Security Incidents: Re: wmon16.exe

[Harlan Carvey <keydet89 () yahoo com>]

> I believe that I have a HUGE problem, and I can't
> find anything anywhere.  
> Here are our symptoms:
>
> - C:\winnt\system32\wmon16.exe appeared and began
> running (no idea what it is or does)
Is there a startup entry for wmon16.exe, either in the
Registry or StartUp folders?

Also, have you sent a copy of the file to your
anti-virus vendor?

> - hosts file was altered to redirect antivirus sites
> to 127.0.0.1 (similar 
> to Trojan.QHOST but nothing else matches
> - disables antivirus
What does?  wmon16.exe?  Are you sure?

> - creates lots of connections to network computers
> using microsoft-ds and netbios ports
What does?  wmon16.exe?  Have you used fport.exe or
openports.exe to confirm this?  Also, are these the
source or destination ports?

> I am completely lost.  No removal tools have worked,
> no A/V is picking it 
> up.  I've got about four hosts with these symptoms
> (so far) and I'm just 
> unplugging network cables at this point.  Anyone
> with any pointers?
A little digital detective work will help you tie the
symptoms to the file you found, if that is in fact the
case.  Kill the process, remove any Startup entries,
and restart a machine.  If the process returns, then
you need to dig deeper.

HTH,

Harlan


---------------------------------------------------------------------------
----------------------------------------------------------------------------