Security Incidents mailing list archives
RE: wmon16.exe
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
Date: Mon, 10 May 2004 11:28:53 -0400
First, you want to immediately submit that file to your anti-virus vendor, using the virus sample submission instructions on their web site. I think this is wise even if this file is unrelated to your hosts file being edited. Google gives zero hits on the file name wmon16.exe, which unscientifically suggests this is probably not a normal file. If you wanted to know immediately what that file does, you could try running it on an isolated test machine with Filemon, Regmon, and/or Process Explorer free from www.sysinternals.com, Ethereal sniffer, etc. Other good suggestions as to what you might optionally consider doing can be found by searching previous posts to this question on this list. None of this is a good replacement for also getting your anti-virus vendor to detect, name and remove it, however.
-----Original Message-----
From: Jason High [mailto:strongcypher () hotmail com]
Sent: Monday, May 10, 2004 9:03 AM
To: incidents () securityfocus com
Subject: wmon16.exe

I believe that I have a HUGE problem, and I can't find anything anywhere. Here are our symptoms:

- C:\winnt\system32\wmon16.exe appeared and began running (no idea what it is or does)
- hosts file was altered to redirect antivirus sites to 127.0.0.1 (similar to Trojan.QHOST but nothing else matches)
- disables antivirus
- creates lots of connections to network computers using microsoft-ds and netbios ports

I am completely lost. No removal tools have worked, no A/V is picking it up. I've got about four hosts with these symptoms (so far) and I'm just unplugging network cables at this point. Anyone with any pointers?
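One symptom in the original report is a hosts file that maps anti-virus vendor sites to 127.0.0.1. The script below is an added example, not code from the thread or from any vendor: it parses a Windows-style hosts file and flags any watched vendor name mapped anywhere, or any non-localhost name mapped to a loopback address. The vendor suffix list and the sample hosts file are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Addresses that should only ever map to the local machine's own names.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Hypothetical watch list of vendor update hostnames (assumption: a real
# deployment would use the vendor's published list of update/download hosts).
WATCHED_SUFFIXES = ("symantec.com", "mcafee.com", "sophos.com", "trendmicro.com")

def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, hostnames) for each active mapping in a hosts file.
    Handles '#' comments, blank lines, tabs/spaces and several names per line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing or full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                     # an address with no names is inert
            continue
        entries.append((no, parts[0], [h.lower() for h in parts[1:]]))
    return entries

def suspicious_entries(text: str) -> List[Dict]:
    """Flag mappings that hijack a name: a watched vendor name mapped to any
    address, or any non-local name pointed at a loopback address."""
    findings = []
    for no, ip, hosts in parse_hosts(text):
        for h in hosts:
            watched = any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)
            if watched:
                findings.append({"line": no, "ip": ip, "host": h, "reason": "watched vendor name"})
            elif ip in LOOPBACK and h not in LOCAL_NAMES:
                findings.append({"line": no, "ip": ip, "host": h, "reason": "non-local name on loopback"})
    return findings

# Constructed sample resembling the tampering described in the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com   # added by something
127.0.0.1 download.mcafee.com www.sophos.com
::1 localhost
10.0.0.5 fileserver.corp.example
"""

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['host']} ({f['reason']})")
```

On a live machine, read %SystemRoot%\system32\drivers\etc\hosts into `text` instead of the constructed sample.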