[unisog] Virus?

Brian Eckman eckman at umn.edu
Wed Feb 25 19:16:48 GMT 2004

Jeff Nagel wrote:
> We have run across this on probably close to 50 machines.  A Norton scan
> identifies this as Gaobot.gen but does not do anything with it.  We have
> been manually removing it using the instructions I posted below with the
> addition that you must boot into safe mode otherwise you can't delete the
> files since they are in use.  


Are you sure you and Paul are talking about the same thing? Yes, many 
variants of Gaobot use that file name, but I've never seen any of the 
variants be that small, nor have I seen them scanning for 901/tcp. Can 
you confirm that your infections have exhibited this behavior? Or did 
they just have the same file name?

I suspect what Paul is reporting is not Gaobot, but I could be wrong. 
I've seen at least 10 variants of Gaobot on campus, and have submitted 
at least 8 new ones to Symantec that they had not detected at the time, 
and I have yet to see one scanning 901/tcp.


> -----Original Message-----
> From: Goverts IV, Paul [mailto:pgoverts at sjfc.edu] 
> Sent: Wednesday, February 25, 2004 11:22 AM
> To: unisog at sans.org
> Subject: RE: [unisog] Virus?
> This may or may not be related - this morning I found a (hidden) file
> named winampa.exe under c:\windows\system32 on an XP Home PC.  Using the
> 2/24 defs, Symantec Antivirus is unable to identify it as anything.  It
> is a 32.5k file, which appears to have been port-scanning machines on
> Port 901 (Samba Swat) - has anyone seen this before?  We were able to
> successfully shut down the service and removed the file.
> Paul Goverts IV
> Computer Services
> St. John Fisher College
> Rochester, NY 14618


Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

More information about the unisog mailing list