Educause Security Discussion mailing list archives
Re: Ph0t0Sh0p.exe
From: Andrew Watson <Andrew.Watson () COLORADOCOLLEGE EDU>
Date: Wed, 15 Sep 2004 12:18:29 -0600
Thanks to everyone for your help on this. We submitted the file to Symantec, and they determined that it was a new variant of the Gaobot: W32.HLLW.Gaobot. The latest defs should cover this one.

Sincerely,
Andrew

Andrew Watson
Sr. Systems Administrator
The Colorado College
14 E. Cache La Poudre St.
Armstrong Hall, 1A
Colorado Springs, CO 80903
Phone: 719-389-6733
Fax: 719-389-6733

________________________________
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Watson
Sent: Monday, September 13, 2004 5:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Ph0t0Sh0p.exe

We have had two student systems show up on campus displaying Nachi/Welchia activity (caught by our MS-RPCDCOM filter 2289 on TippingPoint). After we got our hands on the systems, none of our standard cleaning tools or AV software were successful at finding any problems. The only thing that we could find out of the ordinary was a single program, Ph0t0Sh0p.exe, that looked suspicious. It constantly takes about 70% CPU on both systems and will trigger over 3000 alerts per hour on TippingPoint if connected to the network. I am going to have the students wipe the machines and re-install, but I was curious to find out if anyone on this list had seen this type of activity. We have tried Symantec AV, Blaster/Nachi/Welchia cleaning utilities, Spybot, and Ad-Aware with no success. Any advice would be greatly appreciated.

Sincerely,
Andrew Watson
Sr. Systems Administrator
The Colorado College

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
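The two indicators the thread turns on are a process whose name mimics a legitimate product with digits swapped for letters (Ph0t0Sh0p.exe) and a host that is both pegging CPU and tripping the same IDS filter thousands of times an hour. The script below is an added triage example written for this archive page, not code from the thread or from any of the tools it names: it normalizes leet-style substitutions to spot lookalike image names against a small allow-list, flags sustained CPU, and counts per-source hits for a given filter id in IDS log lines. The allow-list, the log-line format, the sample process table and the log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Digit/symbol-for-letter substitutions to undo when comparing image names.
# The filename in the thread (Ph0t0Sh0p.exe) uses the 0 -> o swap.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "$": "s", "@": "a"})

# Hypothetical allow-list of legitimate binaries an admin would maintain.
KNOWN_BINARIES = {"photoshop.exe", "explorer.exe", "svchost.exe", "winword.exe"}


def normalize(name: str) -> str:
    """Lower-case the name and undo leet substitutions."""
    return name.lower().translate(LEET_MAP)


def lookalike_of(name: str) -> Optional[str]:
    """Return the known binary this name mimics, or None.

    A name that is itself on the allow-list is not a lookalike; only a name
    whose normalized form collides with a known binary is reported.
    """
    if name.lower() in KNOWN_BINARIES:
        return None
    norm = normalize(name)
    return norm if norm in KNOWN_BINARIES else None


@dataclass
class Process:
    name: str
    cpu_percent: float


def triage(processes: List[Process], cpu_threshold: float = 50.0) -> List[Tuple[str, List[str]]]:
    """Flag processes with a lookalike name and/or sustained high CPU."""
    findings = []
    for p in processes:
        reasons = []
        target = lookalike_of(p.name)
        if target:
            reasons.append(f"name mimics {target}")
        if p.cpu_percent >= cpu_threshold:
            reasons.append(f"sustained CPU {p.cpu_percent:.0f}%")
        if reasons:
            findings.append((p.name, reasons))
    return findings


# Constructed IDS log format: "<date> <time> filter=<id> src=<ip> dst=<ip>".
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) filter=(?P<filter>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")


def noisy_sources(log_lines: List[str], filter_id: str = "2289", min_alerts: int = 3) -> Dict[str, int]:
    """Count hits per source for one filter id; return sources at or above min_alerts."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("filter") != filter_id:
            continue
        counts[m.group("src")] = counts.get(m.group("src"), 0) + 1
    return {src: n for src, n in counts.items() if n >= min_alerts}


# Constructed sample process table from a single host.
SAMPLE_PROCESSES = [
    Process("Ph0t0Sh0p.exe", 70.0),   # lookalike name, pegged CPU
    Process("explorer.exe", 2.0),     # legitimate, idle
    Process("Photoshop.exe", 35.0),   # legitimate name, busy but below threshold
    Process("svch0st.exe", 1.0),      # lookalike name only
]

# Constructed IDS lines; filter 2289 is the MS-RPCDCOM filter named in the thread.
SAMPLE_LOG = [
    "2004-09-13 16:01:22 filter=2289 src=10.20.30.40 dst=10.20.31.5",
    "2004-09-13 16:01:23 filter=2289 src=10.20.30.40 dst=10.20.31.6",
    "2004-09-13 16:01:23 filter=1000 src=10.20.30.40 dst=10.20.31.7",
    "2004-09-13 16:01:24 filter=2289 src=10.20.30.41 dst=10.20.31.8",
    "2004-09-13 16:01:24 filter=2289 src=10.20.30.40 dst=10.20.31.9",
    "2004-09-13 16:01:25 filter=2289 src=10.20.30.40 dst=10.20.31.10",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PROCESSES):
        print(f"{name}: {', '.join(reasons)}")
    for src, n in noisy_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} hits on filter 2289")
```

The name check deliberately reports a collision only when the literal name is not on the allow-list, so the real Photoshop.exe is never flagged; in practice the allow-list would be pulled from a software inventory rather than typed in, and the CPU and alert thresholds tuned to the environment.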
Current thread:
- Ph0t0Sh0p.exe Andrew Watson (Sep 13)
- <Possible follow-ups>
- Re: Ph0t0Sh0p.exe Gaby (Sep 14)
- Re: Ph0t0Sh0p.exe Lucas, Bryan (Sep 14)
- Re: Ph0t0Sh0p.exe Andrew Watson (Sep 15)