Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

(Un)Fortunately, I am not allowed to distribue the exe.

Does anyone know how it infects?

On Sep 1, Harlan Carvey (nospam-keydet89@yahoo.com.ns) typed:

FD: Where in the Registry did you find it? Which key(s)?
FD: What about this makes you think it's a Trojan? Did
FD: you run fport/openports and find it listening on a
FD: port? Where does the Registry entry point to within
FD: the file system? Since the file is an .exe file, did
FD: you check it for version information?
FD:
FD: Since filenames are the easiest thing about a file to
FD: change, is there any information other than simply the
FD: name that you can provide?

There were about 6 Registry enties in the HKLM section. I dont have the
compromised machine, so I cannot tell you the exact locations.

We ran TCPview on the compromised machine and watched it connect to an IRC
server.

On Sep 1, Todd Towles (nospam-toddtowles@brookshires.com.ns) typed:

FD: I see one other post about it here..
FD:
FD: http://www.dslreports.com/forum/remark,10987569~mode=flat
FD:
FD: Sounds like malware to me. Did you send copies to any AV compines?

That URL is the same one I came across yesterday via Google.

A copy of it has been sent to Symantec.

On Sep 1, Joe Stewart <nospam-jstewart@lurhq.com.ns> typed:

FD: We saw an Rbot variant spreading on August 23 with the same exe
FD: name. I've also seen other Rbot variants using a similar registry
FD: key name. Kaspersky does a pretty good job of spotting unknown Rbot
FD: variants with a generic signature "Backdoor.Rbot.gen".
FD:
FD: -Joe

http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Thu Sep 02 10:24:03 2004