Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
> google came back with a forum to do with sdbot; however, the file was listed as Morphine.

Morphine is not a virus or malware in itself, it's a tool for PE binary encryption, self-decrypting on execution. It actually places the whole source image into the .data section of a newly produced file. Basically, this should hinder your virus scanner from recognizing what this binary really is, since it only matches on the pattern for the Morphine engine itself.

See http://rootkit.host.sk

Regards,
J.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
(Un)Fortunately, I am not allowed to distribute the exe. Does anyone know how it infects?

On Sep 1, Harlan Carvey ([EMAIL PROTECTED]) typed:

FD: Where in the Registry did you find it? Which key(s)?
FD: What about this makes you think it's a Trojan? Did
FD: you run fport/openports and find it listening on a
FD: port? Where does the Registry entry point to within
FD: the file system? Since the file is an .exe file, did
FD: you check it for version information?
FD:
FD: Since filenames are the easiest thing about a file to
FD: change, is there any information other than simply the
FD: name that you can provide?

There were about 6 Registry entries in the HKLM section. I don't have the compromised machine, so I cannot tell you the exact locations. We ran TCPview on the compromised machine and watched it connect to an IRC server.

On Sep 1, Todd Towles ([EMAIL PROTECTED]) typed:

FD: I see one other post about it here..
FD:
FD: http://www.dslreports.com/forum/remark,10987569~mode=flat
FD:
FD: Sounds like malware to me. Did you send copies to any AV companies?

That URL is the same one I came across yesterday via Google. A copy of it has been sent to Symantec.

On Sep 1, Joe Stewart [EMAIL PROTECTED] typed:

FD: We saw an Rbot variant spreading on August 23 with the same exe
FD: name. I've also seen other Rbot variants using a similar registry
FD: key name. Kaspersky does a pretty good job of spotting unknown Rbot
FD: variants with a generic signature Backdoor.Rbot.gen.
FD:
FD: -Joe

http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen
RE: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
So rename it to a txt file. Just let everyone know. Or zip it maybe.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of S.A. Birl
Sent: Thursday, September 02, 2004 9:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

> (Un)Fortunately, I am not allowed to distribute the exe. Does anyone know how it infects?
Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
On Thu, 2 Sep 2004 10:16:30 -0400, S.A. Birl wrote:
> Does anyone know how it infects?

Primarily via the LSASS exploit over port 445, but variants have been seen with the following additional exploits/password brute-force spreading modules:

WebDav
Lsass135
Lsass1025
NetBios
NTPass
Dcom135
Dcom445
Dcom1025
MSSQL
Beagle1
Beagle2
MyDoom
Optix
UPNP
NetDevil
DameWare
Kuang2
Sub7

After the exploit, the bot is copied to the victim using the Windows tftp client.

> http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

Yes, some AV companies identify Rbot as SDbot, even though the two look almost nothing alike. It could be that Rbot was derived from SDbot, but it has grown substantially, and is almost on par with Agobot in terms of functionality.

Because there are so many variants, each with a different exe name, it's sometimes hard to keep track of them. Just so it can be indexed for future reference, here is a list of Rbot exe names we've seen during exploit captures, and dates we've seen them spreading over the last 3 months:

Dates Seen               Exe Name
-----------------------------------------
2004/06/06 - 2004/06/27  lsrv.exe
2004/06/06 - 2004/08/28  wuapdate16.exe
2004/06/07 - 2004/06/15  sndcfg16.exe
2004/06/07 - 2004/08/30  wuamgrd.exe
2004/06/08 - 2004/06/27  lsac.exe
2004/06/10 - 2004/06/10  winupdos.exe
2004/06/10 - 2004/06/26  dosprmwin.exe
2004/06/11 - 2004/06/11  systemse.exe
2004/06/11 - 2004/08/18  scrgrd.exe
2004/06/13 - 2004/06/13  dude.exe
2004/06/14 - 2004/06/14  esplorer.exe
2004/06/14 - 2004/06/14  landriver32.exe
2004/06/14 - 2004/06/14  mpd.exe
2004/06/14 - 2004/06/14  updatez.exe
2004/06/14 - 2004/06/25  svssshost.exe
2004/06/14 - 2004/08/26  jacfg2.exe
2004/06/17 - 2004/06/26  wuammgr32.exe
2004/06/18 - 2004/06/18  svhost.exe
2004/06/18 - 2004/06/18  wuamgrd32.exe
2004/06/18 - 2004/06/23  wuamagrd.exe
2004/06/20 - 2004/06/20  wloader.exe
2004/06/21 - 2004/08/29  pidserv.exe
2004/06/22 - 2004/09/01  navscan32.exe
2004/06/23 - 2004/06/23  hpsysmon.exe
2004/06/24 - 2004/06/24  winipcfgs.exe
2004/06/24 - 2004/06/24  wwwstream.exe
2004/06/25 - 2004/06/25  lcsrv64.exe
2004/06/25 - 2004/06/25  srvhost.exe
2004/06/25 - 2004/06/25  systemnt.exe
2004/06/25 - 2004/06/25  win64.exe
2004/06/27 - 2004/06/27  win32apisrvr.exe
2004/08/16 - 2004/08/24  soundblaster.exe
2004/08/16 - 2004/08/25  msnmsg.exe
2004/08/16 - 2004/08/27  windowsup.exe
2004/08/16 - 2004/08/29  muamgrd.exe
2004/08/16 - 2004/08/30  winupdater.exe
2004/08/16 - 2004/08/31  win16update.exe
2004/08/16 - 2004/09/01  dllmngr32.exe
2004/08/17 - 2004/08/17  msdev.exe
2004/08/17 - 2004/08/17  svchostc.exe
2004/08/17 - 2004/08/31  javatm.exe
2004/08/17 - 2004/08/31  usbsvc.exe
2004/08/17 - 2004/09/01  msnmsgr.exe
2004/08/18 - 2004/08/18  mnzks.exe
2004/08/18 - 2004/08/18  notepad.exe
2004/08/18 - 2004/08/18  tcpip.exe
2004/08/19 - 2004/08/19  mss3rvices200x.exe
2004/08/19 - 2004/08/19  msservices200x.exe
2004/08/19 - 2004/09/01  iexplore.exe
2004/08/23 - 2004/08/23  msrtwd.exe
2004/08/24 - 2004/08/24  csass.exe
2004/08/24 - 2004/08/24  winxp32.exe
2004/08/24 - 2004/08/26  nmon.exe
2004/08/24 - 2004/08/27  winupdate.exe
2004/08/24 - 2004/09/01  msnplus.exe
2004/08/25 - 2004/08/25  lsas.exe
2004/08/25 - 2004/08/27  dwervdl32.exe
2004/08/26 - 2004/08/26  jutsu.exe
2004/08/26 - 2004/08/26  usb.exe
2004/08/26 - 2004/08/26  win43.exe
2004/08/27 - 2004/08/27  java.exe
2004/08/27 - 2004/08/27  svchost32.exe
2004/08/27 - 2004/08/29  iexplorer.exe
2004/08/27 - 2004/08/30  ati2vid.exe
2004/08/27 - 2004/08/30  svchosts.exe
2004/08/29 - 2004/08/29  server.exe
2004/08/29 - 2004/08/30  nortoanavap.exe
2004/08/29 - 2004/09/02  syswin32.exe
2004/08/30 - 2004/09/02  rsvc32.exe
2004/08/30 - 2004/09/02  vsmons.exe
2004/08/31 - 2004/08/31  winsrv.exe
2004/09/02 - 2004/09/02  sslwina.exe
2004/09/02 - 2004/09/02  winxpini.exe

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
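One way to put Joe's table and the "Microsoft Update Loader" registry value name to use on the defender's side: an added example (not code from the thread or from LURHQ) that parses rows in the post's "Dates Seen / Exe Name" layout and triages Run-key entries against them, rating hits on names that also belong to legitimate binaries as weak, since those need the version-info or hash check Harlan asked about. The Run-key entries and the LEGIT_NAMES set are constructed assumptions, not data from the thread.

```python
import re
from datetime import date
# Added example, not code from the thread. RBOT_TABLE holds four rows copied
# from the post's "Dates Seen / Exe Name" table; SAMPLE_RUN_KEY is constructed.
RBOT_TABLE = """
2004/06/07 - 2004/08/30 wuamgrd.exe
2004/08/18 - 2004/08/18 notepad.exe
2004/08/23 - 2004/08/23 msrtwd.exe
2004/08/27 - 2004/08/27 svchost32.exe
"""
# Assumed: names shared with legitimate binaries, so a name-only hit is weak.
LEGIT_NAMES = {"notepad.exe", "iexplore.exe", "java.exe", "server.exe"}
ROW = re.compile(r"(\d{4})/(\d\d)/(\d\d) - (\d{4})/(\d\d)/(\d\d) (\S+\.exe)")

def parse_table(text):
    """Return {exe name (lowercase): (first seen, last seen)}."""
    seen = {}
    for m in ROW.finditer(text):
        y1, m1, d1, y2, m2, d2, name = m.groups()
        seen[name.lower()] = (date(int(y1), int(m1), int(d1)),
                              date(int(y2), int(m2), int(d2)))
    return seen

def exe_basename(command):
    """Basename of the executable in a Run-key command line."""
    cmd = command.strip()
    cmd = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return cmd.replace("/", "\\").split("\\")[-1].lower()

def triage(entries, table):
    """entries: (value name, command) pairs read from a Run key.
    Returns (value name, exe, verdict) for each entry showing an Rbot trait."""
    hits = []
    for value_name, command in entries:
        exe = exe_basename(command)
        if "microsoft update loader" in value_name.lower():
            hits.append((value_name, exe, "strong: Rbot registry value name"))
        elif exe in table:
            kind = "weak" if exe in LEGIT_NAMES else "strong"
            hits.append((value_name, exe, kind + ": exe name in Rbot list"))
    return hits

SAMPLE_RUN_KEY = [  # constructed HKLM\...\Run values, not from any real host
    ("Microsoft Update Loader", r"C:\WINDOWS\system32\msrtwd.exe"),
    ("Windows Update", r'"C:\WINDOWS\system32\wuamgrd.exe" /silent'),
    ("Notepad", r"C:\WINDOWS\notepad.exe"),
    ("Adobe Reader Speed Launch", r'"C:\Program Files\Adobe\reader_sl.exe"'),
]
```

Pasting the full table from the post into RBOT_TABLE works unchanged, since the row regex matches its layout.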
RE: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
I see one other post about it here..

http://www.dslreports.com/forum/remark,10987569~mode=flat

Sounds like malware to me. Did you send copies to any AV companies?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of S.A. Birl
Sent: Wednesday, September 01, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

> Hello all:
>
> Recently discovered a trojan(? - possibly a virus) called msrtwd.exe. It's listed in the Registry as Microsoft Update Loader
>
> Does anyone know anything about this? Google doesn't offer much.
[Full-Disclosure] Microsoft Update Loader msrtwd.exe
Hello all:

Recently discovered a trojan(? - possibly a virus) called msrtwd.exe. It's listed in the Registry as Microsoft Update Loader

Does anyone know anything about this? Google doesn't offer much.

Thanks

Scott Birl                    http://concept.temple.edu/sysadmin/
Senior Systems Administrator  Computer Services
                              Temple University
Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
On Wed, 1 Sep 2004 15:08:56, Scott Birl wrote:
> Recently discovered a trojan(? - possibly a virus) called msrtwd.exe. It's listed in the Registry as Microsoft Update Loader
>
> Does anyone know anything about this? Google doesn't offer much.

We saw an Rbot variant spreading on August 23 with the same exe name. I've also seen other Rbot variants using a similar registry key name. Kaspersky does a pretty good job of spotting unknown Rbot variants with a generic signature Backdoor.Rbot.gen.

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
google came back with a forum to do with sdbot; however, the file was listed as Morphine.

I saw a copy of one of the recent worms which had generated a very large number of exe's which all had previously uncaptured names. If it's not being picked up by your virus scanner, send it to their team, get another and run a scan over the computer from a known clean source, such as a BartPE bootdisk or a remote uncompromised box.

On Wed, 1 Sep 2004 15:08:56 -0400 (EDT), S.A. Birl [EMAIL PROTECTED] wrote:
> Hello all:
>
> Recently discovered a trojan(? - possibly a virus) called msrtwd.exe. It's listed in the Registry as Microsoft Update Loader
>
> Does anyone know anything about this? Google doesn't offer much.
Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
> Recently discovered a trojan(? - possibly a virus) called msrtwd.exe. It's listed in the Registry as Microsoft Update Loader
>
> Does anyone know anything about this? Google doesn't offer much.

Where in the Registry did you find it? Which key(s)?

What about this makes you think it's a Trojan? Did you run fport/openports and find it listening on a port? Where does the Registry entry point to within the file system? Since the file is an .exe file, did you check it for version information?

Since filenames are the easiest thing about a file to change, is there any information other than simply the name that you can provide?
Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe
You can run it through http://www.virustotal.com and see if it catches anything.

J

S.A. Birl wrote:
> Hello all:
>
> Recently discovered a trojan(? - possibly a virus) called msrtwd.exe. It's listed in the Registry as Microsoft Update Loader
>
> Does anyone know anything about this? Google doesn't offer much.