[Dshield] Odd things occurring on TCP 135.

Linux linux at madjackal.org
Tue Sep 30 13:24:56 GMT 2003


Hello there. I'm interested in knowing what this thing is. Can Sir send
me a copy of it? Just asking. Thanks anyway. Cheers.


On Tue, 2003-09-30 at 07:28, Micheal Patterson wrote:
> This morning, I got a call from one of our laptop users complaining that
> when she tries to send mail, the system reports that it's out of memory.
> Since this laptop hasn't been used in some time, I went over and took the
> station off line. Too many things have come down the pipe for me to want to
> leave this thing on the network. I immediately suspected that it hadn't been
> patched, and was correct. I hooked it up on a local test lan and started
> monitoring its traffic to see if it was attempting to propagate anything.
> Sure enough, it was hammering tcp port 135 on our neighboring class C's. We
> filter traffic both inbound and outbound at our border so it didn't pass
> outside of our network and all other hosts have been verified as being at
> current patch levels so this is an isolated incident. I checked Add/Remove
> Programs and found that it wasn't viewable, similar to the Blaster / Welchia
> issue corrupting DCOM.
> 
> I at first suspected blaster or one of its variants, no luck. Then I
> checked for Welchia, again, nothing. I scanned it from local clean CD copies
> of Norton and McAfee with current defs as well as ran the currently
> available version of stinger against it. Still nothing turned up. When we
> checked the process list, we found one called regloadr.exe and killed that
> process. Once dead, the system returned to normal operation with no further
> attempts to scan tcp 135. Add / Remove programs was again available and the
> system appeared to be running normally after that. When the registry was
> scanned, there were 2 entries pertaining to regloadr.exe, both were removed,
> and the regloadr.exe file deleted. The system is still running on the test
> lan with its traffic being monitored for further testing. We would normally
> blow this system away and reinstall from media, but we want to know just
> what is going on with it.
> 
> I placed a copy of the exe on one of our *nix boxes and ran current versions
> of f-prot, sweep and clamav against it and still turned up nothing. A
> hexdump turns up very little. It appears to be checking for tftpd, so at
> this point, we're not sure if this is a completely unknown virus or if it is
> a small portion of a larger issue. Either way, we would like to know just
> what this thing is. I've done a google search for regloadr.exe and turned up
> nothing. MS has nothing about this filename in their knowledge base. We then
> attempted to check for its MD5 against various search engines, but again, we
> turned up nothing. Its MD5 checksum (regloadr.exe) is
> 1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.
> 
> We can't identify just what this thing is. Has anyone seen this file before?
> 
> Thanks.
> 
> --
> 
> Micheal Patterson
> Network Administration
> Cancer Care Network
> 405-917-0600
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
-- 
Linux <linux at madjackal.org>
MadJackal.org
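The behaviour Micheal describes, one unpatched host sweeping TCP 135 across the neighbouring class C's, is the kind of thing a border or test-LAN log can catch before anyone reports an out-of-memory error. The following is an added example, not code from the thread or from either poster: it parses a constructed SYN-log format (the timestamp/src/dst/flags layout is an assumption, not a real product's format), flags any source that opens connections to many distinct hosts on port 135 inside a sliding time window, and separately checks a file's MD5 against the one checksum the message gives for regloadr.exe. Distinct targets are counted rather than raw SYNs, so a single busy RPC client talking to one server is not mistaken for a scanner.

```python
"""Flag hosts sweeping TCP 135 from SYN logs, and match a file against a posted MD5."""
import hashlib
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The only identifier the message gives for the binary: its MD5 checksum.
REGLOADR_MD5 = "1b96e6ab6c25417bedb3dcb4d3167935"

# Constructed sample log (not real traffic). Assumed layout:
#   "<date> <time> TCP <src>:<sport> -> <dst>:<dport> SYN"
# 10.1.4.22 plays the infected laptop sweeping a neighbouring /24 on 135;
# 10.1.4.7 is an ordinary RPC client; 10.1.4.9 is mail traffic.
SAMPLE_LOG = """\
2003-09-30 09:15:01 TCP 10.1.4.22:1033 -> 10.1.5.1:135 SYN
2003-09-30 09:15:01 TCP 10.1.4.22:1034 -> 10.1.5.2:135 SYN
2003-09-30 09:15:01 TCP 10.1.4.22:1035 -> 10.1.5.3:135 SYN
2003-09-30 09:15:02 TCP 10.1.4.22:1036 -> 10.1.5.4:135 SYN
2003-09-30 09:15:02 TCP 10.1.4.22:1037 -> 10.1.5.5:135 SYN
2003-09-30 09:15:02 TCP 10.1.4.22:1038 -> 10.1.5.6:135 SYN
2003-09-30 09:15:03 TCP 10.1.4.7:2201 -> 10.1.4.10:135 SYN
2003-09-30 09:15:03 TCP 10.1.4.7:2202 -> 10.1.4.11:135 SYN
2003-09-30 09:15:04 TCP 10.1.4.22:1039 -> 10.1.5.7:135 SYN
2003-09-30 09:15:04 TCP 10.1.4.22:1040 -> 10.1.5.8:135 SYN
2003-09-30 09:15:04 TCP 10.1.4.9:3300 -> 10.1.4.200:25 SYN
2003-09-30 09:15:05 this line is malformed and must be skipped
2003-09-30 09:20:00 TCP 10.1.4.22:1041 -> 10.1.5.9:135 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) SYN$"
)


def parse_syn_events(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed SYN line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["src"], m["dst"], int(m["dport"])


def find_port135_sweepers(log_text, window_seconds=60, min_targets=5):
    """Return {src: peak_distinct_targets} for every source that SYN'd to at least
    min_targets distinct hosts on TCP 135 within any window_seconds-long window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_syn_events(log_text):
        if dport == 135:
            by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> number of SYNs currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within the window.
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def matches_posted_sample(data: bytes) -> bool:
    """True if the bytes hash to the MD5 posted for regloadr.exe."""
    return hashlib.md5(data).hexdigest() == REGLOADR_MD5


if __name__ == "__main__":
    for src, n in sorted(find_port135_sweepers(SAMPLE_LOG).items()):
        print(f"{src}: {n} distinct hosts on tcp/135 within 60s")
```

With the defaults only 10.1.4.22 is reported (eight distinct hosts in a few seconds); the RPC client with two legitimate destinations stays below the threshold, and the lone SYN at 09:20 falls outside the window, so a long quiet gap does not inflate the count. `matches_posted_sample` is the check you would run against a recovered copy of the binary before comparing notes with anyone else who has the same hash.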