Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: New Win32 Worm regsvc32.exe offers rootkit features
From: Raymond Dijkxhoorn <raymond () prolocation net>
Date: Wed, 31 Mar 2004 00:46:40 +0200 (CEST)


my Symantec AV Corporate Edition v 8.00.9374
with Scan Engine - and last updates (28/3/2004 rev.50)
does not found any worm or virus in your file (regsvc32.exe).
Maybe a new worm or a modified old worm.

The Clam team has added it and it will be pushed in the next DB update:

Date: 30-03-2004 23:16:11 +0200 
 Original Filename: C:\TEMP\infected\dcc\regsvc32.exe 
 Reported virus name: Unknown Virus
 Has been reviewed by: Christoph Cordes
 Submission added: Yes (as Worm.Gaobot.6)

The file try to impersonate real "\WINDOWS\SYSTEM32\regsvr32.exe"
with a fake name, but instead is a worm compressed with ASPack 2.12.
If you look at import table, the worm seems to use
"NetShareEnum", "ShellExecuteA" and winsock API from Windows.

I think it's not a full-rootkit as you say, but maybe contains some stealth
code because import "EnumProcessModules" from psapi.dll, used to list
Windows process list.

Its Phatbot. New variant, one of the zillion variants around :)


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]