Security Incidents mailing list archives

RE: wmon16.exe


From: "Ken Dunham" <dunhamk () rmci net>
Date: Mon, 10 May 2004 16:44:57 -0600

Greetings,
iDEFENSE will do an analysis of code as well.  Send it to:

  malcode () idefense com

Ken

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
Sent: Monday, May 10, 2004 1:31 PM
To: incidents () securityfocus com
Subject: Re: wmon16.exe

"Jason High" <strongcypher () hotmail com> wrote:

I believe that I have a HUGE problem, and I can't find anything anywhere.

Here are our symptoms:
<<snip>>
I am completely lost.  No removal tools have worked, no A/V is picking 
it up.  I've got about four hosts with these symptoms (so far) and I'm 
just unplugging network cables at this point.  Anyone with any pointers?

Further to Harlan's excellent advice, you would do well to forward such
suspect files to your preferred AV developers' sample submission addresses.
To save you having to look them up, here is a list of such addresses for the
better-known developers:

   Authentium (Command Antivirus)  <virus () authentium com>
   Computer Associates (US)        <virus () ca com>
   Computer Associates (Vet/EZ)    <ipevirus () vet com au>
   DialogueScience (Dr. Web)       <Antivir () dials ru>
   Eset (NOD32)                    <sample () nod32 com>
   F-Secure Corp.                  <samples () f-secure com>
   Frisk Software (F-PROT)         <viruslab () f-prot com>
   Grisoft (AVG)                   <virus () grisoft cz>
   H+BEDV (AntiVir, Vexira engine) <virus () antivir de>
   Kaspersky Labs                  <newvirus () kaspersky com>
   Network Associates (McAfee)     <virus_research () nai com>
     (use a ZIP file with the password 'infected' without the quotes)
   Norman (NVC)                    <analysis () norman no>
   Panda Software                  <labs () pandasoftware com>
   Sophos Plc.                     <support () sophos com>
   Symantec (Norton)               <avsubmit () symantec com>
   Trend Micro (PC-cillin)         <virus_doctor () trendmicro com>
     (Trend may only accept files from users of its products)


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

