RE: wmon16.exe

From: lsi (stuartcyberdelix.net)
Date: Tue May 11 2004 - 02:41:40 CDT


Sorry,

I forgot to mention - if you disinfect manually (kill the process,
remove the startup key), there's one more step - delete the EXE.

You need to repeat for each dodgy EXE on the system.

I use TaskInfo to see a process list (it's much better than the
inbuilt process lister). And I use SmartStart to show me startup
keys in the registry (not Regedit). And, I use Total Commander for
file management (it runs rings around Windows Explorer).

And finally - I happened to notice that whatever had infected my
user's system appeared to have made a copy of his profile directory
(from c:\documents and settings) and placed it in
c:\windows\system32\local settings (or something). It could have
been the user who did this, so I wasn't sure - but the IE cache
directories in that copy of his profile contained additional,
inactive copies of AVSERVE.EXE and AVSERVE2.EXE, which were detected
by the full system scan with the AV tool (after I had repaired it).

Stu

On 11 May 2004 at 8:26, incidentssecurityfocus.com wrote:

From: lsi <stuartcyberdelix.net>
To: incidentssecurityfocus.com
Subject: RE: wmon16.exe
Copies to: strongcypherhotmail.com
Send reply to: stuartcyberdelix.net
Date sent: Tue, 11 May 2004 08:26:31 +0100

> Hey, I saw this too
>
> HOSTS file had a bunch of AV sites pointing to 127.0.0.1
>
> The name of my mystery file was WINDRV32.EXE I think - 3k
>
> Once I got the AV working and updated, it detected GAObot and Sasser
> on the machine - the HOSTS file itself then caused an alert from
> Norton - not sure whether it called it GAOBot or Sasser.
>
> The machine was infected with AVSERVE.EXE *and* AVSERVE2.EXE - both
> were running full tilt when I arrived.
>
> The machine was on a broadband connection and had no firewall
> enabled. So I concluded it was a 'spyware hotel' ... and attacked it
> in Safe Mode with System Restore turned off. At this point I wasn't
> too methodical and trashed anything that looked out of the ordinary.
> I also ran Ad-Aware and had that trash it some more. Then I rebooted,
> updated AV and had it scan the whole system, find Sasser and GAObot
> on the system, and trash them.
>
> Norton did NOT alert on the 3k WINDRV32.EXE file, though. I
> concluded it was a dropper of some description. I wanted to keep it,
> but - well actually I have seen a bunch of weird EXEs "in my time",
> and one more is not such a big deal.
>
> Note: you sound like you're depending on an AV tool. Just look at
> the process list manually. Have a known-clean machine next to you so
> you can compare the process lists if you need to. Then you can see
> the malware right there. Kill the process. Remove the startup
> registry key. AV tool not necessary.
>
> Stu
>
> On 10 May 2004 at 11:28, Levinson, Karl wrote:
>
> From: "Levinson, Karl" <Karl.Levinsondhs.gov>
> To: "'Jason High'" <strongcypherhotmail.com>, incidentssecurityfocus.com
> Subject: RE: wmon16.exe
> Date sent: Mon, 10 May 2004 11:28:53 -0400
>
> > First, you want to immediately submit that file to your anti-virus vendor,
> > using the virus sample submission instructions on their web site. I think
> > this is wise even if this file is unrelated to your hosts file being edited.
> >
> >
> > Google gives zero hits on the file name wmon16.exe, which unscientifically
> > suggests this is probably not a normal file.
> >
> > If you wanted to know immediately what that file does, you could try running
> > it on an isolated test machine with Filemon, Regmon, and/or Process Explorer
> > free from www.sysinternals.com, Ethereal sniffer, etc. Other good
> > suggestions as to what you might optionally consider doing can be found by
> > searching previous posts to this question on this list. None of this is a
> > good replacement for also getting your anti-virus vendor to detect, name and
> > remove it, however.
> >
> >
> >
> > > -----Original Message-----
> > > From: Jason High [mailto:strongcypherhotmail.com]
> > > Sent: Monday, May 10, 2004 9:03 AM
> > > To: incidentssecurityfocus.com
> > > Subject: wmon16.exe
> > >
> > >
> > > I believe that I have a HUGE problem, and I can't find
> > > anything anywhere.
> > > Here are our symptoms:
> > >
> > > - C:\winnt\system32\wmon16.exe appeared and began running (no
> > >   idea what it is or does)
> > > - hosts file was altered to redirect antivirus sites to 127.0.0.1
> > >   (similar to Trojan.QHOST but nothing else matches)
> > > - disables antivirus
> > > - creates lots of connections to network computers using
> > >   microsoft-ds and netbios ports
> > >
> > > I am completely lost. No removal tools have worked, no A/V is
> > > picking it up. I've got about four hosts with these symptoms (so
> > > far) and I'm just unplugging network cables at this point. Anyone
> > > with any pointers?
> >
>
>

---
Stuart Udall
stuart atcyberdelix.dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192.168.0.2)
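The one symptom every poster in this thread agrees on is the rewritten HOSTS file: anti-virus vendor sites pinned to 127.0.0.1 so the product can no longer update. The following is an added example, not code from the thread or from any of the tools the posters mention; it parses a HOSTS file and flags any entry that maps an AV vendor domain to a loopback or unspecified address (the sinkhole case), or to anything else at all (a vendor domain should never need a local override). The vendor-domain list and the sample file contents are constructed for illustration; extend the list to match the products in your own estate. Python is used rather than the Windows tooling the posters reach for so that the check runs on any platform against a copied file; on the infected box itself the file lives at %SystemRoot%\system32\drivers\etc\hosts.

```python
"""Flag HOSTS-file entries that hijack anti-virus vendor domains.

Added example for this thread, not code posted by any participant.
AV_DOMAINS and SAMPLE_HOSTS are constructed assumptions.
"""
import ipaddress
import sys

# Assumed watch-list of AV vendor domains (illustrative, not exhaustive).
AV_DOMAINS = (
    "symantec.com", "norton.com", "mcafee.com", "sophos.com",
    "trendmicro.com", "kaspersky.com", "f-secure.com",
)

# Constructed sample of what the edited file in the thread might look like:
# vendor update hosts pinned to loopback / 0.0.0.0, one redirected elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com   # added by malware (constructed)
0.0.0.0         download.mcafee.com
127.0.0.1       update.symantec.com securityresponse.symantec.com
10.1.2.3        www.sophos.com
10.1.2.3        intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, one per hostname, ignoring comments.

    A HOSTS line is '<ip> <name> [<name> ...]'; '#' starts a comment.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_av_domain(hostname):
    """True if hostname is a watched vendor domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in AV_DOMAINS)


def is_sinkhole(ip):
    """True for loopback (127/8, ::1), 0.0.0.0/:: or an unparseable address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # garbage in the IP column is suspicious in itself
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return [(ip, hostname, reason)] for every AV-vendor entry in the file.

    reason is 'sinkholed' when the address is loopback/unspecified and
    'redirected' when the vendor name points anywhere else.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_av_domain(name):
            continue
        reason = "sinkholed" if is_sinkhole(ip) else "redirected"
        findings.append((ip, name, reason))
    return findings


def main(argv):
    # Usage: python hosts_check.py [path-to-hosts]; defaults to the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = find_hijacks(text)
    for ip, name, reason in hits:
        print(f"{reason:10s} {name:35s} -> {ip}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a copy of the infected machine's file and a non-zero exit means the file needs restoring; after that, re-run it once the AV product has been reinstalled and updated, since some of the droppers in this thread rewrite the file again on reboot.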
