[Dshield] Trojan-like behavior

KeithTarrant@spamcop.net KeithTarrant at spamcop.net
Fri Oct 25 20:44:36 GMT 2002


Bob -

A search on www.google.com turned up a link to McAfee's virus dictionary:

http://vil.nai.com/vil/content/v_99756.htm

W32/Gaobot.worm

"This threat can be detected with DATs prior to 4230 with engine 4.1.60 as
"New Backdoor1" if the option to scan with "Program File Heuristics
Scanning" is enabled.

This worm may try to act as an IRC Bot, and to spread through KaZaA and
network shares. When run, the worm tries to contact a site which now
appears to be down, and to grab CD keys for games including Half-Life and
Warcraft III.

The worm then copies itself to the WINDOWS SYSTEM directory and references
itself in the registry so that it will be loaded again at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Config Loader" = sysldr32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Config Loader" = sysldr32.exe "

I'll leave it to you to go through the details of whether this is what you
have or not.

If you already ran the
  Housecall.antivirus.com
web based scanner, you could try
  Symantec's security1.norton.com
web based scanner, since some malware interferes with virus scanners.

- Keith

----- Original Message -----
From: "Bob Savage" <bsavage at rnr-inc.com>
To: <list at dshield.org>
Sent: Friday, October 25, 2002 11:10 AM
Subject: [Dshield] Trojan-like behavior


> The discussion on "Friendly Greeting" reminds me of something I found on
> a family member's machine a few weeks ago.
>
> Do any of these names mean anything to anybody in this group?
>
> agobot
> sysldr32.exe
> spoinggg.exe
>
> I was asked to check the machine because the user was getting
> undeliverable notices on emails he hadn't sent.  I discovered
> spoinggg.exe trying to access the internet.  Notes in the object
> properties said it was from "agobot".  Icon beside the file appeared to
> be a cartoon devil.  Subsequently found sysldr32.exe, same icon, same
> file size, property note.  Both files were in WINNT\System32\.  Frankly,
> "sysldr32" sounds official enough that I was a little hesitant to take a
> hammer to it.  Googled all three of these names, also searched the MS
> Knowledge Base and several anti-virus sites, all unsuccessfully.  Turned
> up nothing.
>
> None of this stuff showed up in "Add/Remove Programs".  AdAware and
> Trend Micro didn't care about them.  Sysldr32 was running as a service
> and I had a hard time getting it stopped and deleted.  Spoinggg was a
> little easier.   Also found numerous registry references to sysldr32.
> User has had no further problem and says there has been no adverse
> result from deleting these programs.  Incidentally, the operating system
> (W2K) is fully patched and the anti-virus software is up-to-date.  I
> know because I did all that myself.
>
> Beyond that I couldn't figure out anything.  Anybody seen these or
> anything like this?
>
>
> Bob Savage
>
>
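The two autorun keys Keith quotes from McAfee's entry (Run and RunServices, value "Config Loader" = sysldr32.exe) are the kind of thing that can be checked mechanically on a suspect machine. The script below is an added example for this thread, not code from the Dshield post or from McAfee's write-up. It parses the text format `reg export` writes for those keys and flags values that match the indicators named in the thread (the value name, sysldr32.exe, spoinggg.exe) or that give a bare filename with no directory, which is worth a second look because the worm drops its copy in the system directory and relies on the default search path. The sample export it runs on is constructed for the example; the benign entries in it are invented.

```python
"""Flag suspicious autorun entries in a `reg export` text dump.

Added example for the Dshield thread; not code from the post or from
McAfee's W32/Gaobot.worm entry. Key paths, the value name "Config Loader"
and the two executable names come from the thread; the sample export
below is constructed.
"""
import re
from typing import Dict, List

# Indicators taken from the thread (McAfee entry and Bob's post).
SUSPECT_VALUE_NAMES = {"config loader"}
SUSPECT_BINARIES = {"sysldr32.exe", "spoinggg.exe"}

# Autorun keys named in the McAfee entry (compared case-insensitively).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed sample in `reg export` format; "Example Tray" and
# "Update Check" are invented benign-looking entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example Tray"="\"C:\\Program Files\\Example\\tray.exe\" /background"
"Config Loader"="sysldr32.exe"
"Update Check"="updchk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Config Loader"="sysldr32.exe"
'''

# "name"="string data" lines; other value types (dword:, hex:) are skipped.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo the backslash escaping .reg files apply to string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def _program_path(command: str) -> str:
    """Return the program part of a command line (quoted, or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_suspect_autoruns(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """Check every value under the autorun keys; return the flagged ones."""
    findings = []
    for key, values in keys.items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            path = _program_path(data)
            exe = path.rsplit("\\", 1)[-1].lower()
            reasons = []
            indicator = name.lower() in SUSPECT_VALUE_NAMES or exe in SUSPECT_BINARIES
            if name.lower() in SUSPECT_VALUE_NAMES:
                reasons.append("value name is a known indicator")
            if exe in SUSPECT_BINARIES:
                reasons.append(f"{exe} is a known indicator")
            if "\\" not in path:
                # Heuristic only: a bare name is resolved via the search
                # path at logon, which is how the dropped copy gets run.
                reasons.append("bare filename, no directory given")
            if reasons:
                findings.append({
                    "key": key.rsplit("\\", 1)[-1],
                    "value": name,
                    "exe": exe,
                    "severity": "high" if indicator else "review",
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspect_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f['severity']:6}] {f['key']}\\{f['value']} -> {f['exe']}: "
              + "; ".join(f["reasons"]))
```

On a real machine, export the two keys with `reg export` to a file and feed its contents to `parse_reg_export` instead of the constructed sample; entries rated "review" are only worth a look, while "high" means a name from the thread turned up.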
