Full Disclosure mailing list archives
RE: Microsoft Update Loader msrtwd.exe
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 2 Sep 2004 10:33:22 -0500
So rename it to a txt file. Just let everyone know. Or zip it maybe.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of S.A. Birl
Sent: Thursday, September 02, 2004 9:17 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft Update Loader msrtwd.exe

(Un)Fortunately, I am not allowed to distribute the exe.

Does anyone know how it infects?

On Sep 1, Harlan Carvey (nospam-keydet89 () yahoo com ns) typed:

FD: Where in the Registry did you find it? Which key(s)?
FD: What about this makes you think it's a Trojan? Did
FD: you run fport/openports and find it listening on a
FD: port? Where does the Registry entry point to within
FD: the file system? Since the file is an .exe file, did
FD: you check it for version information?
FD:
FD: Since filenames are the easiest thing about a file to
FD: change, is there any information other than simply the
FD: name that you can provide?

There were about 6 Registry entries in the HKLM section. I don't have the compromised machine, so I cannot tell you the exact locations.

We ran TCPview on the compromised machine and watched it connect to an IRC server.

On Sep 1, Todd Towles (nospam-toddtowles () brookshires com ns) typed:

FD: I see one other post about it here..
FD:
FD: http://www.dslreports.com/forum/remark,10987569~mode=flat
FD:
FD: Sounds like malware to me. Did you send copies to any AV companies?

That URL is the same one I came across yesterday via Google. A copy of it has been sent to Symantec.

On Sep 1, Joe Stewart <nospam-jstewart () lurhq com ns> typed:

FD: We saw an Rbot variant spreading on August 23 with the same exe
FD: name. I've also seen other Rbot variants using a similar registry
FD: key name. Kaspersky does a pretty good job of spotting unknown Rbot
FD: variants with a generic signature "Backdoor.Rbot.gen".
FD:
FD: -Joe

http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
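The triage questions raised in the thread (which Registry keys the entry lives in, where it points on disk, whether the file carries version information, and what it is connecting to) can be answered on a live host with a short script. The following is an added example, not code from anyone in the thread; it checks only the standard Windows Run/RunOnce/RunServices locations, since the exact keys used by msrtwd.exe are not given in the thread, and it assumes a modern PowerShell where Get-NetTCPConnection is available.

```powershell
# Added triage helper: list autorun entries under HKLM/HKCU, resolve each value to a
# file, and pull its version resource so entries with no vendor information stand out.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            # Strip surrounding quotes and trailing arguments to get the executable path
            $raw = [string]$p.Value
            $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = Test-Path $exe
            $vi = if ($exists) { (Get-Item $exe).VersionInfo } else { $null }
            [pscustomobject]@{
                Key       = $key
                ValueName = $p.Name
                Target    = $exe
                Exists    = $exists
                Company   = if ($vi) { $vi.CompanyName } else { $null }
                Product   = if ($vi) { $vi.ProductName } else { $null }
                Version   = if ($vi) { $vi.FileVersion } else { $null }
            }
        }
    }
}

# Entries whose target is missing or carries no CompanyName deserve a closer look:
# a self-styled "Microsoft Update Loader" with no version resource would show up here.
Get-AutorunReport |
    Where-Object { -not $_.Exists -or [string]::IsNullOrEmpty($_.Company) } |
    Format-Table -AutoSize

# Established outbound connections per process, the same view the thread's poster got
# from TCPview when the host reached out to an IRC server.
Get-NetTCPConnection -State Established |
    Select-Object RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and all processes are readable; an entry with a Microsoft-looking name but an empty Company column is the kind of mismatch the thread's version-information question is meant to surface.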