Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-30 Thread Raymond Dijkxhoorn
Hi!

> my girlfriend got a new? worm on her win2k desktop.
> The worm is quite aggressive in spreading, netstat -a did not find an
> end, I expect it to be a phatbot/agobot4 fork
> seems like it invaded on port 1025, I don't know which services were
> offered there, but I saw several connections to p

Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-30 Thread Alex
Looks like an IRC backdoor.

Check the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete the entry with regsvc32.exe (such as Registration Service = "regsvc32.exe").
Do the same with
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Alex

- Original Message -
From: "Markus

Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-30 Thread Elia Florio
Hi list,

my Symantec AV Corporate Edition v 8.00.9374 with Scan Engine 4.1.0.15 and the latest updates (28/3/2004 rev.50) does not find any worm or virus in your file (regsvc32.exe). Maybe a new worm or a modified old worm.

The file tries to impersonate the real "\WINDOWS\SYSTEM32\regsvr32.exe" with a fake

Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-30 Thread Raymond Dijkxhoorn
Hi!

> my Symantec AV Corporate Edition v 8.00.9374
> with Scan Engine 4.1.0.15 and the latest updates (28/3/2004 rev.50)
> does not find any worm or virus in your file (regsvc32.exe).
> Maybe a new worm or a modified old worm.

The Clam team has added it and it will be pushed in the next DB update:

Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-30 Thread K.Seyhan
You got infected with an IRC zombie; removal of the bot is pretty easy.

Just remove the following registry keys:
Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\\Generic Service Process
Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Generic Service Process

and remove the following entries

RE: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-30 Thread Aditya, ALD [Aditya Lalit Deshmukh]
> > > Looks like an IRC backdoor
> > check the registry key:
> > HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete
> > the entry with regsvc32.exe
> > (such as Registration Service = "regsvc32.exe")
> > Do the same with
> > HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

the port 1025 is good u

Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features

2004-03-31 Thread Markus Koetter
On Wed, 31.03.2004 at 02:04, K.Seyhan wrote:

> You got infected with an IRC zombie

as I expected :)

Can somebody give me the DNS, port, channel and password? Otherwise I have to carry my Linux box to her apartment and log myself in. I want to talk about netiquette with the owner / check spreading.

Markus

i du