[unisog] Virus?

Goverts IV, Paul pgoverts at sjfc.edu
Wed Feb 25 17:22:09 GMT 2004


This may or may not be related - this morning I found a (hidden) file
named winampa.exe under c:\windows\system32 on an XP Home PC.  Using the
2/24 defs, Symantec Antivirus is unable to identify it as anything.  It
is a 32.5k file, which appears to have been port-scanning machines on
Port 901 (Samba Swat) - has anyone seen this before?  We were able to
successfully shut down the service and remove the file.

Paul Goverts IV
Computer Services
St. John Fisher College
Rochester, NY 14618

-----Original Message-----
From: Brian Eckman [mailto:eckman at umn.edu] 
Sent: Wednesday, February 18, 2004 2:36 PM
To: Jeff Nagel
Cc: unisog at sans.org
Subject: Re: [unisog] Virus?

Jeff Nagel wrote:
> Here is what I found after spending some time with an infected machine.
> In C:\Winnt\System32 there are two files, winampa.exe and
> winampa.exe.poly, which are both 226K.  There is also a service installed
> called Win leoahder.  In the registry in
> HKLM\Software\Microsoft\Windows\Current Version\Run and Run Services there
> is a key named win leoahder.  I deleted the two registry keys and the two
> files and I was able to run regedit as well as Norton.  Not sure if this
> was a virus, a worm or some spyware.

It's a new variant of Gaobot. I sent one in to Symantec today. It should
be in their definitions tomorrow.

When I deleted the two registry entries and rebooted (using a lab
machine), it put the registry entries back before the reboot occurred, so
I was not able to remove it via that method. I was not able to end
process on the winampa.exe process (access denied error), and was not
able to manually stop the Service either (access denied error).

Just a note: If you nmap a machine that has Gaobot (or you suspect has 
Gaobot), try telnetting to any obscure high numbered open port that you 
find. Typically, a machine infected with Gaobot will have one of the 
open ports throw a binary stream at you upon connecting to it. I use 
netcat to connect to that port and output the stream to a file (nc -v 
ip.address.here port > bot.exe). Then I open that file in a hex editor 
and remove the first four bytes, and save it. That gives me a working 
copy of the Gaobot worm that host is infected with.

Another random port that is opened by Gaobot will return a "220 Welcome 
to the Bot FTP Service" or something just like that.

I have recently noticed that several variants of Gaobot (including the
one that you mention) were trying to access 10.0.1.128:6667. That IP
address isn't in use on our network (it might be a lookup for an old IRC
server at lar.ath.cx). Might be one way to look for more Gaobot
infections on your campus.


Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
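Added example, not part of the thread: a small Python check that applies the network indicator Brian describes (hosts attempting to reach 10.0.1.128 on port 6667) to constructed firewall-style log lines, plus a matcher for the "220 Welcome to the Bot FTP Service" banner. The log line format and the 192.0.2.x host addresses are constructed for this example and do not come from any real product.

```python
import re
from collections import defaultdict

# Indicator from the thread: infected hosts try to reach 10.0.1.128 on TCP 6667.
GAOBOT_C2 = ("10.0.1.128", 6667)
# Banner the thread reports on a bot-opened FTP port (wording may vary slightly).
BOT_FTP_BANNER_FRAGMENT = "bot ftp service"

# Constructed, simplified firewall log format (assumption, not a real product's):
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def find_gaobot_beacons(lines):
    """Return {src_ip: attempt_count} for hosts that tried the C2 IP:port over TCP."""
    hits = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if m["proto"] == "tcp" and (m["dst"], int(m["dport"])) == GAOBOT_C2:
            hits[m["src"]] += 1
    return dict(hits)


def is_bot_ftp_banner(banner):
    """True if a captured service greeting looks like the bot FTP banner."""
    text = banner.strip().lower()
    return text.startswith("220") and BOT_FTP_BANNER_FRAGMENT in text


# Constructed sample log: two beaconing hosts, one unrelated flow, one UDP line,
# and one malformed line.
SAMPLE_LOG = [
    "2004-02-18T14:01:02 tcp 192.0.2.10:1043 -> 10.0.1.128:6667 deny",
    "2004-02-18T14:01:09 tcp 192.0.2.10:1044 -> 10.0.1.128:6667 deny",
    "2004-02-18T14:02:11 tcp 192.0.2.55:2231 -> 10.0.1.128:80 allow",
    "2004-02-18T14:02:30 udp 192.0.2.77:53001 -> 10.0.1.128:6667 deny",
    "2004-02-18T14:03:00 tcp 192.0.2.77:1100 -> 10.0.1.128:6667 deny",
    "not a log line",
]

if __name__ == "__main__":
    for host, n in sorted(find_gaobot_beacons(SAMPLE_LOG).items()):
        print(f"{host}: {n} attempt(s) to {GAOBOT_C2[0]}:{GAOBOT_C2[1]}")
    print(is_bot_ftp_banner("220 Welcome to the Bot FTP Service\r\n"))
```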


