[Dshield] Odd things occurring on TCP 135.

Micheal Patterson micheal at tsgincorporated.com
Mon Sep 29 23:28:59 GMT 2003

This morning, I got a call from one of our laptop users complaining that
when she tries to send mail, the system reports that it's out of memory.
Since this laptop hasn't been used in some time, I went over and took the
station offline. Too many things have come down the pipe for me to want to
leave this thing on the network. I immediately suspected that it hadn't been
patched, and was correct. I hooked it up on a local test LAN and started
monitoring its traffic to see if it was attempting to propagate anything.
Sure enough, it was hammering TCP port 135 on our neighboring class C's. We
filter traffic both inbound and outbound at our border so it didn't pass
outside of our network, and all other hosts have been verified as being at
current patch levels, so this is an isolated incident. I checked Add/Remove
Programs and found that it wasn't viewable, similar to the Blaster / Welchia
issue corrupting DCOM.

I at first suspected Blaster or one of its variants, no luck. Then I
checked for Welchia, again, nothing. I scanned it from local clean CD copies
of Norton and McAfee with current defs as well as ran the currently
available version of Stinger against it. Still nothing turned up. When we
checked the process list, we found one called regloadr.exe and killed that
process. Once dead, the system returned to normal operation with no further
attempts to scan TCP 135. Add/Remove Programs was again available and the
system appeared to be running normally after that. When the registry was
scanned, there were 2 entries pertaining to regloadr.exe; both were removed,
and the regloadr.exe file deleted. The system is still running on the test
LAN with its traffic being monitored for further testing. We would normally
blow this system away and reinstall from media, but we want to know just
what is going on with it.

I placed a copy of the exe on one of our *nix boxes and ran current versions
of f-prot, sweep and clamav against it and still turned up nothing. A
hexdump turns up very little. It appears to be checking for tftpd. So, at
this point, we're not sure if this is a completely unknown virus or if it is
a small portion of a larger issue. Either way, we would like to know just
what this thing is. I've done a Google search for regloadr.exe and turned up
nothing. MS has nothing about this filename in their knowledge base. We then
attempted to check for its MD5 against various search engines, but again, we
turned up nothing. Its MD5 checksum (regloadr.exe) is
1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.

We can't identify just what this thing is. Has anyone seen this file before?



Micheal Patterson
Network Administration
Cancer Care Network
