Full Disclosure mailing list archives
Re: New Win32 Worm regsvc32.exe offers rootkit features
From: Raymond Dijkxhoorn <raymond () prolocation net>
Date: Wed, 31 Mar 2004 00:46:40 +0200 (CEST)
Hi!
> My Symantec AV Corporate Edition v 8.00.9374 with Scan Engine 4.1.0.15 and the latest updates (28/3/2004 rev. 50) does not find any worm or virus in your file (regsvc32.exe). Maybe a new worm or a modified old worm.

> The Clam team has added it and it will be pushed in the next DB update:
>
> Date: 30-03-2004 23:16:11 +0200
> Original Filename: C:\TEMP\infected\dcc\regsvc32.exe
> Reported virus name: Unknown Virus
> Has been reviewed by: Christoph Cordes
> Submission added: Yes (as Worm.Gaobot.6)

> The file tries to impersonate the real "\WINDOWS\SYSTEM32\regsvr32.exe" with a fake name, but instead it is a worm compressed with ASPack 2.12. If you look at the import table, the worm seems to use "NetShareEnum", "ShellExecuteA" and the winsock API from Windows. I think it's not a full rootkit as you say, but maybe it contains some stealth code because it imports "EnumProcessModules" from psapi.dll, used to list the Windows process list.
It's Phatbot. New variant, one of the zillion variants around :)

Bye,
Raymond.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
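The quoted analysis above triages the sample by three cheap static signals: a filename that mimics a system binary (regsvc32 vs. regsvr32), packer residue (ASPack), and a handful of telling imports. The following Python script, added here as an example and not code from this thread or from any poster, automates those checks. It parses the PE section table directly (no third-party library) and builds a header-only PE in memory as constructed sample input; the packer section names (ASPack's `.aspack`/`.adata`, UPX's `UPX0`/`UPX1`), the list of system binaries, and the `imports` argument (assumed to come from a separate import-table parser) are the script's own assumptions.

```python
"""Static triage of a suspicious Windows executable.

Added example, not code from the mailing-list thread. The PE builder emits
headers only (no code), which is enough to exercise the section parser.
"""
import struct

# Section names that well-known packers leave behind (assumed list).
PACKER_SECTIONS = {".aspack": "ASPack", ".adata": "ASPack", "UPX0": "UPX", "UPX1": "UPX"}

# Imports the thread calls out, with why a defender cares about each.
IMPORTS_OF_INTEREST = {
    "NetShareEnum": "enumerates network shares (share-based spreading)",
    "ShellExecuteA": "launches other programs",
    "EnumProcessModules": "walks process/module lists (AV discovery, stealth)",
    "WSAStartup": "initialises Winsock (network traffic, IRC C2)",
}

# Legitimate system binaries whose names malware likes to mimic (assumed list).
SYSTEM_BINARIES = {"regsvr32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}


def levenshtein(a, b):
    """Plain edit distance; small enough for filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this name imitates, or None if it is exact or unrelated."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for legit in sorted(SYSTEM_BINARIES):
        if levenshtein(name, legit) <= 2:
            return legit
    return None


def parse_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # 4 (sig) + 20 (COFF) + optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # 8-byte, NUL-padded name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(filename, data, imports=()):
    """Collect human-readable findings; an empty list means nothing stood out."""
    findings = []
    legit = lookalike_of(filename)
    if legit:
        findings.append(f"name mimics {legit}")
    for sec in parse_section_names(data):
        if sec in PACKER_SECTIONS:
            findings.append(f"packed with {PACKER_SECTIONS[sec]} (section {sec})")
    for fn in imports:
        if fn in IMPORTS_OF_INTEREST:
            findings.append(f"imports {fn}: {IMPORTS_OF_INTEREST[fn]}")
    return findings


def build_min_pe(section_names, opt_header_size=224):
    """Constructed sample: a PE32 skeleton with the given section names and no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_header_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_header_size - 2)   # PE32 magic
    table = b""
    for i, name in enumerate(section_names):
        table += name.encode("ascii")[:8].ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    sample = build_min_pe([".text", ".aspack", ".adata"])
    for line in triage("regsvc32.exe", sample, ["NetShareEnum", "ShellExecuteA", "EnumProcessModules"]):
        print("-", line)
```

On a real file, read the bytes from disk and feed the import names from whatever import-table parser you use; the section walk works unchanged on any PE, packed or not, because packers rewrite sections but not the header layout.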