Security Incidents mailing list archives
Re: maoqmwgn.exe
From: Mike <secfocus () mikesbytes com>
Date: Thu, 15 Apr 2004 08:50:35 -0700
At 4/14/2004 06:09 PM, George M. Garner Jr. wrote:
> I am looking for information on a small program entitled maoqmwgn.exe (http://users.erols.com/gmgarner/malware/maoqmwgn.zip). The program, which opens UDP 1030, was found on a computer that was infected with certain spyware. The creation time also correlates with the spyware. I don't see it referenced anywhere.
Looks like spyware from Golden Palace Casino based on strings in the file.

Based on various postings, it appears to be difficult to remove, but I bet it has a bunch of registry keys including, of course, at the following locations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

How did you detect that the machine was infected with spyware? If you used something like Adaware or Spybot, both should be able to tell you more about the spyware.
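
Added example, not part of the message above: a PowerShell check that reads every value under the registry locations listed in the message and flags those whose data mentions the file name from the subject line. The function name Get-AutostartValue and the variables $Needle and $SubKeys are names chosen for this example.

```powershell
# Added example: enumerate the autostart locations named in the message
# and flag any value whose data references the file from the thread.
$Needle = 'maoqmwgn'   # file name stem taken from the thread subject

# Subkey paths exactly as listed in the message (checked under HKLM and HKCU).
$SubKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AutostartValue {
    param([string[]]$Hives = @('HKLM:', 'HKCU:'))

    foreach ($hive in $Hives) {
        foreach ($sub in $SubKeys) {
            $path = "$hive\$sub"
            # Several of these keys do not exist on every Windows version.
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # RunOnceEx keeps its entries in subkeys, so include children.
            $keys = @(Get-Item -LiteralPath $path) +
                    @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)

            foreach ($key in $keys) {
                foreach ($name in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($name)
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = $name
                        Data  = $data
                        Match = $data -like "*$Needle*"
                    }
                }
            }
        }
    }
}

# Matches first; the remaining rows are the other autostart entries to review.
Get-AutostartValue | Sort-Object Match -Descending | Format-Table -AutoSize -Wrap
```

Under the `Windows NT\CurrentVersion\Windows` key the values that start programs are `load` and `run`; the other values listed there are unrelated settings.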