Security Incidents mailing list archives
RE: wmon16.exe
From: "lsi" <stuart () cyberdelix net>
Date: Tue, 11 May 2004 08:26:34 +0100
Hey, I saw this too HOSTS file had a bunch of AV sites pointing to 127.0.0.1 The name of my mystery file was WINDRV32.EXE I think - 3k Once I got the AV working and updated, it detected GAObot and Sasser on the machine - the HOSTS file itself then caused an alert from Norton - not sure whether it called it GAOBot or Sasser. The machine was infected with AVSERVE.EXE *and* AVSERVE2.EXE - both were running full tilt when I arrived. The machine was on a broadband connection and had no firewall enabled. So I concluded it was a 'spyware hotel' ... and attacked it in Safe Mode with System Restore turned off. At this point I wasn't too methodical and trashed anything that looked out of the ordinary. I also run Ad-Aware and had that trash it some more. Then I rebooted, updated AV and had it scan the whole system, find Sasser and GAObot on the system, and trash them. Norton did NOT alert on the 3k WINDRV32.EXE file, though. I concluded it was a dropper of some description. I wanted to keep it, but - well actually I have seen a bunch of weird EXEs "in my time", and one more is not such a big deal. Note: you sound like you're depending on an AV tool. Just look at the process list manually. Have a known-clean machine next to you so you can compare the process lists if you need to. Then you can see the malware right there. Kill the process. Remove the startup registry key. AV tool not necessary. Stu On 10 May 2004 at 11:28, Levinson, Karl wrote: From: "Levinson, Karl" <Karl.Levinson () dhs gov> To: "'Jason High'" <strongcypher () hotmail com>, incidents () securityfocus com Subject: RE: wmon16.exe Date sent: Mon, 10 May 2004 11:28:53 -0400
First, you want to immediately submit that file to your anti-virus vendor, using the virus sample submission instructions on their web site. I think this is wise even if this file is unrelated to your hosts file being edited. Google gives zero hits on the file name wmon16.exe, which unscientifically suggests this is probably not a normal file. If you wanted to know immediately what that file does, you could try running it on an isolated test machine with Filemon, Regmon, and/or Process Explorer free from www.sysinternals.com, Ethereal sniffer, etc. Other good suggestions as to what you might optionally consider doing can be found by searching previous posts to this question on this list. None of this is a good replacement for also getting your anti-virus vendor to detect, name and remove it, however.-----Original Message----- From: Jason High [mailto:strongcypher () hotmail com] Sent: Monday, May 10, 2004 9:03 AM To: incidents () securityfocus com Subject: wmon16.exe I believe that I have a HUGE problem, and I can't find anything anywhere. Here are our symptoms: - C:\winnt\system32\wmon16.exe appeared and began running (no idea what it is or does) - hosts file was altered to redirect antivirus sites to 127.0.0.1 (similar to Trojan.QHOST but nothing else matches - disables antivirus - creates lots of connections to network computers using microsoft-ds and netbios ports I am completely lost. No removal tools have worked, no A/V is picking it up. I've got about four hosts with these symptoms (so far) and I'm just unplugging network cables at this point. Anyone with any pointers?--------------------------------------------------------------------------- ----------------------------------------------------------------------------
--- Stuart Udall stuart at () cyberdelix dot net - http://www.cyberdelix.net/ --- * Origin: lsi: revolution through evolution (192.168.0.2) --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- wmon16.exe Jason High (May 10)
- Re: wmon16.exe Peter Kosinar (May 10)
- Re: wmon16.exe Harlan Carvey (May 10)
- Re: wmon16.exe KUIJPERS Jimmy (May 10)
- Re: wmon16.exe Nick FitzGerald (May 10)
- RE: wmon16.exe Ken Dunham (May 11)
- <Possible follow-ups>
- RE: wmon16.exe Meidinger Chris (May 10)
- RE: wmon16.exe Levinson, Karl (May 10)
- RE: wmon16.exe lsi (May 11)
- Re: wmon16.exe Willem Tahon (May 11)
- Re: wmon16.exe Nick FitzGerald (May 11)
- RE: wmon16.exe lsi (May 11)
- Re: wmon16.exe Willem Tahon (May 11)