatmindjumpdotcom
> For communication,
> replace "at" with the 'at sign'
> replace "mindjump" with "mindspring."
> replace "dot" with "."
>
> "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> news:efGWAOFHEHA.4088@TK2MSFTNGP10.phx.gbl...
> > You may have multiple problems, and they may not all be what are classed
> > as viruses.
> >
> > I've read another thread by you elsewhere, and I wonder whether this
> > regedlt.exe isn't commercial spyware, rather than a virus.
> >
> > If you can get through some successive boots, including opening IE--try
> > setting the home page to blank and setting all security and search
> > options to the defaults--and not get a virus flagged by McAfee with
> > current definitions, then I'd recommend getting HijackThis and posting
> > to one of the spyware forums to see if you can get the regedlt.exe thing
> > sorted out.
> >
> > www.aumha.org's freeware list is a good place to get HijackThis, and
> > some guidance about how to use it and where to post the logs.
> >
> > I've read Symantec's descriptions of what they claim are what McAfee
> > calls w32/randbot (they actually have two completely different critters
> > they describe that way--google on randbot and symantec!)--and they just
> > don't resemble this regedlt thing, as far as I can see.
> >
> > "P. Qwan" <prahqwan@hotmail.com> wrote in message
> > news:0%Gcc.2751$hd3.1864@nwrddc03.gnilink.net...
> > > Update - the latest McAfee virus definitions (as of 4/6), running in
> > > safe mode, found and removed "backdooratv" and "w23randbot.worm". Then
> > > was able to boot up normally. However, the very next boot up, same
> > > problem: laptop gets through log-in screen, "loading personal settings"
> > > screen, and welcome wave, then it hangs with hour-glass cursor and blue
> > > screen (Windows background color). Able to bring up task manager at
> > > this point and verify that regedlt.exe is running as a process.
> > >
> > > Boot into safe mode again, and run McAfee. This time it doesn't find
> > > anything...
> > >
> > > "P. Qwan" <prahqwan@hotmail.com> wrote in message
> > > news:eQocc.2345$bd4.205@nwrddc01.gnilink.net...
> > > > I initially posted a message in the 2000/General news group, because
> > > > I thought this problem was software related. It turns out that it's
> > > > possibly a new variant of Randex. Here is some information I copied
> > > > from the thread in 2000/General
> > > >
> > > > **************************************************
> > > >
> > > > Norman.no are the only one that responded to the virus with the
> > > > following sandbox analysis:
> > > >
> > > > [ General information ]
> > > >
> > > > * File length: 52224 bytes.
> > > > * Total emulation cycles required: 6847347.
> > > >
> > > > [ Changes to filesystem ]
> > > > * Creates file C:\WINDOWS\SYSTEM\regedlt.exe.
> > > >
> > > > [ Changes to registry ]
> > > > * Creates value "tsx"="regedlt.exe" in key
> > > > "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
> > > > * Creates key
> > > > "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> > > > * Creates value "tsx"="regedlt.exe" in key
> > > > "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> > > > * Creates value "tsx"="regedlt.exe" in key
> > > > "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
> > > > * Creates value "tsx"="regedlt.exe" in key
> > > > "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
> > > > * Creates value "tsx"="regedlt.exe" in key
> > > > "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".
> > > >
> > > > [ Network services ]
> > > > * Attempts to resolve name "streethawkz.ma.cx".
> > > > * Connect port 6667 [DGRAM], IP 193.75.75.100.
> > > > * Connects to IRC Server.
> > > > * Connect port 113 [DGRAM], IP 0.0.0.0.
> > > >
> > > > [ Process/window information ]
> > > > * Creates a mutex tsk.
> > > >
> > > > This is what Symantec sees it as:
> > > >
> > > > Subject: Virus Found NAV
> > > >
> > > > Alert: Virus Found
> > > > Computer: CFL2
> > > > File Path: C:\WINNT\system32\regedlt.exe Virus Name: W32.Randex.gen
> > > > Date: 04/05/04
> > > > Time: 02:48:07 PM
> > > > User: Administrator
> > > > Severity: Critical
> > > > Source: Norton AntiVirus Corporate Edition
> > > >
> > > > *************************************************************
> > > >
> > > > I first saw the problem on a Dell Laptop running Win2000. It has
> > > > McAfee virus scanner, but the virus definition files were not
> > > > up-to-date. It is a personal use laptop that connects to the Internet
> > > > via ATT Dial-Up.
> > > >
> > > > When "regedlt.exe" keys are present in the registry, the laptop hangs
> > > > during boot-up, I assume because at that point it has no internet
> > > > connection. It gets past the log-in screen, the "loading personal
> > > > preferences screen", and the "ta-da" welcome. Then it stops with a
> > > > blue screen (Windows background color) and an hour-glass cursor. I am
> > > > able to Ctrl-Alt-Delete and bring up Task Manager. One of the
> > > > processes listed is "regedlt.exe".
> > > >
> > > > I can shut down and boot up in Safe Mode at this point, delete all
> > > > the "regedlt.exe" keys, and it will boot up normally. Then this is
> > > > how it goes:
> > > >
> > > > 1. If I clean the registry of the regedlt.exe keys, boot up, connect
> > > > to ATT, and do not start Internet Explorer, then the keys are not
> > > > created again. I can then reboot with no problem.
> > > >
> > > > 2. If I start IE and navigate to any page, then close IE down and
> > > > check the registry, the regedlt.exe keys are not there. But if I
> > > > reboot at that point, the regedlt.exe keys are added, and it hangs.
> > > >
> > > > So it seems to be activated by IE somehow. I am not a computer
> > > > professional, so I could be missing something.
> > > >
> > > > I installed a new copy of McAfee on this laptop, downloaded the
> > > > latest virus definitions (as of 4/5) and it didn't detect any
> > > > viruses. Of course, this is with the regedlt.exe keys deleted,
> > > > because it won't boot up when they are present.
> > > >
> > > > P. Qwan
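The Norman sandbox report quoted in the thread is a compact list of indicators, and the poster's recovery procedure (boot into Safe Mode, delete the regedlt.exe autorun values) is essentially a manual walk of that list. The following Python script is an added example, not code from the thread or from Norman: it parses that report format (the report text is embedded as a constructed sample, reproduced from the quoted post), collects the file, registry, DNS, connection and mutex indicators, and derives a checklist of the autostart registry values to inspect, together with `reg query` commands for confirming them on a live machine (reg.exe is built into Windows XP and later). The section names, bullet wording and the set of autostart subkeys it recognises are assumptions based on the quoted report and on the well-known Run/RunOnce/RunServices locations; any other Norman report layout would need the patterns adjusted.

```python
"""Parse a Norman-style sandbox report into indicators and an autorun checklist.
Added example; the report below is a constructed sample copied from the thread."""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Constructed sample input: the sandbox report as quoted in the thread.
SAMPLE_REPORT = r"""
[ General information ]

* File length: 52224 bytes.
* Total emulation cycles required: 6847347.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\regedlt.exe.

[ Changes to registry ]
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Creates value "tsx"="regedlt.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "tsx"="regedlt.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "tsx"="regedlt.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce".

[ Network services ]
* Attempts to resolve name "streethawkz.ma.cx".
* Connect port 6667 [DGRAM], IP 193.75.75.100.
* Connects to IRC Server.
* Connect port 113 [DGRAM], IP 0.0.0.0.

[ Process/window information ]
* Creates a mutex tsk.
"""

# Well-known autostart subkeys (assumed list); RunServices only exists on Win9x/ME,
# so on NT/2000 that write is inert, but it still belongs in the checklist.
AUTORUN_SUBKEYS = ("Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce")

@dataclass
class Indicators:
    file_length: int = 0
    files: List[str] = field(default_factory=list)
    registry_values: List[Tuple[str, str, str]] = field(default_factory=list)  # (key, name, data)
    registry_keys: List[str] = field(default_factory=list)
    dns_names: List[str] = field(default_factory=list)
    connections: List[Tuple[str, int, str]] = field(default_factory=list)  # (ip, port, proto)
    mutexes: List[str] = field(default_factory=list)

PATTERNS = {
    "length": re.compile(r"File length: (\d+) bytes"),
    "file": re.compile(r"Creates file (.+)$"),
    "value": re.compile(r'Creates value "([^"]*)"="([^"]*)" in key "([^"]+)"$'),
    "key": re.compile(r'Creates key "([^"]+)"$'),
    "dns": re.compile(r'Attempts to resolve name "([^"]+)"$'),
    "conn": re.compile(r"Connect port (\d+) \[(\w+)\], IP ([\d.]+)$"),
    "mutex": re.compile(r"Creates a mutex (\S+)$"),
}

def _bullets(report: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, bullet text); the report wraps long key names onto the
    following line, so non-bullet lines are re-joined to the previous bullet."""
    section, current = "", None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if current:
                yield section, current
            current, section = None, line.strip("[] ")
        elif line.startswith("* "):
            if current:
                yield section, current
            current = line[2:]
        elif current is not None:
            current += " " + line
    if current:
        yield section, current

def parse_report(report: str) -> Indicators:
    """Turn the report's bullets into structured indicators; unknown bullets are skipped."""
    ind = Indicators()
    for _section, text in _bullets(report):
        text = text.rstrip(".")  # every bullet ends with a full stop
        if m := PATTERNS["length"].search(text):
            ind.file_length = int(m.group(1))
        elif m := PATTERNS["file"].match(text):
            ind.files.append(m.group(1))
        elif m := PATTERNS["value"].match(text):
            ind.registry_values.append((m.group(3), m.group(1), m.group(2)))
        elif m := PATTERNS["key"].match(text):
            ind.registry_keys.append(m.group(1))
        elif m := PATTERNS["dns"].match(text):
            ind.dns_names.append(m.group(1))
        elif m := PATTERNS["conn"].match(text):
            ind.connections.append((m.group(3), int(m.group(1)), m.group(2)))
        elif m := PATTERNS["mutex"].match(text):
            ind.mutexes.append(m.group(1))
    return ind

def autorun_checklist(ind: Indicators) -> List[Tuple[str, str, str]]:
    """Values written under autostart keys, as (hive, subkey, value name): the
    entries to inspect, and remove from Safe Mode as the poster did."""
    out = []
    for key, name, _data in ind.registry_values:
        hive, _, subkey = key.partition("\\")
        if subkey.rsplit("\\", 1)[-1] in AUTORUN_SUBKEYS:
            out.append((hive, subkey, name))
    return out

def reg_query_commands(ind: Indicators) -> List[str]:
    """reg.exe commands that confirm whether each autostart value is present."""
    return [f'reg query "{hive}\\{subkey}" /v {name}' for hive, subkey, name in autorun_checklist(ind)]

if __name__ == "__main__":
    ind = parse_report(SAMPLE_REPORT)
    print("dropped file(s):", ind.files)
    print("IRC/C2 indicators:", ind.dns_names, ind.connections)
    for cmd in reg_query_commands(ind):
        print(cmd)
```

The checklist it prints for the quoted report is five values, all named "tsx": HKLM and HKCU Run, HKLM and HKCU RunOnce, and HKLM RunServices. Matching on the autostart subkey rather than on the file name is deliberate: a later variant could drop a differently named binary, and it is the autostart location that makes the entry worth attention.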