regsvs.exe - Dangerous
regsvs.exe
Manual removal instructions:
Antivirus Report of regsvs.exe:
regsvs.exe
W32.Gaobot.YN is a variant of W32.HLLW.Gaobot.gen that attempts to spread to network shares and allows access to an infected computer through an IRC channel.
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80
Allows unauthorized remote access.
Steals CD keys of several popular computer games.
Ends processes belonging to antivirus and firewall software.
Accounts with weak passwords; systems not patched against the DCOM RPC vulnerability or the RPC locator vulnerability.
Copies itself as %System%\regsvs.exe.
Adds the value: "Compatibility Service Process" = "regsvs.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Opens a randomly selected TCP port to connect to an attacker.
Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from an attacker.
Allows an attacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:
- Manage the installation of the worm
- Dynamically update the installed worm
- Download and execute files
- Steal system information
- Send the worm to other IRC users
- Add new accounts
Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.
regsvs.exe | Malware |
regsvs.exe | Dangerous |
regsvs.exe | High Risk |
The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445
The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007), using TCP port 80
Allows unauthorized remote access.
Steals CD keys of several popular computer games.
Ends processes belonging to antivirus and firewall software.
Accounts with weak passwords; systems not patched against the DCOM RPC vulnerability or the RPC locator vulnerability.
Copies itself as %System%\regsvs.exe.
Adds the value: "Compatibility Service Process" = "regsvs.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Opens a randomly selected TCP port to connect to an attacker.
Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from an attacker.
Allows an attacker to remotely control a compromised computer, allowing him/her to perform any of the following actions:
- Manage the installation of the worm
- Dynamically update the installed worm
- Download and execute files
- Steal system information
- Send the worm to other IRC users
- Add new accounts
Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.