Re: [Full-Disclosure] Microsoft Update Loader msrtwd.exe

["S.A. Birl" <sbirl@xxxxxxxxxx>]

(Un)Fortunately, I am not allowed to distribue the exe.

Does anyone know how it infects?


On Sep 1, Harlan Carvey (nospam-keydet89@xxxxxxxxxxxx) typed:

FD:   Where in the Registry did you find it?  Which key(s)?
FD:   What about this makes you think it's a Trojan?  Did
FD:   you run fport/openports and find it listening on a
FD:   port?  Where does the Registry entry point to within
FD:   the file system?  Since the file is an .exe file, did
FD:   you check it for version information?
FD:
FD:   Since filenames are the easiest thing about a file to
FD:   change, is there any information other than simply the
FD:   name that you can provide?


There were about 6 Registry enties in the HKLM section.  I dont have the
compromised machine, so I cannot tell you the exact locations.

We ran TCPview on the compromised machine and watched it connect to an IRC
server.




On Sep 1, Todd Towles (nospam-toddtowles@xxxxxxxxxxxxxxxxxx) typed:

FD:   I see one other post about it here..
FD:
FD:    http://www.dslreports.com/forum/remark,10987569~mode=flat
FD:
FD:   Sounds like malware to me. Did you send copies to any AV compines?



That URL is the same one I came across yesterday via Google.

A copy of it has been sent to Symantec.



On Sep 1, Joe Stewart <nospam-jstewart@xxxxxxxxxxxx> typed:

FD:   We saw an Rbot variant spreading on August 23 with the same exe
FD:   name. I've also seen other Rbot variants using a similar registry
FD:   key name. Kaspersky does a pretty good job of spotting unknown Rbot
FD:   variants with a generic signature "Backdoor.Rbot.gen".
FD:
FD:   -Joe


http://virusscan.jotti.dhs.org/ lists msrtwd.exe as backdoor.sdbot.gen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html