mailing list archives
Re: New Win32 Worm regsvc32.exe offers rootkit features
From: Raymond Dijkxhoorn <raymond () prolocation net>
Date: Wed, 31 Mar 2004 00:46:40 +0200 (CEST)
my Symantec AV Corporate Edition v 8.00.9374
with Scan Engine - 126.96.36.199 and last updates (28/3/2004 rev.50)
does not found any worm or virus in your file (regsvc32.exe).
Maybe a new worm or a modified old worm.
The Clam team has added it and it will be pushed in the next DB update:
Date: 30-03-2004 23:16:11 +0200
Original Filename: C:\TEMP\infected\dcc\regsvc32.exe
Reported virus name: Unknown Virus
Has been reviewed by: Christoph Cordes
Submission added: Yes (as Worm.Gaobot.6)
The file try to impersonate real "\WINDOWS\SYSTEM32\regsvr32.exe"
with a fake name, but instead is a worm compressed with ASPack 2.12.
If you look at import table, the worm seems to use
"NetShareEnum", "ShellExecuteA" and winsock API from Windows.
I think it's not a full-rootkit as you say, but maybe contains some stealth
code because import "EnumProcessModules" from psapi.dll, used to list
Windows process list.
Its Phatbot. New variant, one of the zillion variants around :)
Full-Disclosure - We believe in it.