Security Incidents mailing list archives
Re: wmon16 follow-up
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 10 May 2004 18:02:18 -0700 (PDT)
Jason,

One last question...how do you know that it's a virus, and not a worm or Trojan?

--- Jason High <strongcypher () hotmail com> wrote:
Thanks to everyone for their advice and help. The virus was pretty unsophisticated as far as I can tell. It created C:\winnt\system32\wmon16.exe and added registry entries in Run and Run > OptionalComponents to start itself when the computer starts. I simply killed it with Sysinternals' pskill, deleted the registry entries, patched the computers and updated the A/V. It seems to be gone now, but I'll be watching closely.

I submitted copies of the executable to various A/V vendors and many requestors on this list. If you asked for a copy and didn't get one, or would like to look at it, please let me know. I had a lot going on and may have missed some people.

Thanks again.

Jason E. High, RHCT, GSEC, MCP
http://www.alwaysright.org
Current thread:
- wmon16 follow-up Jason High (May 10)
- Re: wmon16 follow-up Harlan Carvey (May 11)