[Dshield] Odd things occuring on TCP 135.

Porter, Richard USA rwporter at nps.navy.mil
Tue Sep 30 14:49:40 GMT 2003

Could you send me a copy in ZIP directly please? I would like to tear it apart. Thanks in advanced.


--- This email should be in plain text ---
"If it is not please flame me directly"

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf Of Micheal Patterson
Sent: Monday, September 29, 2003 4:29 PM
To: dshield
Subject: [Dshield] Odd things occuring on TCP 135.

This morning, I got a call from one of our laptop users complaining that when she tries to send mail, the system reports that it's out of memory. Since this laptop hasn't been used in some time, I went over and took the station off line. Too many things have come down the pipe for me to want to leave this thing on the network. I immediately suspected that it hadn't been patched, and was correct. I hooked it up on a local test lan and started monitoring it's traffic to see if it was attempting to propagate anything. Sure enough, it was hammering tcp port 135 on our neighboring class c's. We filter traffic both inbound and outbound at our border so it didn't pass outside of our network and all other hosts have been verified as being at current patch levels so this is an isolated incident. I checked add/remote programs and found that it wasn't viewable, similar to the Blaster / Welchia issue corrupting DCOM.

I at first suspected blaster or one of it's variants, no luck. Then I checked for Welchia, again, nothing. I scanned it from local clean CD copies of Norton and McAfee with current defs as well as ran the currently available version of stinger against it. Still nothing turned up. When we checked the process list, we found one called regloadr.exe and killed that process. Once dead, the system returned to normal operation with no further attempts to scan tcp 135. Add / Remove programs was again available and the system appeared to be running normally after that. When the registry was scanned, there were 2 entries pertaining to regloadr.exe, both were removed, and the regloadr.exe file deleted. The system is still running on the test lan with it's traffic being monitored for further testing. We would normally blow this system away and reinstall from media, but we want to know just what is going on with it.

I placed a copy of the exe on one of our *nix boxes and ran current versions of f-prot, sweep and clamav against it and still turned up nothing. A hexdump turns up very little. It appears to be checking for tftpd, So, at this point, we're not sure if this is a completely unknown virus or if it is a small portion of a larger issue. Either way, we would like to know just what this thing is. I've done a google search for regloadr.exe and turned up nothing. MS has nothing about this filename in their knowledge base. We then attempted to check for it's MD5 against various search engines, but again,we turned up nothing. It's MD5 checksum (regloadr.exe) is 1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.

We can't identify just what this thing is. Has anyone seen this file before?



Micheal Patterson
Network Administration
Cancer Care Network

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list