Security Incidents mailing list archives

RE: wmon16.exe


From: "lsi" <stuart () cyberdelix net>
Date: Tue, 11 May 2004 08:26:34 +0100

Hey, I saw this too.

HOSTS file had a bunch of AV sites pointing to 127.0.0.1.

The name of my mystery file was WINDRV32.EXE, I think - 3k.

Once I got the AV working and updated, it detected GAObot and Sasser 
on the machine - the HOSTS file itself then caused an alert from 
Norton - not sure whether it called it GAOBot or Sasser.  

The machine was infected with AVSERVE.EXE *and* AVSERVE2.EXE - both 
were running full tilt when I arrived.  

The machine was on a broadband connection and had no firewall 
enabled.  So I concluded it was a 'spyware hotel' ... and attacked it 
in Safe Mode with System Restore turned off.  At this point I wasn't 
too methodical and trashed anything that looked out of the ordinary.  
I also ran Ad-Aware and had that trash it some more. Then I rebooted, 
updated AV and had it scan the whole system, find Sasser and GAObot 
on the system, and trash them.  

Norton did NOT alert on the 3k WINDRV32.EXE file, though.  I 
concluded it was a dropper of some description.  I wanted to keep it, 
but - well actually I have seen a bunch of weird EXEs "in my time", 
and one more is not such a big deal.  

Note: you sound like you're depending on an AV tool.  Just look at 
the process list manually.  Have a known-clean machine next to you so 
you can compare the process lists if you need to.  Then you can see 
the malware right there.  Kill the process.  Remove the startup 
registry key.  AV tool not necessary.  

Stu

On 10 May 2004 at 11:28, Levinson, Karl wrote:

From:                   "Levinson, Karl" <Karl.Levinson () dhs gov>
To:                     "'Jason High'" <strongcypher () hotmail com>, incidents () securityfocus com
Subject:                RE: wmon16.exe
Date sent:              Mon, 10 May 2004 11:28:53 -0400

First, you want to immediately submit that file to your anti-virus vendor,
using the virus sample submission instructions on their web site.  I think
this is wise even if this file is unrelated to your hosts file being edited.


Google gives zero hits on the file name wmon16.exe, which unscientifically
suggests this is probably not a normal file.

If you wanted to know immediately what that file does, you could try running
it on an isolated test machine with Filemon, Regmon, and/or Process Explorer
free from www.sysinternals.com, Ethereal sniffer, etc.  Other good
suggestions as to what you might optionally consider doing can be found by
searching previous posts to this question on this list.  None of this is a
good replacement for also getting your anti-virus vendor to detect, name and
remove it, however.

 

-----Original Message-----
From: Jason High [mailto:strongcypher () hotmail com] 
Sent: Monday, May 10, 2004 9:03 AM
To: incidents () securityfocus com
Subject: wmon16.exe


I believe that I have a HUGE problem, and I can't find 
anything anywhere.  
Here are our symptoms:

- C:\winnt\system32\wmon16.exe appeared and began running (no idea what it
  is or does)
- hosts file was altered to redirect antivirus sites to 127.0.0.1 (similar
  to Trojan.QHOST but nothing else matches)
- disables antivirus
- creates lots of connections to network computers using microsoft-ds and
  netbios ports

I am completely lost.  No removal tools have worked, no A/V is picking it
up.  I've got about four hosts with these symptoms (so far) and I'm just
unplugging network cables at this point.  Anyone with any pointers?

---------------------------------------------------------------------------
----------------------------------------------------------------------------



---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192.168.0.2)
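The manual triage Stu recommends (compare the process list against a known-clean machine, then find and remove the startup key) and the hosts-file symptom Jason reports, written out as an added example that is not code from any post in this thread. The hosts file, `tasklist` listings and `reg query` output below are constructed for the example (image names are the ones mentioned in the thread; PIDs, paths and the "Synchronization Manager" value are invented), and the list of vendor domains that should never resolve to loopback is an assumption to be extended for whatever AV product is in use.

```python
"""Offline triage for the two symptoms in this thread: a hosts file that
pins anti-virus sites to 127.0.0.1, and a process list plus Run key that
must be compared against a known-clean machine.  Added example, not code
from the thread; every input below is constructed."""
import re
from ntpath import basename

# Constructed hosts file modelled on the symptom described in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 update.symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 www.mcafee.com
10.0.0.5  intranet.example    # legitimate local entry (assumed)
"""
# Vendor domains that should never resolve to loopback (assumed list).
WATCH_DOMAINS = ("symantec.com", "symantecliveupdate.com", "sophos.com",
                 "mcafee.com", "trendmicro.com", "kaspersky.com")
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are dropped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def hijacked_av_entries(hosts_text):
    """Entries that pin a watched vendor domain to a black-hole address."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        watched = any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)
        if ip in BLACKHOLE_IPS and watched:
            hits.append((ip, name))
    return hits


# Constructed `tasklist` output: same Windows build, one clean, one infected.
# Image names come from the thread; PIDs and memory figures are made up.
CLEAN_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
smss.exe                     372 Console                 0        344 K
winlogon.exe                 444 Console                 0      3,016 K
services.exe                 488 Console                 0      2,804 K
lsass.exe                    500 Console                 0      1,232 K
explorer.exe                1248 Console                 0     12,516 K
"""
INFECTED_TASKLIST = CLEAN_TASKLIST + """\
avserve.exe                 1388 Console                 0      1,604 K
avserve2.exe                1412 Console                 0      1,620 K
wmon16.exe                  1500 Console                 0      2,072 K
"""
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def tasklist_images(text):
    """Set of lower-cased image names from `tasklist` output (header skipped)."""
    images = set()
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            images.add(m.group(1).strip().lower())
    return images


def unexpected_processes(infected_text, clean_text):
    """Images running on the suspect box that the clean reference does not run."""
    return sorted(tasklist_images(infected_text) - tasklist_images(clean_text))


# Constructed `reg query ...\Run` output; value names and paths are invented.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    avserve.exe                REG_SZ    C:\WINNT\avserve.exe
    wmon16                     REG_SZ    "C:\WINNT\system32\wmon16.exe" /s
"""


def run_values_launching(reg_text, images):
    """Run-key value names whose command launches one of the given images."""
    names = []
    for line in reg_text.splitlines():
        parts = re.split(r"\s{2,}|\t+", line.strip())
        if len(parts) < 3 or not parts[1].startswith("REG_"):
            continue
        cmd = parts[2]  # quoted path, or first whitespace-delimited token
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if basename(exe).lower() in images:
            names.append(parts[0])
    return names


if __name__ == "__main__":
    print("hosts hijacks:", hijacked_av_entries(SAMPLE_HOSTS))
    rogue = unexpected_processes(INFECTED_TASKLIST, CLEAN_TASKLIST)
    print("rogue images :", rogue)
    print("Run values   :", run_values_launching(SAMPLE_RUN_KEY, set(rogue)))
```

On a real box the same functions take the saved text of `tasklist` and `reg query` from the clean reference machine and from the suspect one; the process diff only tells you what is unusual, so each unexpected image still has to be confirmed by hand (path, size, signature) before killing it and deleting its Run value, and the hosts file should simply be restored to its default entries.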

