Re: [Dshield] Odd things occurring on TCP 135.

  • To: "General DShield Discussion List" <[EMAIL PROTECTED]>
  • Subject: Re: [Dshield] Odd things occurring on TCP 135.
  • From: "Micheal Patterson" <[EMAIL PROTECTED]>
  • Date: Wed, 1 Oct 2003 17:38:46 -0500
  • Old-x-envelope-to: [EMAIL PROTECTED]
  • References: <[EMAIL PROTECTED]>
  • Reply-to: General DShield Discussion List <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
Norton describes this as a variant of hacktool, F-Secure describes it as a
variant of Agobot. I've sent a sample to [EMAIL PROTECTED]

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600


----- Original Message ----- 
From: "NOD32 Technical support (Mark)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 01, 2003 5:18 PM
Subject: RE: [Dshield] Odd things occurring on TCP 135.


> Dear Michael,
>
> If possible, please send us the file regldr.exe for analysis.
> If it is actually a virus, we will add it in as short a time as possible.
>
>
>
> Best regards,
>
> Mark
> [EMAIL PROTECTED]
>
> ESET Software Technical Support
> www.nod32.com
>
> =========================================
> NOD32 ... protecting your digital worlds!
> =========================================
>
>
>
> -----Original Message-----
> From: Micheal Patterson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 30, 2003 3:59 AM
> To: [EMAIL PROTECTED]
> Subject: [Dshield] Odd things occurring on TCP 135.
> Importance: High
>
>
> This morning, I got a call from one of our laptop users complaining that
> when she tries to send mail, the system reports that it's out of memory.
> Since this laptop hasn't been used in some time, I went over and took the
> station off line. Too many things have come down the pipe for me to want to
> leave this thing on the network. I immediately suspected that it hadn't been
> patched, and was correct. I hooked it up on a local test LAN and started
> monitoring its traffic to see if it was attempting to propagate anything.
> Sure enough, it was hammering TCP port 135 on our neighboring class C's. We
> filter traffic both inbound and outbound at our border so it didn't pass
> outside of our network, and all other hosts have been verified as being at
> current patch levels, so this is an isolated incident. I checked Add/Remove
> Programs and found that it wasn't viewable, similar to the Blaster / Welchia
> issue corrupting DCOM.
>
> I at first suspected Blaster or one of its variants, no luck. Then I
> checked for Welchia, again, nothing. I scanned it from local clean CD copies
> of Norton and McAfee with current defs as well as ran the currently
> available version of Stinger against it. Still nothing turned up. When we
> checked the process list, we found one called regloadr.exe and killed that
> process. Once dead, the system returned to normal operation with no further
> attempts to scan TCP 135. Add / Remove Programs was again available and the
> system appeared to be running normally after that. When the registry was
> scanned, there were 2 entries pertaining to regloadr.exe; both were removed,
> and the regloadr.exe file deleted. The system is still running on the test
> LAN with its traffic being monitored for further testing. We would normally
> blow this system away and reinstall from media, but we want to know just
> what is going on with it.
>
> I placed a copy of the exe on one of our *nix boxes and ran current versions
> of f-prot, sweep and clamav against it and still turned up nothing. A
> hexdump turns up very little. It appears to be checking for tftpd, so at
> this point we're not sure if this is a completely unknown virus or if it is
> a small portion of a larger issue. Either way, we would like to know just
> what this thing is. I've done a Google search for regloadr.exe and turned up
> nothing. MS has nothing about this filename in their knowledge base. We then
> attempted to check its MD5 against various search engines, but again, we
> turned up nothing. Its MD5 checksum (regloadr.exe) is
> 1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.
>
> We can't identify just what this thing is. Has anyone seen this file
> before?
>
> Thanks.
>
> --
>
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-917-0600
>
>
> _______________________________________________
> list mailing list
> [EMAIL PROTECTED]
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>

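The symptom that gave the infected laptop away was one host contacting many distinct neighbouring machines on TCP 135. Below is an added example (not code from the thread or from any of its participants) of the check a defender can run over outbound connection logs: it counts distinct tcp/135 destinations per source so a worm sweep stands out while a normal client retrying one RPC server does not. The log format, addresses and threshold are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (format assumed for this example): one unpatched
# host, 10.1.5.23, sweeping TCP 135 across two neighbouring /24s, mixed with
# a legitimate client that retries a single RPC server and some mail traffic.
SAMPLE_LOG = [
    f"2003-09-30T03:41:{i:02d} src=10.1.5.23 dst=10.1.{6 + i % 2}.{i + 1} "
    f"dport=135 proto=tcp"
    for i in range(40)
] + [
    "2003-09-30T03:41:05 src=10.1.5.40 dst=10.1.5.2 dport=135 proto=tcp",
    "2003-09-30T03:41:07 src=10.1.5.40 dst=10.1.5.2 dport=135 proto=tcp",
    "2003-09-30T03:41:09 src=10.1.5.41 dst=198.51.100.7 dport=25 proto=tcp",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse(line):
    """Return the src/dst/dport/proto fields of one log line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_tcp135_sweepers(lines, min_hosts=20):
    """Map each source that reached >= min_hosts distinct tcp/135 targets to
    its distinct-host count and the /24s it touched. Distinct destinations,
    not raw connection count, is the signal: repeats to one server are not a
    sweep."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != "135":
            continue
        targets[rec["src"]].add(rec["dst"])
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_hosts:
            subnets = sorted({d.rsplit(".", 1)[0] for d in dsts})
            report[src] = {"hosts": len(dsts), "subnets": subnets}
    return report


if __name__ == "__main__":
    for src, info in find_tcp135_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {info['hosts']} hosts on tcp/135 across {info['subnets']}")
```

Isolating the flagged host on a test LAN, as done in the thread, and then watching whether the sweep stops after a suspect process is killed is the same measurement applied before and after the cleanup.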