Security Incidents mailing list archives

Re: maoqmwgn.exe


From: Mike <secfocus () mikesbytes com>
Date: Thu, 15 Apr 2004 08:50:35 -0700

At 4/14/2004 06:09 PM, George M. Garner Jr. wrote:

I am looking for information on a small program entitled maoqmwgn.exe
(http://users.erols.com/gmgarner/malware/maoqmwgn.zip).  The program, which
opens UDP 1030, was found on a computer that was infected with certain
spyware.  The creation time also correlates with the spyware.  I don't see
it referenced anywhere.

Looks like spyware from Golden Palace Casino based on strings in the file.

Based on various postings, it appears to be difficult to remove, but I bet it has a bunch of registry keys including, of course, at the following locations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

How did you detect that the machine was infected with spyware? If you used something like Adaware or Spybot, both should be able to tell you more about the spyware.
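A defender's follow-up to the registry locations listed above, as an added example that is not part of the original thread or of any tool the posters mention: the script below enumerates every value under each of those HKLM and HKCU keys, extracts the executable each entry launches, checks whether that file still exists on disk, and flags entries whose command line references the file name in question. The second part shows which process owns the UDP port the original post mentions. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; `Get-NetUDPEndpoint` only exists on Windows 8 / Server 2012 and later, so that check is skipped where the cmdlet is absent. The file name `maoqmwgn.exe` and port `1030` are taken from the thread; everything else (parameter and variable names) is the example's own.

```powershell
# Added example (not from the thread): list autostart entries in the Run-style
# keys named in the post and flag any that reference a suspect file name.
param(
    [string]$Suspect = 'maoqmwgn.exe',   # file name from the original post
    [int]$UdpPort    = 1030              # port from the original post
)

# The same subkeys are checked under both HKLM and HKCU, as listed in the post.
# Note: under "Windows NT\CurrentVersion\Windows" only the Load and Run values
# are autostart entries; other values there are ordinary settings.
$autorunSubkeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AutorunEntry {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in $autorunSubkeys) {
            $props = Get-ItemProperty -Path "${hive}:\$sub" -ErrorAction SilentlyContinue
            if (-not $props) { continue }          # key absent on this system
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue } # skip PowerShell's own metadata
                $cmd = [string]$p.Value
                if (-not $cmd) { continue }
                # First token of the command line, quoted or bare, with %VARS% expanded.
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                [pscustomobject]@{
                    Key     = "$hive\$sub"
                    Name    = $p.Name
                    Command = $cmd
                    Exe     = $exe
                    OnDisk  = [bool]$exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)
                    Suspect = $cmd -like "*$Suspect*"
                }
            }
        }
    }
}

# Suspect entries first; an entry whose executable is gone from disk is also
# worth a look, since it is a leftover of something that was removed by hand.
Get-AutorunEntry | Sort-Object Suspect, OnDisk -Descending | Format-Table -AutoSize

# Which process owns the UDP port from the post (modern Windows only).
if (Get-Command Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
    Get-NetUDPEndpoint -LocalPort $UdpPort -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            PID       = $_.OwningProcess
            Process   = $proc.Name
            Path      = $proc.Path
        }
    } | Format-Table -AutoSize
} else {
    # On older systems "netstat -ano" gives the owning PID for the same check.
    Write-Host "Get-NetUDPEndpoint not available; use: netstat -ano | findstr :$UdpPort"
}
```

Run it from an elevated prompt so HKLM values that are readable only by administrators are included; pass `-Suspect` with another file name to reuse it for a different sample. Reading the command line rather than only the value name matters because the value name in these keys is arbitrary and is often chosen to look like a legitimate component.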




