Full Disclosure mailing list archives
Re: Re: Microsoft Update Loader msrtwd.exe
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 3 Sep 2004 09:50:59 -0700 (PDT)
> When I first posted, I didn't have the EXE. When I did receive a copy of the file, I was told I cannot
> send it outside of the network. Besides, I've been on this list long enough to know that questions like mine are asked from time to time.
If that's really the case, you should have known what the response would be. When you first posted, you seemed to have absolutely nothing to go on, not even the file itself. As Nick and others have pointed out several times, filenames are next to useless. In your original post, you said, "It's listed in the Registry as 'Microsoft Update Loader'", but you couldn't say *where* in the Registry it was listed as such. Are we then to assume that you were referring to the Run key? Which hive? Better yet, if you know that it's in the Registry, why not simply state which key it's located in?
From one of your responses in the thread: "There were about 6 Registry entries in the HKLM section. I don't have the compromised machine, so I cannot tell you the exact locations. We ran TCPview on the compromised machine and watched it connect to an IRC server."
Okay, so you didn't *have* the compromised machine when I asked the question, but at one point you and someone else were sitting at the console of that system running TCPView, and at no point could anyone export the Registry entries to a text file or even simply write down the keys. Since you eventually were able to get the .exe file itself, did you run strings on it? Check it for file version info (some IRC bots, such as the russiantopz bot, simply use mIRC32.exe as its core)? You said you've been on the list for a while, so I guess one question to ask you is, did you do *anything* besides post to the list?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
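The triage step Harlan is asking about (run strings on the suspect binary and look for IRC protocol verbs and mIRC resource strings, which are what give away a bot built around mIRC32.exe) as an added example that is not code from this thread or its participants. It scans both ASCII and UTF-16LE strings, because Windows version-info fields such as ProductName are stored wide; the sample bytes are constructed and the indicator lists are my own assumptions.

```python
import re

# Printable ASCII runs of at least MIN_LEN bytes (like `strings -a`) and
# their UTF-16LE equivalent (like `strings -el`), which is where Windows
# VS_VERSIONINFO fields such as CompanyName/ProductName live.
MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed indicator lists: raw IRC protocol verbs a bot would embed, and
# strings that betray a repackaged mIRC client.
IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "MODE"}
MIRC_MARKERS = ("mirc", "mirc.ini", "remote.ini")


def extract_strings(data: bytes):
    """Return (ascii_strings, wide_strings) found in a binary blob."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_hits = [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return ascii_hits, wide_hits


def classify(strings):
    """Split extracted strings into IRC-protocol hints and mIRC-core hints."""
    irc, mirc = [], []
    for s in strings:
        if s.split(" ", 1)[0].upper() in IRC_VERBS:
            irc.append(s)
        if any(marker in s.lower() for marker in MIRC_MARKERS):
            mirc.append(s)
    return irc, mirc


def triage(data: bytes):
    """One-shot report an analyst can paste into a post instead of a bare filename."""
    ascii_hits, wide_hits = extract_strings(data)
    irc, mirc = classify(ascii_hits + wide_hits)
    return {"ascii": ascii_hits, "wide": wide_hits, "irc": irc, "mirc": mirc}


# Constructed sample: junk header bytes, two IRC commands, a UTF-16LE
# ProductName/mIRC pair, and a trailing verb. Not a real binary.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"NICK bot-constructed\r\n" + b"\x00\x01\x02"
          + b"JOIN #test\r\n" + "ProductName\0mIRC".encode("utf-16-le")
          + b"\xff\xfe" + b"PRIVMSG")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```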
Current thread:
- Re: Microsoft Update Loader msrtwd.exe Joe Stewart (Sep 01)
- <Possible follow-ups>
- Re: Microsoft Update Loader msrtwd.exe Feher Tamas (Sep 02)
- Re: Re: Microsoft Update Loader msrtwd.exe Über GuidoZ (Sep 03)
- Re: Re: Microsoft Update Loader msrtwd.exe S.A. Birl (Sep 03)
- Re: Re: Microsoft Update Loader msrtwd.exe Über GuidoZ (Sep 03)
- Re: Re: Microsoft Update Loader msrtwd.exe Harlan Carvey (Sep 03)