[Dshield] Odd things occuring on TCP 135.

Micheal Patterson micheal at tsgincorporated.com
Wed Oct 1 22:38:46 GMT 2003

Norton describes this as a variant of hacktool, F-Secure describes it as a
variant of Agobot. I've sent a sample to samples at nod32.com


Micheal Patterson
Network Administration
Cancer Care Network

----- Original Message ----- 
From: "NOD32 Technical support (Mark)" <zeman at eset.sk>
To: <micheal at tsgincorporated.com>
Sent: Wednesday, October 01, 2003 5:18 PM
Subject: RE: [Dshield] Odd things occuring on TCP 135.

> Dear Michael,
> if possible, please send us the file regldr.exe for analysis.
> If it is actually a virus, we will add it in as short a time as possible.
> Best regards,
> Mark
> zeman at eset.sk
> ESET Software Technical Support
> www.nod32.com
> =========================================
> NOD32 ... protecting your digital worlds!
> =========================================
> -----Original Message-----
> From: Micheal Patterson [mailto:micheal at tsgincorporated.com]
> Sent: Tuesday, September 30, 2003 3:59 AM
> To: zeman at eset.sk
> Subject: [Dshield] Odd things occuring on TCP 135.
> Importance: High
> This morning, I got a call from one of our laptop users complaining that
> when she tries to send mail, the system reports that it's out of memory.
> Since this laptop hasn't been used in some time, I went over and took the
> station off line. Too many things have come down the pipe for me to want
> to leave this thing on the network. I immediately suspected that it hadn't
> been patched, and was correct. I hooked it up on a local test lan and started
> monitoring its traffic to see if it was attempting to propagate anything.
> Sure enough, it was hammering tcp port 135 on our neighboring class C's.
> We filter traffic both inbound and outbound at our border so it didn't pass
> outside of our network and all other hosts have been verified as being at
> current patch levels so this is an isolated incident. I checked Add/Remove
> Programs and found that it wasn't viewable, similar to the Blaster /
> issue corrupting DCOM.
>
> I at first suspected Blaster or one of its variants, no luck. Then I
> checked for Welchia, again, nothing. I scanned it from a local clean CD
> of Norton and McAfee with current defs as well as ran the currently
> available version of Stinger against it. Still nothing turned up. When we
> checked the process list, we found one called regloadr.exe and killed that
> process. Once dead, the system returned to normal operation with no
> attempts to scan tcp 135. Add / Remove Programs was again available and
> the system appeared to be running normally after that. When the registry was
> scanned, there were 2 entries pertaining to regloadr.exe, both were
> and the regloadr.exe file deleted. The system is still running on the test
> lan with its traffic being monitored for further testing. We would
> blow this system away and reinstall from media, but we want to know just
> what is going on with it.
>
> I placed a copy of the exe on one of our *nix boxes and ran current
> of f-prot, sweep and clamav against it and still turned up nothing. A
> hexdump turns up very little. It appears to be checking for tftpd, so at
> this point, we're not sure if this is a completely unknown virus or if it is
> a small portion of a larger issue. Either way, we would like to know just
> what this thing is. I've done a google search for regloadr.exe and turned up
> nothing. MS has nothing about this filename in their knowledge base. We
> attempted to check for its MD5 against various search engines, but
> turned up nothing. Its MD5 checksum (regloadr.exe) is
> 1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.
>
> We can't identify just what this thing is. Has anyone seen this file?
> Thanks.
> --
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-917-0600
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
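A defender-side check for the behaviour the quoted report describes (one unpatched host hammering tcp/135 across neighbouring class C's), added here as an example and not code from the thread. The log line format, the field order and the thresholds are assumptions; the sample records are constructed.

```python
"""Flag internal hosts that sweep TCP 135 across several /24 networks.

Added example, not code from the original thread. Input is assumed to be
simple "timestamp src dst dport proto" firewall/sensor records; adapt
parse_line() to your own log format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: 10.1.1.50 sweeps tcp/135 across 192.168.10.0/24 and
# 192.168.11.0/24, while 10.1.1.7 makes ordinary RPC calls to one server.
SAMPLE_LOG = """\
2003-09-30T03:40:01 10.1.1.50 192.168.10.1 135 tcp
2003-09-30T03:40:01 10.1.1.50 192.168.10.2 135 tcp
2003-09-30T03:40:02 10.1.1.50 192.168.10.3 135 tcp
2003-09-30T03:40:02 10.1.1.50 192.168.10.4 135 tcp
2003-09-30T03:40:03 10.1.1.50 192.168.11.1 135 tcp
2003-09-30T03:40:03 10.1.1.50 192.168.11.2 135 tcp
2003-09-30T03:40:04 10.1.1.7 10.1.1.10 135 tcp
2003-09-30T03:40:05 10.1.1.7 10.1.1.10 135 tcp
2003-09-30T03:40:05 10.1.1.50 10.1.1.9 80 tcp
"""


def parse_line(line):
    """Split one record into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return ts, ip_address(src), ip_address(dst), int(dport), proto


def find_rpc_sweepers(log_text, port=135, min_hosts=5, min_subnets=2):
    """Return {src: (distinct_hosts, distinct_/24s)} for every source whose
    TCP connections to `port` reach at least `min_hosts` distinct destinations
    spread over at least `min_subnets` distinct /24 networks."""
    hosts = defaultdict(set)
    subnets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, proto = parse_line(line)
        if proto != "tcp" or dport != port:
            continue  # only the RPC endpoint-mapper port is of interest here
        hosts[src].add(dst)
        subnets[src].add(ip_network(f"{dst}/24", strict=False))
    return {
        str(src): (len(hosts[src]), len(subnets[src]))
        for src in hosts
        if len(hosts[src]) >= min_hosts and len(subnets[src]) >= min_subnets
    }


if __name__ == "__main__":
    for src, (n_hosts, n_nets) in find_rpc_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {n_hosts} hosts on tcp/{135} across {n_nets} /24s")
```

A host that trips this check is a candidate for the same isolation and process-list review the report walks through; tune the thresholds so that legitimate RPC clients talking to a handful of servers stay below them.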
