[Dshield] Odd things occurring on TCP 135.

Doug White doug at clickdoug.com
Tue Sep 30 15:16:16 GMT 2003

Have you tried submitting the program to one of the anti-virus vendors?

Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
Featuring Win2003 Enterprise, RedHat Linux, CFMX 6.1 and all databases.
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Linux" <linux at madjackal.org>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, September 30, 2003 8:24 AM
Subject: Re: [Dshield] Odd things occurring on TCP 135.

| Hello there. I'm interested in knowing what this thing is. Can Sir send
| me a copy of it? Just asking. Thanks anyway. Cheers
| On Tue, 2003-09-30 at 07:28, Micheal Patterson wrote:
| > This morning, I got a call from one of our laptop users complaining that
| > when she tries to send mail, the system reports that it's out of memory.
| > Since this laptop hasn't been used in some time, I went over and took the
| > station off line. Too many things have come down the pipe for me to want to
| > leave this thing on the network. I immediately suspected that it hadn't been
| > patched, and was correct. I hooked it up on a local test lan and started
| > monitoring its traffic to see if it was attempting to propagate anything.
| > Sure enough, it was hammering tcp port 135 on our neighboring class c's. We
| > filter traffic both inbound and outbound at our border so it didn't pass
| > outside of our network and all other hosts have been verified as being at
| > current patch levels so this is an isolated incident. I checked Add/Remove
| > programs and found that it wasn't viewable, similar to the Blaster / Welchia
| > issue corrupting DCOM.
| >
| > I at first suspected Blaster or one of its variants, no luck. Then I
| > checked for Welchia, again, nothing. I scanned it from local clean CD copies
| > of Norton and McAfee with current defs as well as ran the currently
| > available version of stinger against it. Still nothing turned up. When we
| > checked the process list, we found one called regloadr.exe and killed that
| > process. Once dead, the system returned to normal operation with no further
| > attempts to scan tcp 135. Add / Remove programs was again available and the
| > system appeared to be running normally after that. When the registry was
| > scanned, there were 2 entries pertaining to regloadr.exe, both were removed,
| > and the regloadr.exe file deleted. The system is still running on the test
| > lan with its traffic being monitored for further testing. We would normally
| > blow this system away and reinstall from media, but we want to know just
| > what is going on with it.
| >
| > I placed a copy of the exe on one of our *nix boxes and ran current versions
| > of f-prot, sweep and clamav against it and still turned up nothing. A
| > hexdump turns up very little. It appears to be checking for tftpd. So, at
| > this point, we're not sure if this is a completely unknown virus or if it is
| > a small portion of a larger issue. Either way, we would like to know just
| > what this thing is. I've done a google search for regloadr.exe and turned up
| > nothing. MS has nothing about this filename in their knowledge base. We then
| > attempted to check for its MD5 against various search engines, but again, we
| > turned up nothing. Its MD5 checksum (regloadr.exe) is
| > 1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.
| >
| > We can't identify just what this thing is. Has anyone seen this file before?
| >
| > Thanks.
| >
| > --
| >
| > Micheal Patterson
| > Network Administration
| > Cancer Care Network
| > 405-917-0600
| >
| >
| > _______________________________________________
| > list mailing list
| > list at dshield.org
| > To change your subscription options (or unsubscribe), see:
| >
| -- 
| Linux <linux at madjackal.org>
| MadJackal.org
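The propagation pattern Micheal describes above (one host opening TCP 135 connections to many neighbouring addresses in a short time) is easy to flag from flow or firewall logs. The following is an added example, not code from this thread; the log line format and the `find_sweeps` helper are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (hypothetical format: "<ISO time> <src> <dst> <proto> <dport> <flags>").
# 10.1.2.50 plays the unpatched laptop: 30 SYNs to distinct hosts on TCP 135 within ten seconds.
# 10.1.2.7 is a normal client that repeatedly talks to one RPC server on 135 and sends mail.
SAMPLE_LOG = [
    f"2003-09-30T07:20:{i // 3:02d} 10.1.2.50 10.1.3.{i + 1} tcp 135 S" for i in range(30)
] + [
    f"2003-09-30T07:20:{i * 4:02d} 10.1.2.7 10.1.2.10 tcp 135 S" for i in range(8)
] + ["2003-09-30T07:20:05 10.1.2.7 10.1.2.25 tcp 25 S"]


def parse_record(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, src, dst, proto, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "flags": flags}


def find_sweeps(lines, dport=135, min_targets=20, window=timedelta(seconds=60)):
    """Return {src: distinct_target_count} for sources that opened connections
    (SYN flag set) to at least `min_targets` distinct hosts on `dport` within
    any `window`-long span. Many connections to a single RPC server do not count."""
    by_src = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec["proto"] == "tcp" and rec["dport"] == dport and "S" in rec["flags"]:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct destinations reached inside the window that starts at this event.
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on tcp/135 within 60s; isolate and inspect")
```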
