Re: Unusual registry entries

From: Brad (gryphonnat_private)
Date: Thu Jun 19 2003 - 20:25:12 PDT


    On 19 Jun 2003 at 20:14, btraquerat_private wrote:
    
    From:           	btraquerat_private
    To:             	incidentsat_private
    Subject:        	Unusual registry entries
    Date sent:      	Thu, 19 Jun 2003 20:14:35 +0000
    
    > Today, while installing an app on a 98 box, we noticed that the user name and
    > organization that Windows was registered to was quite unusual.  The registry
    > key, HKLM-->Software-->Microsoft-->Windows-->CurrentVersion showed the following:
    > 
    > RegisteredOwner:  Forger
    > RegisteredOrganization:  RedTeam Art & Dev Lab
    > 
    > 
    > Have any of you ever seen or heard of anything like this before?
    > 
    > A search on Google only brought up four hits when I searched for redteam
    > +forger.    Had no luck using any other search.  Found some light info about 2
    > viruses that had one or the other in the name, but couldn't find any definitive info
    > about either.
    
    Virus search results (minimal search):
    
    http://www.f-secure.com/v-descs/vcl.shtml
    http://www.avp.ch/avpve/newexe/windows/redteam.stm
    
    Note that besides the Redteam kit, the worm itself is rather old.
    
    How much do you know of the history of the box? The entries 
    may have been there for a while.
    
    Cheers,
    Brad
    
    > 
    > No unusual apps/processes "appear" to be installed/running and nothing unusual
    > appeared during a review of the system, but this is still very interesting...
    > 
    > If you have any info about this it would be greatly appreciated!!
    > 
    > Thanks!
    > Gene
    > 
    > ----------------------------------------------------------------------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
    > world's premier technical IT security event! 10 tracks, 15 training sessions, 
    > 1,800 delegates from 30 nations including all of the top experts, from CSO's to 
    > "underground" security specialists.  See for yourself what the buzz is about!  
    > Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    > ----------------------------------------------------------------------------
    > 
    
    Gryphonn Design
    Custom Computers
    Anti-virus and Security services 
    E: gryphonnat_private
    
    This message has a short disclaimer.
    It is designed to piss off those people
    who think 134 bytes of ASCII 
    is a waste of bandwidth.
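    The thread turns on two string values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion (RegisteredOwner and RegisteredOrganization) that nobody had a baseline for, which is why Brad asks about the history of the box. The script below is an added example, not code from either poster: it reads those two values either live through Python's winreg module on a Windows host or from a regedit export (the REGEDIT4 text format a Windows 98 box produces), and compares them against an expected owner pattern and organisation name. The sample export, the owner pattern and the organisation "Example Corp" are constructed placeholders; only the Forger / RedTeam Art & Dev Lab strings come from the thread.

```python
"""Baseline check of Windows registration values (added example).

Reads RegisteredOwner and RegisteredOrganization from
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion, either live (Windows only)
or from a regedit export, and reports values that do not match the baseline
an administrator expects to see on company-built machines.
"""
import re
import sys

CURRENT_VERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
WATCHED_VALUES = ("RegisteredOwner", "RegisteredOrganization")

# Constructed sample export: the two registration strings are the ones reported
# in the thread; the other entries are filler so the parser has keys to skip.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductName"="Microsoft Windows 98"
"RegisteredOwner"="Forger"
"RegisteredOrganization"="RedTeam Art & Dev Lab"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''


def parse_reg_export(text):
    """Return {name: data} for REG_SZ values directly under CurrentVersion.

    A regedit export lists each key as a [bracketed] header followed by its
    values; subkeys such as ...\\CurrentVersion\\Run get their own header, so
    only values between the CurrentVersion header and the next header count.
    """
    results = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == CURRENT_VERSION_KEY.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            name, data = m.group(1), m.group(2)
            # regedit escapes quotes and backslashes inside string data
            results[name] = data.replace('\\"', '"').replace("\\\\", "\\")
    return results


def read_live():
    """Read the two values from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        values = {}
        for name in WATCHED_VALUES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                values[name] = None
        return values


def check_registration(values, expected_owner_pattern, expected_org):
    """Return a list of findings; an empty list means the values match the baseline.

    expected_owner_pattern is a regex for what an owner string should look like
    on a company build (e.g. a first and last name); expected_org is the exact
    organisation string the imaging process writes.
    """
    findings = []
    owner = values.get("RegisteredOwner")
    org = values.get("RegisteredOrganization")
    if owner is None or not re.fullmatch(expected_owner_pattern, owner):
        findings.append(f"RegisteredOwner={owner!r} does not match baseline")
    if org != expected_org:
        findings.append(f"RegisteredOrganization={org!r} != {expected_org!r}")
    return findings


if __name__ == "__main__":
    # Placeholder baseline: adjust to what your build process actually writes.
    OWNER_PATTERN = r"[A-Za-z]+ [A-Za-z]+"
    EXPECTED_ORG = "Example Corp"
    values = read_live() if sys.platform == "win32" else parse_reg_export(SAMPLE_EXPORT)
    report = check_registration(values, OWNER_PATTERN, EXPECTED_ORG)
    for line in report or ["registration values match baseline"]:
        print(line)
```

    Run against the constructed export the script reports both values as off-baseline, which is the situation Gene describes; on a Windows host it reads the live key instead. The useful defensive habit is the baseline itself: record what the imaging process writes to these values, and treat a mismatch as a prompt to establish the history of the machine rather than as proof of compromise.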
    
    
    
    This archive was generated by hypermail 2b30 : Sat Jun 21 2003 - 11:44:36 PDT