Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

You got infected with a irc zombie


removal of the bot is pretty easy.

just remove the following regkeys:
Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\Generic Service
Process
Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Generic Service Process

and remove the following entrys from your
%windir%\system32\drivers\etc\hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com

reboot

and delete %windir%\system32\regsvc32.exe

done!

Kerem



----- Original Message ----- 
From: "Markus Koetter" <gumble@gmx.li>
To: <full-disclosure@lists.netsys.com>
Sent: Tuesday, March 30, 2004 6:29 PM
Subject: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit
features


> Hi,
> my girlfriend got a new? worm on her win2k desktop.
> The worm is quite aggressive in spreading, netstat -a did not find an
> end, i expect it to be a phatbot/agobot4 fork
> seems like it invaded on port 1025, i dont know which services were
> offerd there, but i saw several connections to port 1025.
>
> the virus offers rootkit capabilities, file and process hide, kills
> firewalls with specific names, and makes the system unusable after some
> uptime.
>
> i installed another firewall renamed the bin to "horst.exe" and got
> several connections to
> c:\winnt\services32\regsvc32.exe
> the file did not exists, neither the process in win2ks taskmanager.
>
> I was not able to remove the virus, so i plugged the machine of the net
> and told her to work offline.
> this worked well for ~4h, then the system became unstable and the floppy
> disk was screaming like a burning pig.
>
> I took my new knoppix cd 3.4, booted it, and used the live f-prot
> install to scan the system for viruses, the system got the latest
> definitions via web, and scanned ...
> No viruses were found.
>
> I mounted the hda1 windows partition and send me the "expected to be the
> virus file" on my own computer running linux
> the file is called regscv32.exe and has the
> md5sum 26a5dbd9add4b16b561cd916675c4439
>
> i expect it to be polymorph
>
> i lack solid skills in disassembler, but i would send this binary to
> fill-disc listed ppl asking for it.
>
> if i fail in my expectations, and this is a standard win32 binary, tell
> me (i cant check the md5sum myself, i lack a win32 system), and i will
> try to find the right binary again.
>
> my own conclusion,
> i will install debian unstable on her desktop for working, and win2k for
> printing on her linux incompatible lexmark printer.
> lilo offering 2 entries "write" "print"
>
> im sick off this ...
>
> Markus Koetter
>
> please mail me for the binary, im really intrested in a analysis report.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html