Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features
- To: Elia Florio <eflorio@xxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] New Win32 Worm regsvc32.exe offers rootkit features
- From: Raymond Dijkxhoorn <raymond@xxxxxxxxxxxxxxx>
- Date: Wed, 31 Mar 2004 00:46:40 +0200 (CEST)
Hi!
> my Symantec AV Corporate Edition v 8.00.9374
> with Scan Engine 4.1.0.15 and the latest updates (28/3/2004 rev. 50)
> does not find any worm or virus in your file (regsvc32.exe).
> Maybe a new worm or a modified old worm.
The Clam team has added it and it will be pushed in the next DB update:
Date: 30-03-2004 23:16:11 +0200
Original Filename: C:\TEMP\infected\dcc\regsvc32.exe
Reported virus name: Unknown Virus
Has been reviewed by: Christoph Cordes
Submission added: Yes (as Worm.Gaobot.6)
> The file tries to impersonate the real "\WINDOWS\SYSTEM32\regsvr32.exe"
> with a fake name, but instead is a worm compressed with ASPack 2.12.
> If you look at the import table, the worm seems to use
> "NetShareEnum", "ShellExecuteA" and the winsock API from Windows.
>
> I think it's not a full rootkit as you say, but maybe it contains some stealth
> code because it imports "EnumProcessModules" from psapi.dll, used to list
> the Windows process list.
It's Phatbot. New variant, one of the zillion variants around :)
Bye,
Raymond.
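Added example, not code from the thread, from ClamAV or from any of the posters: a stand-alone Python script that performs the static triage Elia describes in the quoted message, walking the PE32 import directory to look for NetShareEnum, ShellExecuteA, EnumProcessModules and Winsock imports, and checking the section table for the .aspack/.adata section names ASPack typically adds. It deliberately avoids pefile so the import-directory walk (descriptors, lookup table, hint/name entries, ordinal flag) is visible. The binary it analyses is constructed in memory by build_sample_pe() from an assumed import set; it is not the real regsvc32.exe, and the SUSPECT_IMPORTS descriptions are the author's own reading of what those APIs are normally used for.

```python
"""Static import-table triage of a PE32 file without pefile. Added example, not
code from the thread; the 'sample' binary is constructed in memory below."""
import struct

# Imports the thread singled out, with the behaviour each one hints at.
SUSPECT_IMPORTS = {
    ("netapi32.dll", "NetShareEnum"): "enumerates network shares (spreading)",
    ("shell32.dll", "ShellExecuteA"): "launches other programs or payloads",
    ("psapi.dll", "EnumProcessModules"): "inspects modules loaded in processes",
}
WINSOCK_DLLS = {"ws2_32.dll", "wsock32.dll"}                 # any import = network I/O
PACKER_SECTIONS = {".aspack": "ASPack", ".adata": "ASPack"}  # section names ASPack typically adds

# Constructed sample (assumption): the import set the thread describes, not the real file.
SAMPLE_IMPORTS = {
    "NETAPI32.dll": ["NetShareEnum"],
    "SHELL32.dll": ["ShellExecuteA"],
    "PSAPI.DLL": ["EnumProcessModules"],
    "WS2_32.dll": ["WSAStartup", "socket", "connect"],
}

def build_sample_pe(imports, extra_sections=(".aspack", ".adata")):
    """Assemble a minimal PE32 image: a .idata section holding the import
    directory, plus empty sections named the way a packer would name them."""
    base, sec, descs = 0x1000, bytearray((len(imports) + 1) * 20), []
    for dll, funcs in imports.items():
        name_rva, hints = base + len(sec), []
        sec += dll.encode() + b"\0"
        for fn in funcs:                                   # hint/name entries
            hints.append(base + len(sec))
            sec += struct.pack("<H", 0) + fn.encode() + b"\0"
        sec += b"\0" * (-len(sec) % 4)
        thunks = b"".join(struct.pack("<I", h) for h in hints) + b"\0" * 4
        ilt = base + len(sec)
        sec += thunks                                      # import lookup table
        iat = base + len(sec)
        sec += thunks                                      # import address table
        descs.append((ilt, name_rva, iat))
    for i, (ilt, name_rva, iat) in enumerate(descs):       # IMAGE_IMPORT_DESCRIPTOR
        struct.pack_into("<IIIII", sec, i * 20, ilt, 0, 0, name_rva, iat)
    raw = -(-len(sec) // 0x200) * 0x200
    sec += b"\0" * (raw - len(sec))
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew -> PE signature
    struct.pack_into("<HHIIIHH", hdr, 0x44,                # COFF header
                     0x14C, 1 + len(extra_sections), 0, 0, 0, 0xE0, 0x102)
    opt = 0x58                                             # optional header, PE32
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, base, (len(descs) + 1) * 20)  # import dir
    st = opt + 0xE0                                        # section table
    struct.pack_into("<8sIIII", hdr, st, b".idata", raw, base, raw, 0x200)
    for i, name in enumerate(extra_sections):
        struct.pack_into("<8sIIII", hdr, st + 40 * (i + 1), name.encode(),
                         0x1000, 0x2000 + 0x1000 * i, 0, 0)
    return bytes(hdr + sec)

def parse_pe(data):
    """Return ({dll: [function or 'ordinal#N']}, [section names]) for a PE32 file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt, st = pe + 24, pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled; PE32+ shifts the data directories")
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]          # data directory[1]
    secs = [struct.unpack_from("<8sIIII", data, st + 40 * i) for i in range(nsec)]
    names = [s[0].rstrip(b"\0").decode("ascii", "replace") for s in secs]
    def off(rva):                      # RVA -> file offset through the section table
        for _, vsize, va, rsize, rptr in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError(f"RVA {rva:#x} maps to no section")
    def cstr(o):
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")
    imports, d = {}, off(imp_rva) if imp_rva else None
    while d is not None and any(desc := struct.unpack_from("<IIIII", data, d)):
        ilt, _, _, name_rva, iat = desc                    # all-zero entry ends the list
        funcs, t = [], off(ilt or iat)                     # no ILT: walk the unbound IAT
        while e := struct.unpack_from("<I", data, t)[0]:
            funcs.append(f"ordinal#{e & 0xFFFF}" if e & 0x80000000 else cstr(off(e) + 2))
            t += 4
        imports[cstr(off(name_rva)).lower()] = funcs
        d += 20
    return imports, names

def triage(data):
    """Flag the imports and section names a worm/bot analyst would look at first."""
    imports, names = parse_pe(data)
    findings = [f"{dll}!{fn}: {why}" for (dll, fn), why in SUSPECT_IMPORTS.items()
                if fn in imports.get(dll, [])]
    findings += [f"{dll}: Winsock network I/O ({', '.join(imports[dll])})"
                 for dll in sorted(d for d in imports if d in WINSOCK_DLLS)]
    packers = sorted({PACKER_SECTIONS[n] for n in names if n in PACKER_SECTIONS})
    return {"imports": imports, "sections": names, "findings": findings, "packers": packers}
```

On a real file, call triage(open(path, "rb").read()). One caveat when the sample is packed, as this one was: a packer's on-disk import table is usually cut down to a handful of kernel32 entries (typically just LoadLibraryA/GetProcAddress), and the original imports are resolved by the stub at run time, so a suspiciously small import table on a large executable is itself a finding, and the full list only becomes visible after unpacking or in a memory dump.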
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html