New Win32 Worm regsvc32.exe offers rootkit features
From: Markus Koetter <gumble () gmx li>
Date: Tue, 30 Mar 2004 18:29:29 +0200
My girlfriend got a (new?) worm on her Win2k desktop.
The worm is quite aggressive in spreading; netstat -a did not find an
end. I expect it to be a phatbot/agobot4 fork.
It seems like it invaded on port 1025; I don't know which services were
offered there, but I saw several connections to port 1025.
The virus offers rootkit capabilities (file and process hiding), kills
firewalls with specific names, and makes the system unusable after some
I installed another firewall, renamed the bin to "horst.exe", and got
several connections to
The file did not exist, and neither did the process in Win2k's Task Manager.
I was not able to remove the virus, so I unplugged the machine from the net
and told her to work offline.
This worked well for ~4h, then the system became unstable and the floppy
disk was screaming like a burning pig.
I took my new Knoppix 3.4 CD, booted it, and used the live F-Prot
install to scan the system for viruses; the system got the latest
definitions via web, and scanned ...
No viruses were found.
I mounted the hda1 Windows partition and sent the "expected to be the
virus" file to my own computer running Linux.
The file is called regscv32.exe and has the
I expect it to be polymorphic.
I lack solid skills with a disassembler, but I would send this binary to
Full-Disclosure listed people asking for it.
If I fail in my expectations and this is a standard Win32 binary, tell
me (I can't check the md5sum myself; I lack a Win32 system), and I will
try to find the right binary again.
My own conclusion:
I will install Debian unstable on her desktop for working, and Win2k for
printing on her Linux-incompatible Lexmark printer.
LILO offering 2 entries: "write" and "print".
I'm sick of this ...
Please mail me for the binary; I'm really interested in an analysis report.
Full-Disclosure - We believe in it.
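Added example (not part of Markus's post or any tool he names): the observation above, a file that is invisible from inside Windows but present when the partition is mounted from the Knoppix CD, is the classic cross-view test for a file-hiding rootkit. The script below takes a listing produced from inside the running system and one produced from the offline mount, normalises the paths, and reports what only the offline view can see. Both listings are constructed for this example; the file name regscv32.exe is taken from the post, every other name and size is hypothetical.

```python
"""Cross-view diff for rootkit file hiding.

Compare a directory listing taken from inside the (possibly rootkitted)
Windows install with a listing of the same tree taken from the partition
mounted under a live Linux CD.  A file present offline but absent online
is a candidate for a file-hiding hook; sizes that disagree are suspicious
too.  All sample data below is constructed for this example.
"""


def parse_listing(text, root):
    """Parse lines of '<path> <size>' into {relative_path_lowercased: size}.

    `root` is the directory both views have in common (e.g. the WINNT dir),
    given in the path style of that listing.  Backslashes are folded to
    forward slashes and case is folded because FAT/NTFS are case-insensitive.
    """
    root = root.replace("\\", "/").rstrip("/").lower()
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, size = line.rpartition(" ")
        norm = path.replace("\\", "/")
        if not norm.lower().startswith(root + "/"):
            raise ValueError("path outside expected root: %s" % path)
        rel = norm[len(root) + 1:].lower()
        entries[rel] = int(size)
    return entries


def cross_view_diff(online, offline):
    """Return (hidden_from_online, absent_offline, size_mismatch), all sorted.

    hidden_from_online: files the offline mount shows but Windows did not.
    absent_offline:     files Windows listed that the mount does not have
                        (e.g. created after the offline snapshot).
    size_mismatch:      same path, different size in the two views.
    """
    hidden = sorted(set(offline) - set(online))
    absent = sorted(set(online) - set(offline))
    mismatch = sorted(p for p in set(online) & set(offline)
                      if online[p] != offline[p])
    return hidden, absent, mismatch


# Constructed sample: what a `dir /a /s` run inside Windows reported.
ONLINE_LISTING = r"""
C:\WINNT\system32\ntoskrnl.exe 1234567
C:\WINNT\system32\services.exe 90112
C:\WINNT\system32\horst.exe 402432
"""

# Constructed sample: `find /mnt/hda1/WINNT -type f -printf '%p %s\n'`
# run from the live CD against the read-only mounted partition.
OFFLINE_LISTING = r"""
/mnt/hda1/WINNT/system32/ntoskrnl.exe 1234567
/mnt/hda1/WINNT/system32/services.exe 90112
/mnt/hda1/WINNT/system32/horst.exe 402432
/mnt/hda1/WINNT/system32/regscv32.exe 77824
"""


def sample_report():
    """Run the diff over the constructed listings."""
    online = parse_listing(ONLINE_LISTING, r"C:\WINNT")
    offline = parse_listing(OFFLINE_LISTING, "/mnt/hda1/WINNT")
    return cross_view_diff(online, offline)


if __name__ == "__main__":
    hidden, absent, mismatch = sample_report()
    for p in hidden:
        print("HIDDEN from Windows view:", p)
    for p in absent:
        print("absent in offline view:", p)
    for p in mismatch:
        print("size differs between views:", p)
```

The check is only as good as the offline view: take it from the mounted partition, never from tools run on the infected system, and hash the candidates with md5sum on the live CD before sending them anywhere.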