Goverts IV, Paul
pgoverts at sjfc.edu
Wed Feb 25 17:22:09 GMT 2004
This may or may not be related - this morning I found a (hidden) file
named winampa.exe under c:\windows\system32 on an XP Home PC. Using the
2/24 defs, Symantec Antivirus is unable to identify it as anything. It
is a 32.5k file, which appears to have been port-scanning machines on
Port 901 (Samba Swat) - has anyone seen this before? We were able to
successfully shut down the service and remove the file.
Paul Goverts IV
St. John Fisher College
Rochester, NY 14618
From: Brian Eckman [mailto:eckman at umn.edu]
Sent: Wednesday, February 18, 2004 2:36 PM
To: Jeff Nagel
Cc: unisog at sans.org
Subject: Re: [unisog] Virus?
Jeff Nagel wrote:
> Here is what I found after spending some time with an infected
> C:\Winnt\System32 there are two files, winampa.exe and
> which are both 226K. There is also a service installed called Win
> In the registry in HKLM\Software\Microsoft\Windows\Current Version\Run
> Run Services there is a key named win leoahder. I deleted the two
> keys and the two files and I was able run regedit as well Norton. Not
> if this was a virus a worm or some spyware.
It's a new variant of Gaobot. I sent one in to Symantec today. It should
be in their definitions tomorrow.
When I deleted the two registry entries and rebooted (using a lab
machine), it put the registry entries back before the reboot occurred, so
I was not able to remove it via that method. I was not able to end
process on the winampa.exe process (access denied error), and was not
able to manually stop the Service either (access denied error).
Just a note: If you nmap a machine that has Gaobot (or you suspect has
Gaobot), try telnetting to any obscure high numbered open port that you
find. Typically, a machine infected with Gaobot will have one of the
open ports throw a binary stream at you upon connecting to it. I use
netcat to connect to that port and output the stream to a file (nc -v
ip.address.here port > bot.exe). Then I open that file in a hex editor
and remove the first four bytes, and save it. That gives me a working
copy of the Gaobot worm that host is infected with.
Another random port that is opened by Gaobot will return a "220 Welcome
to the Bot FTP Service" or something just like that.
I have recently noticed that several variants of Gaobot (including the
one that you mention) were trying to access 10.0.1.128:6667. That IP
address isn't in use on our network (it might be a lookup for an old IRC
server at lar.ath.cx). Might be one way to look for more Gaobot
infections on your campus.
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
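
An added example, not part of either message: one way to sweep connection logs for the two network indicators mentioned in this thread (attempts to reach 10.0.1.128:6667, and a host scanning many machines on port 901). The log format, the sample records, the function names and the scan threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Indicators taken from the thread above.
IRC_ENDPOINT = ("10.0.1.128", 6667)  # address Gaobot variants tried to reach
SWAT_PORT = 901                      # port winampa.exe was seen scanning
SCAN_THRESHOLD = 5                   # assumption: distinct targets before flagging

# Constructed sample records in an assumed format: "timestamp src dst dport".
SAMPLE_LOG = "\n".join(
    [
        "2004-02-25T09:00:01 192.0.2.10 10.0.1.128 6667",
        "2004-02-25T09:00:05 192.0.2.30 192.0.2.50 901",  # one SWAT session
        "garbage line",                                   # malformed record
        "2004-02-25T09:01:00 192.0.2.20 10.0.1.128 6667",
    ]
    + [f"2004-02-25T09:02:0{i} 192.0.2.20 198.51.100.{i} 901" for i in range(1, 7)]
)

def parse(line):
    """Return (src, dst, dport), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def find_suspects(log_text, threshold=SCAN_THRESHOLD):
    """Map each suspect source IP to the set of reasons it was flagged."""
    swat_targets = defaultdict(set)  # src -> distinct hosts contacted on 901
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if (dst, dport) == IRC_ENDPOINT:
            suspects[src].add("irc-10.0.1.128:6667")
        if dport == SWAT_PORT:
            swat_targets[src].add(dst)
    # A single connection to 901 may be legitimate admin use; many targets is a scan.
    for src, targets in swat_targets.items():
        if len(targets) >= threshold:
            suspects[src].add("scan-901")
    return dict(suspects)

if __name__ == "__main__":
    for host, reasons in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, ",".join(sorted(reasons)))
```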