So rename it to a txt file. Just let everyone know. Or zip it maybe.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of S.A. Birl
Sent: Thursday, September 02, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

(Un)Fortunately, I am not allowed to distribute the exe. Does anyone know how it infects?

On Sep 1, Harlan Carvey ([EMAIL PROTECTED]) typed:

FD: Where in the Registry did you find it? Which key(s)?
FD: What about this makes you think it's a Trojan? Did
FD: you run fport/openports and find it listening on a
FD: port? Where does the Registry entry point to within
FD: the file system? Since the file is an .exe file, did
FD: you check it for version information?
FD:
FD: Since filenames are the easiest thing about a file to
FD: change, is there any information other than simply the
FD: name that you can provide?

There were about 6 Registry entries in the HKLM section. I don't have the compromised machine, so I cannot tell you the exact locations.

We ran TCPview on the compromised machine and watched it connect to an IRC server.

On Sep 1, Todd Towles ([EMAIL PROTECTED]) typed:

FD: I see one other post about it here..
FD:
FD: http://www.dslreports.com/forum/remark,10987569~mode=flat
FD:
FD: Sounds like malware to me. Did you send copies to any AV companies?

That URL is the same one I came across yesterday via Google.

A copy of it has been sent to Symantec.

On Sep 1, Joe Stewart <[EMAIL PROTECTED]> typed:

FD: We saw an Rbot variant spreading on August 23 with the same exe
FD: name. I've also seen other Rbot variants using a similar registry
FD: key name. Kaspersky does a pretty good job of spotting unknown Rbot
FD: variants with a generic signature "Backdoor.Rbot.gen".
FD:
FD: -Joe

http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
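Harlan Carvey's triage checklist in the thread (which Registry keys, where the entry points on disk, version information, what the process is connected to) written out as an added PowerShell script; this is example code, not anything posted by the participants. It assumes a modern Windows host where Get-NetTCPConnection is available, and takes the filename as a parameter defaulting to the one discussed.

```powershell
# Added triage example (not from the thread): find autorun Registry entries that
# reference a file name, show where each points on disk, print that file's version
# information and SHA-256, and list live TCP connections of any process by that name.
# Assumes a modern Windows host where Get-NetTCPConnection is available.
param([string]$FileName = 'msrtwd.exe')   # name discussed in the thread; change as needed

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$pattern = [regex]::Escape($FileName)
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not Registry values
$hits = [System.Collections.Generic.List[object]]::new()

# Run-style keys: every value is a command line, so match each value against the name
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $p.Name -or "$($p.Value)" -notmatch $pattern) { continue }
        $hits.Add([pscustomobject]@{ Key = $key; Value = $p.Name; Command = "$($p.Value)" })
    }
}
# Services launch through ImagePath; include those entries too
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $ip = "$((Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath)"
    if ($ip -match $pattern) { $hits.Add([pscustomobject]@{ Key = $svc.PSPath; Value = 'ImagePath'; Command = $ip }) }
}
$hits | Format-Table -AutoSize | Out-Host

# Resolve the binary each entry points to (strip quotes and arguments) and characterise it
foreach ($h in $hits) {
    $path = ($h.Command -replace '^"([^"]+)".*$', '$1') -replace '\.exe\b.*$', '.exe'
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $path)) { Write-Output "  $path not found on disk"; continue }
    $item = Get-Item -LiteralPath $path
    Write-Output "  $path  size=$($item.Length)  sha256=$((Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash)"
    $item.VersionInfo | Format-List CompanyName, ProductName, FileDescription, FileVersion | Out-Host
}

# Network view: connections owned by any running process with that image name
$procName = [IO.Path]::GetFileNameWithoutExtension($FileName)
foreach ($proc in Get-Process -Name $procName -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
        Select-Object LocalPort, RemoteAddress, RemotePort, State
}
```

Run it from an elevated prompt on the suspect host; the hash and version fields are what to send along with a sample, since the filename alone is the easiest thing for a bot author to change.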