[Dshield] Odd things occurring on TCP 135.

Matney mail at greatviz.com
Tue Sep 30 18:45:24 GMT 2003

Could it be a variation of regload.exe?  It is a keylogger, you can find 
it at:


Micheal Patterson wrote:

>This morning, I got a call from one of our laptop users complaining that
>when she tries to send mail, the system reports that it's out of memory.
>Since this laptop hasn't been used in some time, I went over and took the
>station off line. Too many things have come down the pipe for me to want to
>leave this thing on the network. I immediately suspected that it hadn't been
>patched, and was correct. I hooked it up on a local test lan and started
>monitoring its traffic to see if it was attempting to propagate anything.
>Sure enough, it was hammering tcp port 135 on our neighboring class c's. We
>filter traffic both inbound and outbound at our border so it didn't pass
>outside of our network and all other hosts have been verified as being at
>current patch levels so this is an isolated incident. I checked Add/Remove
>programs and found that it wasn't viewable, similar to the Blaster / Welchia
>issue corrupting DCOM.
>I at first suspected blaster or one of its variants, no luck. Then I
>checked for Welchia, again, nothing. I scanned it from local clean CD copies
>of Norton and McAfee with current defs as well as ran the currently
>available version of stinger against it. Still nothing turned up. When we
>checked the process list, we found one called regloadr.exe and killed that
>process. Once dead, the system returned to normal operation with no further
>attempts to scan tcp 135. Add / Remove programs was again available and the
>system appeared to be running normally after that. When the registry was
>scanned, there were 2 entries pertaining to regloadr.exe, both were removed,
>and the regloadr.exe file deleted. The system is still running on the test
>lan with its traffic being monitored for further testing. We would normally
>blow this system away and reinstall from media, but we want to know just
>what is going on with it.
>I placed a copy of the exe on one of our *nix boxes and ran current versions
>of f-prot, sweep and clamav against it and still turned up nothing. A
>hexdump turns up very little. It appears to be checking for tftpd. So, at
>this point, we're not sure if this is a completely unknown virus or if it is
>a small portion of a larger issue. Either way, we would like to know just
>what this thing is. I've done a google search for regloadr.exe and turned up
>nothing. MS has nothing about this filename in their knowledge base. We then
>attempted to check for its MD5 against various search engines, but again, we
>turned up nothing. Its MD5 checksum (regloadr.exe) is
>1b96e6ab6c25417bedb3dcb4d3167935 if anyone is interested.
>We can't identify just what this thing is. Has anyone seen this file before?
>Micheal Patterson
>Network Administration
>Cancer Care Network

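The behaviour described in the quoted message, one internal host hammering TCP 135 across neighbouring networks, can be picked out of border-filter logs by counting distinct destinations per source. The following is an added example, not part of either post; the log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log format (an assumption, not from the thread):
# <timestamp> <action> TCP src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) TCP "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def build_sample_log():
    """Constructed sample: one host sweeping TCP 135, one ordinary client."""
    lines = []
    for net in (5, 6):               # two neighbouring /24s
        for host in range(1, 21):    # 20 targets in each
            lines.append(f"2003-09-30T14:02:{host:02d}Z DROP TCP "
                         f"src=10.1.4.23:{1024 + host} dst=10.1.{net}.{host}:135")
    # Ordinary client: repeated RPC to a single server, plus one SMTP session.
    lines += ["2003-09-30T14:03:01Z ALLOW TCP src=10.1.4.40:2001 dst=10.1.4.10:135"] * 3
    lines.append("2003-09-30T14:03:05Z ALLOW TCP src=10.1.4.40:2002 dst=10.1.4.11:25")
    lines.append("garbled line that does not parse")
    return lines

def find_sweepers(lines, port=135, min_hosts=10):
    """Return {src: (distinct_dst_hosts, distinct_dst_slash24s)} for every
    source that contacted at least min_hosts distinct hosts on `port`."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue                 # malformed line or a different port
        try:
            targets[m["src"]].add(ip_address(m["dst"]))
        except ValueError:
            continue                 # dotted string that is not a valid IP
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_hosts:
            nets = {ip_network(f"{d}/24", strict=False) for d in dsts}
            report[src] = (len(dsts), len(nets))
    return report

if __name__ == "__main__":
    for src, (hosts, nets) in find_sweepers(build_sample_log()).items():
        print(f"{src}: {hosts} distinct hosts in {nets} /24s on TCP 135")
```

Counting distinct destinations rather than raw connections keeps a client that talks to one RPC server repeatedly from being flagged.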