Full Disclosure mailing list archives

Re: New Win32 Worm regsvc32.exe offers rootkit features


From: "Alex" <alexs () indefense com>
Date: Tue, 30 Mar 2004 12:33:25 -0500

Looks like an IRC backdoor.
Check the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry with regsvc32.exe
(such as Registration Service = "regsvc32.exe")
Do the same with HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Alex
----- Original Message ----- 
From: "Markus Koetter" <gumble () gmx li>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, March 30, 2004 11:29 AM
Subject: [Full-disclosure] New Win32 Worm regsvc32.exe offers rootkit features


Hi,
My girlfriend got a new(?) worm on her Win2k desktop.
The worm is quite aggressive in spreading; netstat -a did not find an
end. I expect it to be a phatbot/agobot4 fork.
Seems like it invaded on port 1025. I don't know which services were
offered there, but I saw several connections to port 1025.

The virus offers rootkit capabilities, file and process hiding, kills
firewalls with specific names, and makes the system unusable after some
uptime.

I installed another firewall, renamed the bin to "horst.exe", and got
several connections to
c:\winnt\services32\regsvc32.exe
The file did not exist, nor did the process in Win2k's task manager.

I was not able to remove the virus, so I unplugged the machine from the net
and told her to work offline.
This worked well for ~4h, then the system became unstable and the floppy
disk was screaming like a burning pig.

I took my new Knoppix 3.4 CD, booted it, and used the live F-Prot
install to scan the system for viruses. The system got the latest
definitions via web and scanned ...
No viruses were found.

I mounted the hda1 Windows partition and sent the "expected to be the
virus" file to my own computer running Linux.
The file is called regscv32.exe and has the
md5sum 26a5dbd9add4b16b561cd916675c4439

I expect it to be polymorphic.

I lack solid skills with a disassembler, but I would send this binary to
full-disc listed ppl asking for it.

If I fail in my expectations, and this is a standard win32 binary, tell
me (I can't check the md5sum myself, I lack a win32 system), and I will
try to find the right binary again.

My own conclusion:
I will install Debian unstable on her desktop for working, and Win2k for
printing on her Linux-incompatible Lexmark printer.
LILO offering 2 entries, "write" and "print".

I'm sick of this ...

Markus Koetter

Please mail me for the binary, I'm really interested in an analysis report.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
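Alex's registry check, turned into an offline script. This is an added example, not code from the thread or from either poster: it parses a .reg export of the two keys he names (as written by `reg export` or regedit's Export), flags every value whose data mentions regsvc32.exe, and prints the matching `reg delete` commands for an operator to review before running them. The sample export, the helper names and the file-encoding assumption are mine; the hex(2) branch is there because a Run value can be stored as REG_EXPAND_SZ, which the export format writes as wrapped hex.

```python
"""Offline check for the autorun entries named in the reply.

Parses a .reg export of the HKLM Run / RunServices keys, flags any value
whose data launches the named binary, and renders the removal step as
`reg delete` commands for review. Nothing here touches a live registry.
"""
import re
from typing import Dict, List, Tuple

# The two keys named in the reply, in the long form a .reg export uses.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample export: the regsvc32.exe entries mirror the ones the
# thread describes (a bare "regsvc32.exe" and the c:\winnt\services32 path,
# the latter stored as REG_EXPAND_SZ so the hex(2) branch is exercised); the
# other values are made-up benign filler.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"="C:\\Example\\updater.exe /quiet"
"Registration Service"="regsvc32.exe"
"ExampleAgent"="\"C:\\Program Files\\Example\\agent.exe\" /tray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Registration Service"=hex(2):63,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,\
  73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,33,00,32,00,5c,00,\
  72,00,65,00,67,00,73,00,76,00,63,00,33,00,32,00,2e,00,65,00,78,00,65,00,00,00
'''

# A value line: a quoted name (or @ for the default value), '=', then data.
_VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode_data(raw: str) -> str:
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1) or 3)          # bare "hex:" is REG_BINARY (3)
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        if kind in (1, 2, 7):                # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode('utf-16-le').rstrip('\x00').replace('\x00', ' ')
        return data.hex()
    return raw                               # dword:... and friends kept verbatim


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: decoded data}} for a .reg export."""
    # Hex data wraps across lines with a trailing backslash; rejoin it first.
    logical: List[str] = []
    for line in text.splitlines():
        if logical and logical[-1].endswith('\\'):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.rstrip())

    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in logical:
        line = line.strip()
        if not line or line.startswith(('Windows Registry Editor', ';')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_data(m.group(2))
    return keys


def find_autorun_entries(text: str, needle: str = 'regsvc32.exe') -> List[Tuple[str, str, str]]:
    """Entries under Run/RunServices whose data mentions `needle` (case-insensitive)."""
    by_key = {k.lower(): v for k, v in parse_reg_export(text).items()}
    hits = []
    for key in AUTORUN_KEYS:                 # export may spell SOFTWARE in any case
        for name, data in by_key.get(key.lower(), {}).items():
            if needle.lower() in data.lower():
                hits.append((key, name, data))
    return hits


def reg_delete_commands(hits: List[Tuple[str, str, str]]) -> List[str]:
    """The deletion step from the reply, rendered for review rather than run."""
    return ['reg delete "{}" /v "{}" /f'.format(key.replace('HKEY_LOCAL_MACHINE', 'HKLM', 1), name)
            for key, name, _ in hits]


if __name__ == '__main__':
    import sys
    # Assumption: a real export is UTF-16 with BOM; the bundled sample is used otherwise.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    found = find_autorun_entries(text)
    for key, name, data in found:
        print(f'{key}\n  {name!r} -> {data!r}')
    print('\n'.join(reg_delete_commands(found)))
```

Run it against a saved export (`python autorun_check.py run.reg`) or with no argument to see the sample; review the printed commands before executing any of them, since a legitimate program could in principle carry the same name.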

