[unisog] Virus?

Hasan Khalil Hasan.Khalil at uconn.edu
Wed Feb 25 18:29:25 GMT 2004


I've seen numerous instances of the exact same thing (winampa.exe, port 
901 scans) here on UConn's ResNet.

Hasan Khalil
ResNet Security
University of Connecticut

Goverts IV, Paul wrote:
> This may or may not be related - this morning I found a (hidden) file
> named winampa.exe under c:\windows\system32 on an XP Home PC.  Using the
> 2/24 defs, Symantec Antivirus is unable to identify it as anything.  It
> is a 32.5k file, which appears to have been port-scanning machines on
> Port 901 (Samba Swat) - has anyone seen this before?  We were able to
> successfully shut down the service and removed the file.
> 
> Paul Goverts IV
> Computer Services
> St. John Fisher College
> Rochester, NY 14618
> 
> -----Original Message-----
> From: Brian Eckman [mailto:eckman at umn.edu] 
> Sent: Wednesday, February 18, 2004 2:36 PM
> To: Jeff Nagel
> Cc: unisog at sans.org
> Subject: Re: [unisog] Virus?
> 
> Jeff Nagel wrote:
> 
>>Here is what I found after spending some time with an infected
>>machine.  In C:\Winnt\System32 there are two files, winampa.exe and
>>winampa.exe.poly which are both 226K.  There is also a service installed
>>called Win leoahder.  In the registry in
>>HKLM\Software\Microsoft\Windows\Current Version\Run and Run Services
>>there is a key named win leoahder.  I deleted the two registry keys and
>>the two files and I was able to run regedit as well as Norton.  Not sure
>>if this was a virus, a worm, or some spyware.
> 
> 
> It's a new variant of Gaobot. I sent one in to Symantec today. It should
> be in their definitions tomorrow.
> 
> When I deleted the two registry entries and rebooted (using a lab 
> machine), it put the registry entries back before the reboot occurred, so
> I was not able to remove it via that method. I was not able to end 
> process on the winampa.exe process (access denied error), and was not 
> able to manually stop the Service either (access denied error).
> 
> Just a note: If you nmap a machine that has Gaobot (or you suspect has 
> Gaobot), try telnetting to any obscure high numbered open port that you 
> find. Typically, a machine infected with Gaobot will have one of the 
> open ports throw a binary stream at you upon connecting to it. I use 
> netcat to connect to that port and output the stream to a file (nc -v 
> ip.address.here port > bot.exe). Then I open that file in a hex editor 
> and remove the first four bytes, and save it. That gives me a working 
> copy of the Gaobot worm that host is infected with.
> 
> Another random port that is opened by Gaobot will return a "220 Welcome 
> to the Bot FTP Service" or something just like that.
> 
> I have recently noticed that several variants of Gaobot (including the 
> one that you mention) were trying to access 10.0.1.128:6667. That IP 
> address isn't in use on our network (it might be a lookup for an old IRC
> server at lar.ath.cx). Might be one way to look for more Gaobot 
> infections on your campus.
> 
> 
> Brian
> 
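The two network indicators the thread mentions (one source sweeping many hosts on port 901, and hosts trying to reach 10.0.1.128:6667) can be pulled out of perimeter logs; the script below is an added example, not code from any poster, and the iptables-style log lines and the 3-target scan threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables-style format (assumed; not a real log
# from the thread). 10.1.2.3 sweeps four hosts on 901 and then tries the IRC host.
SAMPLE_LOG = """\
Feb 25 18:01:02 gw kernel: SRC=10.1.2.3 DST=10.1.5.7 PROTO=TCP SPT=3201 DPT=901
Feb 25 18:01:02 gw kernel: SRC=10.1.2.3 DST=10.1.5.8 PROTO=TCP SPT=3202 DPT=901
Feb 25 18:01:03 gw kernel: SRC=10.1.2.3 DST=10.1.5.9 PROTO=TCP SPT=3203 DPT=901
Feb 25 18:01:03 gw kernel: SRC=10.1.2.3 DST=10.1.5.10 PROTO=TCP SPT=3204 DPT=901
Feb 25 18:01:05 gw kernel: SRC=10.1.2.3 DST=10.0.1.128 PROTO=TCP SPT=3205 DPT=6667
Feb 25 18:01:09 gw kernel: SRC=10.1.7.44 DST=10.1.5.7 PROTO=TCP SPT=4410 DPT=901
Feb 25 18:01:11 gw kernel: SRC=10.1.9.2 DST=10.1.5.1 PROTO=TCP SPT=1025 DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Indicators taken from the thread: the unused IRC address/port and the SWAT port.
IRC_C2 = ("10.0.1.128", 6667)
SCAN_PORT = 901

def parse_line(line):
    """Return a dict with src/dst/proto/spt/dpt, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def find_port901_scanners(log, min_targets=3):
    """Sources that hit at least min_targets distinct hosts on port 901 (threshold is assumed)."""
    targets = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] == SCAN_PORT:
            targets[rec["src"]].add(rec["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)

def find_irc_c2_attempts(log):
    """Sources that tried to reach the IRC host/port named in the thread."""
    hits = set()
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and (rec["dst"], rec["dpt"]) == IRC_C2:
            hits.add(rec["src"])
    return sorted(hits)

if __name__ == "__main__":
    print("port 901 scanners:", find_port901_scanners(SAMPLE_LOG))
    print("IRC C2 attempts:", find_irc_c2_attempts(SAMPLE_LOG))
```

A host that shows up in both lists is a strong candidate for the winampa.exe / Win leoahder check described above.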