Security Incidents: RE: wmon16.exe

["Levinson, Karl" <Karl.Levinson () dhs gov>]

First, you want to immediately submit that file to your anti-virus vendor,
using the virus sample submission instructions on their web site.  I think
this is wise even if this file is unrelated to your hosts file being edited.


Google gives zero hits on the file name wmon16.exe, which unscientifically
suggests this is probably not a normal file.

If you wanted to know immediately what that file does, you could try running
it on an isolated test machine with Filemon, Regmon, and/or Process Explorer
free from www.sysinternals.com, Ethereal sniffer, etc.  Other good
suggestions as to what you might optionally consider doing can be found by
searching previous posts to this question on this list.  None of this is a
good replacement for also getting your anti-virus vendor to detect, name and
remove it, however.

 

> -----Original Message-----
> From: Jason High [mailto:strongcypher () hotmail com] 
> Sent: Monday, May 10, 2004 9:03 AM
> To: incidents () securityfocus com
> Subject: wmon16.exe
>
>
> I believe that I have a HUGE problem, and I can't find 
> anything anywhere.  
> Here are our symptoms:
>
> - C:\winnt\system32\wmon16.exe appeared and began running (no 
> idea what it 
> is or does)
> - hosts file was altered to redirect antivirus sites to 
> 127.0.0.1 (similar 
> to Trojan.QHOST but nothing else matches
> - disables antivirus
> - creates lots of connections to network computers using 
> microsoft-ds and 
> netbios ports
>
> I am completely lost.  No removal tools have worked, no A/V 
> is picking it 
> up.  I've got about four hosts with these symptoms (so far) 
> and I'm just 
> unplugging network cables at this point.  Anyone with any pointers?
---------------------------------------------------------------------------
----------------------------------------------------------------------------