Goverts IV, Paul
pgoverts at sjfc.edu
Thu Feb 26 14:54:32 GMT 2004
The winampa.exe file that I came across is only 32.5k. After we had
scanned the student's PC with Symantec Antivirus Corp. Edition and
removed a few other viruses, her PC continued to port scan 901. In
comparison, the "real" winampa.exe file is located in c:\program
files\winamp\winampa.exe, is 33k, which is similar. The "fake"
winampa.exe is hidden in system32 and also does not have the winamp icon
embedded in it like the real one. I verified the behavior of this file
by copying it to and running it from an isolated test image. The second
I executed this winampa.exe file, it moved itself to the system32 folder and
started 901/tcp scans. The latest 02/25 Symantec updated defs still do
not detect it.
Paul Goverts IV
St. John Fisher College
Rochester, NY 14618
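One way to find other machines showing the behaviour Paul describes, added here as an example and not part of the original thread: a short Python script that flags any host sending SYNs to many distinct addresses on 901/tcp inside a time window. The log lines and their format ("timestamp src:port -> dst:port proto flags") are constructed for the example; map the parser onto whatever your firewall or flow collector actually emits. The threshold is on distinct targets rather than on raw connections, so one admin browsing a Samba SWAT console (which listens on 901/tcp) is not flagged, while a host sweeping a subnet is.

```python
"""Flag hosts that sweep 901/tcp, from firewall/flow log lines.

Added example, not from the unisog thread. The log format below is a
constructed, hypothetical one:
  "<ISO timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> <proto> <tcp flags>"
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real traffic). 10.10.5.23 sweeps 901/tcp,
# 10.10.5.77 makes one ordinary connection to 901/tcp, 10.10.5.40 sweeps 80/tcp.
SAMPLE_LOG = """\
2004-02-26T14:50:01 10.10.5.23:1045 -> 10.10.7.1:901 tcp SYN
2004-02-26T14:50:01 10.10.5.23:1046 -> 10.10.7.2:901 tcp SYN
2004-02-26T14:50:02 10.10.5.23:1047 -> 10.10.7.3:901 tcp SYN
2004-02-26T14:50:02 10.10.5.23:1048 -> 10.10.7.4:901 tcp SYN
2004-02-26T14:50:03 10.10.5.23:1049 -> 10.10.7.5:901 tcp SYN
2004-02-26T14:50:03 10.10.5.23:1050 -> 10.10.7.6:901 tcp SYN
2004-02-26T14:50:04 10.10.5.23:1051 -> 10.10.7.1:901 tcp SYN
2004-02-26T14:50:05 10.10.5.77:2200 -> 10.10.8.1:901 tcp SYN
2004-02-26T14:50:06 10.10.5.77:2201 -> 10.10.8.1:901 tcp ACK
2004-02-26T14:50:10 10.10.5.40:3921 -> 10.10.9.9:80 tcp SYN
2004-02-26T14:50:11 10.10.5.40:3922 -> 10.10.9.10:80 tcp SYN
2004-02-26T14:50:12 10.10.5.40:3923 -> 10.10.9.11:80 tcp SYN
2004-02-26T14:50:13 10.10.5.40:3924 -> 10.10.9.12:80 tcp SYN
2004-02-26T14:50:14 10.10.5.40:3925 -> 10.10.9.13:80 tcp SYN
2004-02-26T14:50:15 10.10.5.40:3926 -> 10.10.9.14:80 tcp SYN
"""


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, dst_ip, dst_port, proto, flags)."""
    ts, src, arrow, dst, proto, flags = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src_ip, dst_ip, int(dst_port), proto, flags


def find_scanners(lines, port=901, min_targets=5, window_seconds=60):
    """Return {src_ip: peak_distinct_targets} for every source that SYNs at
    least `min_targets` distinct hosts on tcp/`port` within any window of
    `window_seconds`. Only SYN-flagged lines count, so replies and
    established sessions do not inflate the count."""
    events = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags = parse_line(line)
        if proto == "tcp" and dport == port and flags == "SYN":
            events.setdefault(src, []).append((ts, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()  # sliding window needs time order
        in_window = Counter()  # dst_ip -> number of SYNs currently inside the window
        start = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Drop events that fell out of the window relative to this one.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    for host, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: probed {n} distinct hosts on 901/tcp")
```

Run against the constructed sample, only 10.10.5.23 is reported (six distinct targets on 901/tcp); 10.10.5.77's single SWAT-style connection stays below the threshold, and 10.10.5.40's sweep of port 80 only shows up if you ask for `port=80`. Hosts it reports are the ones to pull off the network and check for the undetected winampa.exe in system32.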
From: Brian Eckman [mailto:eckman at umn.edu]
Sent: Wednesday, February 25, 2004 2:17 PM
To: Jeff Nagel
Cc: unisog at sans.org
Subject: Re: [unisog] Virus?
Jeff Nagel wrote:
> We have run across this on probably close to 50 machines. Norton
> identifies this as Gaobot.gen but does not do anything with it. We've
> been manually removing it using the instructions I posted below, with the
> addition that you must boot into safe mode; otherwise you can't delete the
> files since they are in use.
Are you sure you and Paul are talking about the same thing? Yes, many
variants of Gaobot use that file name, but I've never seen any of the
variants be that small, nor have I seen them scanning for 901/tcp. Can
you confirm that your infections have exhibited this behavior? Or did
they just have the same file name?
I suspect what Paul is reporting is not Gaobot, but I could be wrong.
I've seen at least 10 variants of Gaobot on campus, and have submitted
at least 8 new ones to Symantec that they had not detected at the time,
and I have yet to see one scanning 901/tcp.