 
RE: wmon16.exe

From: Meidinger Chris (chris.meidingerbadenit.de)
Date: Mon May 10 2004 - 10:41:53 CDT


Those symptoms sound exactly like some variant of agobot/phatbot.

info: http://www.sophos.com/virusinfo/analyses/w32agobotlb.html
        http://www.sophos.com/virusinfo/analyses/w32agobotrg.html

There are lots of variants, and it will probably not be fun to clean. If you
are not patched, I would probably turn off your switches at this point.

As far as the name, the best I can find is this, nothing concrete:

        http://anticode.antionline.com/download.php?op=geninfo&did=35122

Good luck, feel free to mail if you want to talk,

Chris

> -----Original Message-----
> From: Jason High [mailto:strongcypherhotmail.com]
> Sent: Monday, May 10, 2004 3:03 PM
> To: incidentssecurityfocus.com
> Subject: wmon16.exe
>
> I believe that I have a HUGE problem, and I can't find
> anything anywhere.
> Here are our symptoms:
>
> - C:\winnt\system32\wmon16.exe appeared and began running (no
> idea what it is or does)
> - hosts file was altered to redirect antivirus sites to
> 127.0.0.1 (similar to Trojan.QHOST but nothing else matches)
> - disables antivirus
> - creates lots of connections to network computers using
> microsoft-ds and netbios ports
>
> I am completely lost. No removal tools have worked, no A/V
> is picking it up. I've got about four hosts with these
> symptoms (so far) and I'm just unplugging network cables at
> this point. Anyone with any pointers?
>
>
> Jason E. High, RHCT, GSEC, MCP
> http://www.alwaysright.org
>
>

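One of the symptoms Jason lists, the hosts file rewritten so that antivirus and update sites resolve to 127.0.0.1, is cheap to check for across a fleet and is a good first triage step before trying removal tools. The script below is an added example for this thread, not code from either poster or from any vendor; it parses a hosts file, flags entries that point a watched vendor or update domain at loopback or 0.0.0.0, and is run here against a constructed sample file that reproduces the symptom. The vendor suffix list (`WATCH_SUFFIXES`) is an assumption and should be replaced with the vendors actually in use.

```python
import ipaddress
import sys

# Constructed sample hosts file reproducing the symptom from the post:
# antivirus vendor and update sites pointed at loopback so that signature
# updates and removal tools silently fail.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         update.microsoft.com   # constructed: some strains use 0.0.0.0
192.168.1.10    fileserver.corp.example
"""

# Assumed watch list of vendor/update domains; extend it to your own vendors.
WATCH_SUFFIXES = (
    "sophos.com",
    "symantec.com",
    "mcafee.com",
    "trendmicro.com",
    "microsoft.com",
)


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                     # an IP with no names is junk
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_sinkhole(ip):
    """True for loopback (127.x) or the unspecified address (0.0.0.0 / ::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                         # malformed address, not our concern here
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_hosts_entries(text, watch=WATCH_SUFFIXES):
    """Entries that map a watched domain (or any subdomain of it) to a sinkhole."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":                # legitimate loopback mapping
            continue
        if is_sinkhole(ip) and any(
            name == suffix or name.endswith("." + suffix) for suffix in watch
        ):
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    # Usage: python check_hosts.py [path-to-hosts-file]
    # With no argument the constructed sample above is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    for ip, name in suspicious_hosts_entries(data):
        print(f"SUSPICIOUS: {name} -> {ip}")
```

On a Windows 2000 host of that era the file lives at C:\WINNT\system32\drivers\etc\hosts; on a modern Windows install it is under %SystemRoot%\System32\drivers\etc\hosts. Any hit means the machine cannot reach that vendor by name, so pulling signatures or a removal tool from it will fail until the hosts file is restored, which is a useful thing to know before concluding that "no A/V is picking it up".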