Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: New Win32 Worm regsvc32.exe offers rootkit features
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Wed, 31 Mar 2004 09:32:33 +0530





Looks like IRC Backdoor
check registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete 
entry with regsvc32.exe
(such as Registration Service = "regsvc32.exe")
Do the same with 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices


the port 1025 is good used for binding the task schuduler, is this doing something with the task schuduler.  there are 
plenty of naughty things to do there ....

-aditya


________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]