Full Disclosure mailing list archives
Re: Microsoft Update Loader msrtwd.exe
From: Joe Stewart <jstewart () lurhq com>
Date: Thu, 2 Sep 2004 10:49:55 -0400
On Thu, 2 Sep 2004 10:16:30 -0400, S.A. Birl wrote:
> Does anyone know how it infects?
Primarily via the LSASS exploit over port 445, but variants have been seen with the following additional exploits/password brute-force spreading modules:

    WebDav  Lsass135  Lsass1025  NetBios  NTPass  Dcom135  Dcom445  Dcom1025
    MSSQL   Beagle1   Beagle2    MyDoom   Optix   UPNP     NetDevil DameWare
    Kuang2  Sub7

After the exploit, the bot is copied to the victim using the Windows tftp client.
> http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen
Yes, some AV companies identify Rbot as SDbot, even though the two look almost nothing alike. It could be that Rbot was derived from SDbot, but it has grown substantially, and is almost on par with Agobot in terms of functionality. Because there are so many variants, each with a different exe name, it's sometimes hard to keep track of them. Just so it can be indexed for future reference, here is a list of Rbot exe names we've seen during exploit captures, and dates we've seen them spreading over the last 3 months:

    Dates Seen                Exe Name
    ---------------------------------
    2004/06/06 - 2004/06/27   lsrv.exe
    2004/06/06 - 2004/08/28   wuapdate16.exe
    2004/06/07 - 2004/06/15   sndcfg16.exe
    2004/06/07 - 2004/08/30   wuamgrd.exe
    2004/06/08 - 2004/06/27   lsac.exe
    2004/06/10 - 2004/06/10   winupdos.exe
    2004/06/10 - 2004/06/26   dosprmwin.exe
    2004/06/11 - 2004/06/11   systemse.exe
    2004/06/11 - 2004/08/18   scrgrd.exe
    2004/06/13 - 2004/06/13   dude.exe
    2004/06/14 - 2004/06/14   esplorer.exe
    2004/06/14 - 2004/06/14   landriver32.exe
    2004/06/14 - 2004/06/14   mpd.exe
    2004/06/14 - 2004/06/14   updatez.exe
    2004/06/14 - 2004/06/25   svssshost.exe
    2004/06/14 - 2004/08/26   jacfg2.exe
    2004/06/17 - 2004/06/26   wuammgr32.exe
    2004/06/18 - 2004/06/18   svhost.exe
    2004/06/18 - 2004/06/18   wuamgrd32.exe
    2004/06/18 - 2004/06/23   wuamagrd.exe
    2004/06/20 - 2004/06/20   wloader.exe
    2004/06/21 - 2004/08/29   pidserv.exe
    2004/06/22 - 2004/09/01   navscan32.exe
    2004/06/23 - 2004/06/23   hpsysmon.exe
    2004/06/24 - 2004/06/24   winipcfgs.exe
    2004/06/24 - 2004/06/24   wwwstream.exe
    2004/06/25 - 2004/06/25   lcsrv64.exe
    2004/06/25 - 2004/06/25   srvhost.exe
    2004/06/25 - 2004/06/25   systemnt.exe
    2004/06/25 - 2004/06/25   win64.exe
    2004/06/27 - 2004/06/27   win32apisrvr.exe
    2004/08/16 - 2004/08/24   soundblaster.exe
    2004/08/16 - 2004/08/25   msnmsg.exe
    2004/08/16 - 2004/08/27   windowsup.exe
    2004/08/16 - 2004/08/29   muamgrd.exe
    2004/08/16 - 2004/08/30   winupdater.exe
    2004/08/16 - 2004/08/31   win16update.exe
    2004/08/16 - 2004/09/01   dllmngr32.exe
    2004/08/17 - 2004/08/17   msdev.exe
    2004/08/17 - 2004/08/17   svchostc.exe
    2004/08/17 - 2004/08/31   javatm.exe
    2004/08/17 - 2004/08/31   usbsvc.exe
    2004/08/17 - 2004/09/01   msnmsgr.exe
    2004/08/18 - 2004/08/18   mnzks.exe
    2004/08/18 - 2004/08/18   notepad.exe
    2004/08/18 - 2004/08/18   tcpip.exe
    2004/08/19 - 2004/08/19   mss3rvices200x.exe
    2004/08/19 - 2004/08/19   msservices200x.exe
    2004/08/19 - 2004/09/01   iexplore.exe
    2004/08/23 - 2004/08/23   msrtwd.exe
    2004/08/24 - 2004/08/24   csass.exe
    2004/08/24 - 2004/08/24   winxp32.exe
    2004/08/24 - 2004/08/26   nmon.exe
    2004/08/24 - 2004/08/27   winupdate.exe
    2004/08/24 - 2004/09/01   msnplus.exe
    2004/08/25 - 2004/08/25   lsas.exe
    2004/08/25 - 2004/08/27   dwervdl32.exe
    2004/08/26 - 2004/08/26   jutsu.exe
    2004/08/26 - 2004/08/26   usb.exe
    2004/08/26 - 2004/08/26   win43.exe
    2004/08/27 - 2004/08/27   java.exe
    2004/08/27 - 2004/08/27   svchost32.exe
    2004/08/27 - 2004/08/29   iexplorer.exe
    2004/08/27 - 2004/08/30   ati2vid.exe
    2004/08/27 - 2004/08/30   svchosts.exe
    2004/08/29 - 2004/08/29   server.exe
    2004/08/29 - 2004/08/30   nortoanavap.exe
    2004/08/29 - 2004/09/02   syswin32.exe
    2004/08/30 - 2004/09/02   rsvc32.exe
    2004/08/30 - 2004/09/02   vsmons.exe
    2004/08/31 - 2004/08/31   winsrv.exe
    2004/09/02 - 2004/09/02   sslwina.exe
    2004/09/02 - 2004/09/02   winxpini.exe

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
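Many of the names in the list above mimic genuine Windows binaries (svhost.exe, csass.exe, lsas.exe, svchost32.exe) or reuse a real name outright (notepad.exe, iexplore.exe). The following Python routine is an added example, not part of Joe's post or any LURHQ tool: it scores sighted exe names against an assumed, illustrative allowlist of real Windows binary names and separates exact collisions (which only path and signature checks can resolve) from near-miss lookalikes. The allowlist and the sample sightings are constructed for this example.

```python
"""Added example (not from the post): triage sighted exe names against real Windows binary names."""
# Assumed allowlist of real Windows binary names (illustrative, not exhaustive).
LEGIT_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "iexplore.exe",
               "notepad.exe", "wuauclt.exe")

# Constructed sample of (first seen, exe name) pairs drawn from the post's table.
SIGHTINGS = [
    ("2004/06/18", "svhost.exe"),
    ("2004/08/24", "csass.exe"),
    ("2004/08/25", "lsas.exe"),
    ("2004/08/27", "svchost32.exe"),
    ("2004/08/27", "iexplorer.exe"),
    ("2004/08/19", "iexplore.exe"),
    ("2004/08/18", "notepad.exe"),
    ("2004/06/07", "wuamgrd.exe"),
    ("2004/06/13", "dude.exe"),
]

def edit_distance(a, b):
    """Levenshtein distance, classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify(name, legit=LEGIT_NAMES, max_dist=2):
    """Return (verdict, candidate real names).
    exact     - same name as a real binary; only path and signature tell them apart
    lookalike - within max_dist edits of a real name (svhost vs svchost)
    other     - no resemblance; judge on other evidence (path, autorun key, traffic)
    """
    n = name.lower()
    if n in legit:
        return "exact", [n]
    near = sorted(l for l in legit if edit_distance(n, l) <= max_dist)
    return ("lookalike", near) if near else ("other", [])

def triage(sightings):
    """Map each sighted exe name to its verdict."""
    return {name: classify(name) for _, name in sightings}

if __name__ == "__main__":
    for name, (verdict, near) in triage(SIGHTINGS).items():
        print(f"{name:16} {verdict:10} {' '.join(near)}")
```

A name like csass.exe is reported against both csrss.exe and lsass.exe, since it sits one edit from each; an "other" verdict such as wuamgrd.exe or dude.exe says nothing about the file and has to be judged on where it lives and how it was started.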