
| Subject: | Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features |
|---|---|
| Date: | Tue, 30 Mar 2004 23:52:22 +0200 |
Hi list,

My Symantec AV Corporate Edition v 8.00.9374 with Scan Engine 4.1.0.15 and the latest updates (28/3/2004 rev. 50) does not find any worm or virus in your file (regsvc32.exe). Maybe a new worm or a modified old worm.

The file tries to impersonate the real "\WINDOWS\SYSTEM32\regsvr32.exe" with a fake name, but instead is a worm compressed with ASPack 2.12. If you look at the import table, the worm seems to use "NetShareEnum", "ShellExecuteA" and the winsock API from Windows. I think it's not a full rootkit as you say, but maybe it contains some stealth code because it imports "EnumProcessModules" from psapi.dll, used to list the Windows process list.

EF

----- Original Message -----
From: "Markus Koetter" <gumble@gmx.li>
To: <full-disclosure@lists.netsys.com>
Sent: Tuesday, March 30, 2004 6:29 PM
Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features
Hi,

My girlfriend got a new? worm on her win2k desktop. The worm is quite aggressive in spreading; netstat -a did not find an end. I expect it to be a phatbot/agobot4 fork. Seems like it invaded on port 1025; I don't know which services were offered there, but I saw several connections to port 1025.

The virus offers rootkit capabilities, file and process hide, kills firewalls with specific names, and makes the system unusable after some uptime. I installed another firewall, renamed the bin to "horst.exe" and got several connections to c:\winnt\services32\regsvc32.exe. The file did not exist, neither did the process in win2k's taskmanager.

I was not able to remove the virus, so I plugged the machine off the net and told her to work offline. This worked well for ~4h, then the system became unstable and the floppy disk was screaming like a burning pig.

I took my new knoppix cd 3.4, booted it, and used the live f-prot install to scan the system for viruses; the system got the latest definitions via web, and scanned ... No viruses were found.

I mounted the hda1 windows partition and sent the "expected to be the virus" file to my own computer running linux. The file is called regscv32.exe and has the md5sum 26a5dbd9add4b16b561cd916675c4439. I expect it to be polymorph. I lack solid skills in disassembler, but I would send this binary to full-disc listed ppl asking for it. If I fail in my expectations, and this is a standard win32 binary, tell me (I can't check the md5sum myself, I lack a win32 system), and I will try to find the right binary again.

My own conclusion: I will install debian unstable on her desktop for working, and win2k for printing on her linux-incompatible lexmark printer. lilo offering 2 entries: "write", "print". I'm sick of this ...

Markus Koetter

Please mail me for the binary, I'm really interested in an analysis report.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
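One defensive check that follows from EF's observation about the fake name (regsvc32.exe in \winnt\services32 mimicking the real regsvr32.exe in system32): flag process image paths whose file name is one character away from a legitimate system binary, or whose genuine name runs from the wrong directory. This is an added example, not code posted in the thread; the KNOWN_BINARIES allow-list and the sample process list are assumed and constructed for illustration.

```python
# Triage process image paths for lookalikes of Windows system binaries, e.g.
# regsvc32.exe in \winnt\services32 vs. the real regsvr32.exe in system32.
from pathlib import PureWindowsPath

# Legitimate binary name -> directory it belongs in. Assumed, illustrative
# allow-list; on a real system build it from a clean reference install.
KNOWN_BINARIES = {"regsvr32.exe": "system32", "svchost.exe": "system32"}

def edit_distance(a, b):
    """Levenshtein distance; 1 means a single-character lookalike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def assess_path(image_path):
    """Return findings for one image path; an empty list means nothing odd."""
    p = PureWindowsPath(image_path)
    name, parent = p.name.lower(), p.parent.name.lower()
    findings = []
    if name in KNOWN_BINARIES:  # genuine name: is it in its home directory?
        if parent != KNOWN_BINARIES[name]:
            findings.append(f"{name} running outside {KNOWN_BINARIES[name]}")
        return findings
    for legit in KNOWN_BINARIES:  # unknown name: near-miss of a known one?
        if edit_distance(name, legit) == 1:
            findings.append(f"{name} is one edit away from {legit}")
    return findings

def triage(image_paths):
    """Map each suspicious path to its findings; clean paths are omitted."""
    return {path: assess_path(path) for path in image_paths if assess_path(path)}

# Constructed sample process list, modelled on the infected win2k box above.
SAMPLE_PROCESSES = [
    r"C:\WINNT\system32\regsvr32.exe",     # genuine
    r"C:\WINNT\services32\regsvc32.exe",   # lookalike name in an odd directory
    r"C:\WINNT\system32\svchost.exe",      # genuine
    r"C:\Temp\svchost.exe",                # right name, wrong directory
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE_PROCESSES).items():
        print(path, "->", "; ".join(findings))
```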