Security Incidents mailing list archives
RE: wmon16.exe
From: "lsi" <stuart () cyberdelix net>
Date: Tue, 11 May 2004 08:41:40 +0100
Sorry, I forgot to mention - if you disinfect manually (kill the process, remove the startup key), there's one more step - delete the EXE You need to repeat for each dodgy EXE on the system. I use TaskInfo to see a process list (it's much better than the inbuilt process lister). And I use SmartStart to show me startup keys in the registry (not Regedit). And, I use Total Commander for file management (it runs rings around Windows Explorer). And finally - I happened to notice that whatever had infected my user's system appeared to have made a copy of his profile directory (from c:\documents and settings) and placed it in c:\windows\system32\local settings (or something). It could have been the user who did this, so I wasn't sure - but the IE cache directories in that copy of his profile contained additional, inactive copies of AVSERVE.EXE and AVSERVE2.EXE, which were detected by the full system scan with the AV tool (after I had repaired it). Stu On 11 May 2004 at 8:26, incidents () securityfocus com wrote: From: lsi <stuart () cyberdelix net> To: incidents () securityfocus com Subject: RE: wmon16.exe Copies to: strongcypher () hotmail com Send reply to: stuart () cyberdelix net Date sent: Tue, 11 May 2004 08:26:31 +0100
Hey, I saw this too HOSTS file had a bunch of AV sites pointing to 127.0.0.1 The name of my mystery file was WINDRV32.EXE I think - 3k Once I got the AV working and updated, it detected GAObot and Sasser on the machine - the HOSTS file itself then caused an alert from Norton - not sure whether it called it GAOBot or Sasser. The machine was infected with AVSERVE.EXE *and* AVSERVE2.EXE - both were running full tilt when I arrived. The machine was on a broadband connection and had no firewall enabled. So I concluded it was a 'spyware hotel' ... and attacked it in Safe Mode with System Restore turned off. At this point I wasn't too methodical and trashed anything that looked out of the ordinary. I also run Ad-Aware and had that trash it some more. Then I rebooted, updated AV and had it scan the whole system, find Sasser and GAObot on the system, and trash them. Norton did NOT alert on the 3k WINDRV32.EXE file, though. I concluded it was a dropper of some description. I wanted to keep it, but - well actually I have seen a bunch of weird EXEs "in my time", and one more is not such a big deal. Note: you sound like you're depending on an AV tool. Just look at the process list manually. Have a known-clean machine next to you so you can compare the process lists if you need to. Then you can see the malware right there. Kill the process. Remove the startup registry key. AV tool not necessary. Stu On 10 May 2004 at 11:28, Levinson, Karl wrote: From: "Levinson, Karl" <Karl.Levinson () dhs gov> To: "'Jason High'" <strongcypher () hotmail com>, incidents () securityfocus com Subject: RE: wmon16.exe Date sent: Mon, 10 May 2004 11:28:53 -0400First, you want to immediately submit that file to your anti-virus vendor, using the virus sample submission instructions on their web site. I think this is wise even if this file is unrelated to your hosts file being edited. Google gives zero hits on the file name wmon16.exe, which unscientifically suggests this is probably not a normal file. If you wanted to know immediately what that file does, you could try running it on an isolated test machine with Filemon, Regmon, and/or Process Explorer free from www.sysinternals.com, Ethereal sniffer, etc. Other good suggestions as to what you might optionally consider doing can be found by searching previous posts to this question on this list. None of this is a good replacement for also getting your anti-virus vendor to detect, name and remove it, however.-----Original Message----- From: Jason High [mailto:strongcypher () hotmail com] Sent: Monday, May 10, 2004 9:03 AM To: incidents () securityfocus com Subject: wmon16.exe I believe that I have a HUGE problem, and I can't find anything anywhere. Here are our symptoms: - C:\winnt\system32\wmon16.exe appeared and began running (no idea what it is or does) - hosts file was altered to redirect antivirus sites to 127.0.0.1 (similar to Trojan.QHOST but nothing else matches - disables antivirus - creates lots of connections to network computers using microsoft-ds and netbios ports I am completely lost. No removal tools have worked, no A/V is picking it up. I've got about four hosts with these symptoms (so far) and I'm just unplugging network cables at this point. Anyone with any pointers?--------------------------------------------------------------------------- ----------------------------------------------------------------------------
--- Stuart Udall stuart at () cyberdelix dot net - http://www.cyberdelix.net/ --- * Origin: lsi: revolution through evolution (192.168.0.2) --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: wmon16.exe, (continued)
- Re: wmon16.exe Peter Kosinar (May 10)
- Re: wmon16.exe Harlan Carvey (May 10)
- Re: wmon16.exe KUIJPERS Jimmy (May 10)
- Re: wmon16.exe Nick FitzGerald (May 10)
- RE: wmon16.exe Ken Dunham (May 11)
- RE: wmon16.exe Meidinger Chris (May 10)
- RE: wmon16.exe Levinson, Karl (May 10)
- RE: wmon16.exe lsi (May 11)
- Re: wmon16.exe Willem Tahon (May 11)
- Re: wmon16.exe Nick FitzGerald (May 11)
- RE: wmon16.exe lsi (May 11)
- Re: wmon16.exe Willem Tahon (May 11)