Full Disclosure mailing list archives

Re: Re: Microsoft Update Loader msrtwd.exe


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 3 Sep 2004 09:50:59 -0700 (PDT)

When I first posted, I didn't have the EXE. When I
did receive a copy of the file, I was told I cannot
send it outside of the network.

Besides, I've been on this list long enough to know
that questions like mine are asked from time to
time.

If that's really the case, you should have known what
the response would be.  When you first posted, you
seemed to have absolutely nothing to go on, even the
file itself.  As Nick and others have pointed out
several times, filenames are next to useless.

In your original post, you said, "It's listed in the
Registry as "Microsoft Update Loader"", but you
couldn't say *where* in the Registry it was listed as
such.  Are we then to assume that you were referring
to the Run key?  Which hive?  Better yet, if you know
that it's in the Registry, why not simply state which
key it's located in?

From one of your responses in the thread:
"There were about 6 Registry entries in the HKLM
section. I don't have the compromised machine, so I
cannot tell you the exact locations.

We ran TCPview on the compromised machine and 
watched it connect to an IRC server. 

Okay, so you didn't *have* the compromised machine
when I asked the question, but at one point you and
someone else were sitting at the console of that
system running TCPView, and at no point could anyone
export the Registry entries to a text file or even
simply write down the keys.  

Since you eventually were able to get the .exe file
itself, did you run strings on it?  Check it for file
version info (some IRC bots, such as the russiantopz
bot, simply use mIRC32.exe as its core)?

You said you've been on the list for a while, so I
guess one question to ask you is, did you do
*anything* besides post to the list?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
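The two triage steps the reply asks about, running strings over the binary and checking its file version info for a wrapped mIRC client, as an added offline example (not code from the thread or from any list member). The sample bytes are constructed here to stand in for a suspicious executable, and the pairing of a version-info field name with the string that follows it is a heuristic assumption, not a full VS_VERSIONINFO parser.

```python
import re

# Constructed stand-in for a suspect binary: an "MZ" header, a UTF-16LE
# version-info fragment like the one a mIRC-based bot would carry, and
# a couple of ASCII strings an IRC client would embed.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "FileDescription".encode("utf-16-le") + b"\x00\x00"
    + "mIRC".encode("utf-16-le") + b"\x00\x00" + b"\x00" * 4
    + b"irc.example.invalid:6667\x00"
    + b"PRIVMSG #chan :hello\x00" + b"\x01\x02\x03"
)

# strings(1) only finds ASCII; version-info resources are UTF-16LE,
# so a second pattern covers printable chars interleaved with NULs.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Field names that appear as keys inside a PE version-info block.
VERSION_FIELDS = ("FileDescription", "CompanyName", "ProductName",
                  "OriginalFilename", "InternalName")

# Loose IRC markers: protocol verbs or the substring "irc" (catches mIRC).
IRC_RE = re.compile(r"(^|\W)(PRIVMSG|NICK|JOIN|NOTICE)(\W|$)|irc", re.I)


def extract_strings(data):
    """Return printable ASCII strings, then UTF-16LE strings (min 4 chars)."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


def version_info_hints(strings):
    """Heuristic: a version-info key is followed by its value in the dump."""
    hints = {}
    for i, s in enumerate(strings):
        if s in VERSION_FIELDS and i + 1 < len(strings):
            hints[s] = strings[i + 1]
    return hints


def triage(data):
    """Summarise what a first look at the file would have told the list."""
    strings = extract_strings(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "version_info": version_info_hints(strings),
        "irc_indicators": [s for s in strings if IRC_RE.search(s)],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; the version-info value is the kind of detail (here, that the "bot" is a renamed mIRC) that a post to the list should have included.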
