Educause Security Discussion mailing list archives

Re: Ph0t0Sh0p.exe


From: Andrew Watson <Andrew.Watson () COLORADOCOLLEGE EDU>
Date: Wed, 15 Sep 2004 12:18:29 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks to everyone for your help on this.  We submitted the file to
Symantec, and they determined that it was a new variant of the
Gaobot:

W32.HLLW.Gaobot

The latest defs should cover this one.

Sincerely,
Andrew

Andrew Watson
Sr. Systems Administrator
The Colorado College
14 E. Cache La Poudre St.
Armstrong Hall, 1A
Colorado Springs, CO 80903
Phone: 719-389-6733
Fax: 719-389-6733


________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Watson
Sent: Monday, September 13, 2004 5:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Ph0t0Sh0p.exe

We have had two student systems show up on campus displaying
Nachi/Welchia activity (caught by our MS-RPCDCOM filter 2289 on
TippingPoint).  After we got our hands on the systems, none of our
standard cleaning tools or AV software were successful at finding any
problems.  The only thing that we could find out of the ordinary was
a single program, Ph0t0Sh0p.exe, that looked suspicious.  It
constantly takes about 70% CPU on both systems, and will trigger over
3000 alerts per hour on TippingPoint if connected to the network.  I
am going to have the students wipe the machines and re-install, but I
was curious to find out if anyone on this list had seen this type of
activity.  We have tried Symantec AV, Blaster/Nachi/Welchia cleaning
utilities, Spybot, and Ad-Aware with no success.

Any advice would be greatly appreciated.

Sincerely,

Andrew Watson
Sr. Systems Administrator
The Colorado College
14 E. Cache La Poudre St.
Armstrong Hall, 1A
Colorado Springs, CO 80903
Phone: 719-389-6733
Fax: 719-389-6733


********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/. 
