Security Incidents: Re: wmon16.exe

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: wmon16.exe

From: Peter Kosinar <goober () ksp sk>
Date: Mon, 10 May 2004 17:11:12 +0200 (CEST)

- C:\winnt\system32\wmon16.exe appeared and began running (no idea what it 
is or does)
- hosts file was altered to redirect antivirus sites to 127.0.0.1 (similar 
to Trojan.QHOST but nothing else matches
- disables antivirus
- creates lots of connections to network computers using microsoft-ds and 
netbios ports


Might be a variant of Ago/Gao-bot. Could you provide the executable ?

Your sincerely,

Peter Kosinar



---------------------------------------------------------------------------
----------------------------------------------------------------------------

By Date By Thread

Current thread:

wmon16.exe Jason High (May 10)
- Re: wmon16.exe Peter Kosinar (May 10)
- Re: wmon16.exe Harlan Carvey (May 10)
- Re: wmon16.exe KUIJPERS Jimmy (May 10)
- Re: wmon16.exe Nick FitzGerald (May 10)
  - RE: wmon16.exe Ken Dunham (May 11)
- <Possible follow-ups>
- RE: wmon16.exe Meidinger Chris (May 10)