[Dshield] Odd things occurring on TCP 135.

Micheal Patterson micheal at tsgincorporated.com
Wed Oct 1 22:38:46 GMT 2003


Norton describes this as a variant of hacktool, F-Secure describes it as a
variant of Agobot. I've sent a sample to samples at nod32.com

--

Micheal Patterson
Network Administration
Cancer Care Network
405-917-0600


----- Original Message ----- 
From: "NOD32 Technical support (Mark)" <zeman at eset.sk>
To: <micheal at tsgincorporated.com>
Sent: Wednesday, October 01, 2003 5:18 PM
Subject: RE: [Dshield] Odd things occurring on TCP 135.


> Dear Michael,
>
> if possible, please send us the file regldr.exe for analysis.
> If it is actually a virus, we will add it in as short a time as possible.
>
>
>
> Best regards,
>
> Mark
> zeman at eset.sk
>
> ESET Software Technical Support
> www.nod32.com
>
> =========================================
> NOD32 ... protecting your digital worlds!
> =========================================
>
>
>
> -----Original Message-----
> From: Micheal Patterson [mailto:micheal at tsgincorporated.com]
> Sent: Tuesday, September 30, 2003 3:59 AM
> To: zeman at eset.sk
> Subject: [Dshield] Odd things occurring on TCP 135.
> Importance: High
>
>
> This morning, I got a call from one of our laptop users complaining that
> when she tries to send mail, the system reports that it's out of memory.
> Since this laptop hasn't been used in some time, I went over and took the
> station off line. Too many things have come down the pipe for me to want to
> leave this thing on the network. I immediately suspected that it hadn't been
> patched, and was correct. I hooked it up on a local test lan and started
> monitoring its traffic to see if it was attempting to propagate anything.
> Sure enough, it was hammering tcp port 135 on our neighboring class c's. We
> filter traffic both inbound and outbound at our border so it didn't pass
> outside of our network and all other hosts have been verified as being at
> current patch levels so this is an isolated incident. I checked add/remove
> programs and found that it wasn't viewable, similar to the Blaster / Welchia
> issue corrupting DCOM.
>
> I at first suspected blaster or one of its variants, no luck. Then I
> checked for Welchia, again, nothing. I scanned it from local clean CD copies
> of Norton and McAfee with current defs as well as ran the currently
> available version of stinger against it. Still nothing turned up. When we
> checked the process list, we found one called regloadr.exe and killed that
> process. Once dead, the system returned to normal operation with no further
> attempts to scan tcp 135. Add / Remove programs was again available and the
> system appeared to be running normally after that. When the registry was
> scanned, there were 2 entries pertaining to regloadr.exe, both were removed,
> and the regloadr.exe file deleted. The system is still running on the test
> lan with its traffic being monitored for further testing. We would normally
> blow this system away and reinstall from media, but we want to know just
> what is going on with it.
>
> I placed a copy of the exe on one of our *nix boxes and ran current versions
> of f-prot, sweep and clamav against it and still turned up nothing. A
> hexdump turns up very little. It appears to be checking for tftpd, so at
> this point, we're not sure if this is a completely unknown virus or if it is
> a small portion of a larger issue. Either way, we would like to know just
> what this thing is. I've done a google search for regloadr.exe and turned up
> nothing. MS has nothing about this filename in their knowledge base. We then
> attempted to check its MD5 against various search engines, but again, we
> turned up nothing. Its MD5 checksum (regloadr.exe) is
> 1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.
>
> We can't identify just what this thing is. Has anyone seen this file
> before?
>
> Thanks.
>
> --
>
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-917-0600
>
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
>
>
>
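The behaviour Micheal caught on his test lan, one host hammering TCP 135 across neighbouring class C's, is what a simple sweep detector over connection logs can flag automatically. The following is an added example written for this archive page, not code from the thread or from any product named in it; the log format and all addresses (RFC 5737 test ranges) are constructed.

```python
"""Flag hosts sweeping TCP/135 across many targets, the traffic pattern of an
RPC/DCOM worm-infected machine. Added example; log format and addresses are
constructed (RFC 5737 test ranges), not taken from the original thread."""
from collections import defaultdict
import ipaddress

# Constructed connection log, one record per line: "epoch src dst proto dport"
SAMPLE_LOG = """\
1064893140 192.0.2.50 198.51.100.1 tcp 135
1064893140 192.0.2.50 198.51.100.2 tcp 135
1064893141 192.0.2.50 198.51.100.3 tcp 135
1064893141 192.0.2.50 198.51.100.4 tcp 135
1064893142 192.0.2.50 198.51.100.5 tcp 135
1064893142 192.0.2.50 203.0.113.7 tcp 135
1064893143 192.0.2.50 203.0.113.8 tcp 135
1064893143 192.0.2.50 203.0.113.9 tcp 135
1064893200 192.0.2.10 192.0.2.1 tcp 135
1064893201 192.0.2.10 192.0.2.1 tcp 445
1064893202 192.0.2.11 192.0.2.20 udp 69
"""

def parse(log):
    """Yield (ts, src, dst, proto, dport) tuples from the constructed format."""
    for line in log.splitlines():
        ts, src, dst, proto, dport = line.split()
        yield int(ts), src, dst, proto, int(dport)

def find_135_sweepers(log, window=60, min_targets=5):
    """Return {src: (distinct_targets, distinct_/24s)} for every source that
    hit TCP/135 on at least min_targets distinct hosts within `window` seconds.
    A legitimate RPC client talking to one server (192.0.2.10) is not flagged."""
    hits = defaultdict(list)  # src -> [(ts, dst), ...] for TCP/135 only
    for ts, src, dst, proto, dport in parse(log):
        if proto == "tcp" and dport == 135:
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window over each start
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                nets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in targets}
                flagged[src] = (len(targets), len(nets))
                break
    return flagged

if __name__ == "__main__":
    for src, (n, nets) in find_135_sweepers(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct TCP/135 targets across {nets} /24s")
```

The distinct-/24 count separates a worm walking neighbouring class C's from a host that legitimately talks to several RPC servers on one subnet.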



