Home page logo

fulldisclosure logo Full Disclosure mailing list archives

New Win32 Worm regsvc32.exe offers rootkit features
From: Markus Koetter <gumble () gmx li>
Date: Tue, 30 Mar 2004 18:29:29 +0200

my girlfriend got a new? worm on her win2k desktop.
The worm is quite aggressive in spreading, netstat -a did not find an
end, i expect it to be a phatbot/agobot4 fork
seems like it invaded on port 1025, i dont know which services were
offerd there, but i saw several connections to port 1025.

the virus offers rootkit capabilities, file and process hide, kills
firewalls with specific names, and makes the system unusable after some

i installed another firewall renamed the bin to "horst.exe" and got
several connections to
the file did not exists, neither the process in win2ks taskmanager.

I was not able to remove the virus, so i plugged the machine of the net
and told her to work offline.
this worked well for ~4h, then the system became unstable and the floppy
disk was screaming like a burning pig.

I took my new knoppix cd 3.4, booted it, and used the live f-prot
install to scan the system for viruses, the system got the latest
definitions via web, and scanned ...
No viruses were found.

I mounted the hda1 windows partition and send me the "expected to be the
virus file" on my own computer running linux
the file is called regscv32.exe and has the 
md5sum 26a5dbd9add4b16b561cd916675c4439 

i expect it to be polymorph

i lack solid skills in disassembler, but i would send this binary to
fill-disc listed ppl asking for it.

if i fail in my expectations, and this is a standard win32 binary, tell
me (i cant check the md5sum myself, i lack a win32 system), and i will
try to find the right binary again.

my own conclusion,
i will install debian unstable on her desktop for working, and win2k for
printing on her linux incompatible lexmark printer.
lilo offering 2 entries "write" "print" 

im sick off this ...

Markus Koetter

please mail me for the binary, im really intrested in a analysis report.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]