Full Disclosure mailing list archives
RE: New Win32 Worm regsvc32.exe offers rootkit features
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Wed, 31 Mar 2004 09:32:33 +0530
Looks like IRC Backdoor.
Check registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete entry with regsvc32.exe (such as Registration Service = "regsvc32.exe").
Do the same with HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
The port 1025 is used for binding the task scheduler; is this doing something with the task scheduler? There are plenty of naughty things to do there ....
-aditya
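The registry check described in the message above, as an added PowerShell example that is not part of the original post: it lists values under the two autorun keys whose command line launches regsvc32.exe, and deletes them only when -Remove is given. The parameter names and the matching pattern are assumptions of this example.

```powershell
# Added example: audit the two autorun keys named in the post for regsvc32.exe.
# Read-only by default; -Remove deletes matching values and honours -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ImageName = 'regsvc32.exe',   # file name taken from the post
    [switch]$Remove                        # hypothetical switch for this example
)

$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Match the image name as a whole path component, so "regsvc32.exe",
# "C:\dir\regsvc32.exe" and a quoted path with arguments all hit, while
# names that merely contain the string (e.g. "xregsvc32.exe") do not.
$pattern = '(^|[\\/"\s])' + [regex]::Escape($ImageName) + '($|["\s])'

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Verbose "Key not present on this system: $key"
        continue
    }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -notmatch $pattern) { continue }

        # Emit one record per hit so the result can be piped or exported.
        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Data      = $data
        }

        # Only named values are removed; an unnamed (default) value is reported only.
        if ($Remove -and $name -ne '' -and
            $PSCmdlet.ShouldProcess("$key\$name", 'Remove autorun value')) {
            Remove-ItemProperty -LiteralPath $key -Name $name
        }
    }
}
```

Run it first without -Remove, or with -Remove -WhatIf, to review the hits before anything is deleted.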
Current thread:
- New Win32 Worm regsvc32.exe offers rootkit features Markus Koetter (Mar 30)
- Re: New Win32 Worm regsvc32.exe offers rootkit features Raymond Dijkxhoorn (Mar 30)
- Re: New Win32 Worm regsvc32.exe offers rootkit features Alex (Mar 30)
- RE: New Win32 Worm regsvc32.exe offers rootkit features Aditya, ALD [Aditya Lalit Deshmukh] (Mar 30)
- Re: New Win32 Worm regsvc32.exe offers rootkit features Elia Florio (Mar 30)
- Re: New Win32 Worm regsvc32.exe offers rootkit features Raymond Dijkxhoorn (Mar 30)
- Re: New Win32 Worm regsvc32.exe offers rootkit features K.Seyhan (Mar 30)
- Re: New Win32 Worm regsvc32.exe offers rootkit features Markus Koetter (Mar 31)
- Security Hole in HTTP (RFC1945) - Browser-Spoofing Ron Stiemer (Mar 31)
- Re: New Win32 Worm regsvc32.exe offers rootkit features Markus Koetter (Mar 31)