
List:       focus-virus
Subject:    RE: system32\winamp.exe
From:       "Jeremy Pollack" <jpollack () bigfoot ! com>
Date:       2004-08-28 2:06:35
Message-ID: 20040828020635.IYVO4754.lakermmtao04.cox.net () hermes

This looks like the same thing we got hit with about 6 months ago. It was a
variant of Gaobot, Gaobot.AFJ.

At the time, the code was written so that it was only hitting .EDU domains,
so it was pretty low on Symantec and other major AV vendors' radar. We had
to do manual cleaning. 

If that is what it is, check C:\ for oddly named .exe files. They are
obvious when you see them, but they are encrypted copies of the virus. Also,
check your services. Our Gaobot installed itself as a service which would
reinstall itself from the encrypted .exe files on C:\

Thank you for posting this script. I am definitely going to save it as it
looks like a solid little cleaning script for this type of machine
infection. At my .edu we had to deal with a *lot* of these gaobot variants
last year. If this happens again, this script will be quite useful.
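A read-only triage pass for the indicators described in this reply and in the quoted original below (winamp.exe dropped in system32, Run/RunServices values named Winamp, a service that restores the bot from oddly named .exe files in the root of C:\, and a rewritten hosts file), as an added example that is not part of either post. It is PowerShell, so it assumes a far newer Windows (PowerShell 5.1 or later, run as Administrator) than the 2004 machines in the thread; the paths, value names and the drive-root heuristic come from the thread, and the script only reports, it deletes nothing, so the samples stay intact for the AV vendor.

```powershell
# Added triage script, not from the original thread. Run as Administrator on the
# suspect workstation. Reports indicators only; nothing is killed or deleted.
$sys32    = Join-Path $env:SystemRoot 'system32'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. The dropped binary. A legitimate Winamp player installs under Program Files,
#    never into system32, so presence here is suspicious on its own.
$bot = Join-Path $sys32 'winamp.exe'
if (Test-Path $bot) {
    $h = (Get-FileHash -Path $bot -Algorithm SHA256).Hash
    $findings.Add("Dropped binary: $bot SHA256=$h")
}

# 2. Autostart values named Winamp, or pointing at the system32 copy.
#    RunServices is only honoured by Win9x/ME, so tolerate its absence.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PowerShell provider metadata
        if ($p.Name -eq 'Winamp' -or "$($p.Value)" -match 'system32\\winamp\.exe') {
            $findings.Add("Autostart: $k\$($p.Name) = $($p.Value)")
        }
    }
}

# 3. A running copy, with the path it was actually started from.
Get-CimInstance Win32_Process -Filter "Name = 'winamp.exe'" | ForEach-Object {
    $findings.Add("Process: PID $($_.ProcessId) $($_.ExecutablePath)")
}

# 4. Gaobot-style persistence: a service whose binary sits directly in a drive
#    root (C:\something.exe), plus the oddly named .exe files themselves.
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -match '^"?[A-Za-z]:\\[^\\]+\.exe'
} | ForEach-Object {
    $findings.Add("Service: $($_.Name) ($($_.State)) -> $($_.PathName)")
}
Get-ChildItem -Path "$env:SystemDrive\" -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add("Root exe: $($_.FullName) $($_.Length) bytes, modified $($_.LastWriteTime)")
    }

# 5. hosts file: anything beyond comments and the default localhost lines is
#    worth a look (the thread's cleaning script simply deletes this file).
$hostsFile = Join-Path $sys32 'drivers\etc\hosts'
if (Test-Path $hostsFile) {
    Get-Content $hostsFile | Where-Object {
        $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    } | ForEach-Object { $findings.Add("hosts: $_") }
}

if ($findings.Count -eq 0) { 'No winamp.exe / Gaobot indicators found.' } else { $findings }
```

The service and drive-root checks are heuristics: a service binary in C:\ is unusual but not impossible on a hand-built box, so treat a hit as something to hash and submit rather than proof of infection. The SHA256 is there so that several infected workstations can be compared before anything is cleaned.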

-----Original Message-----
From: Eric Stevenson [mailto:EStevenson@suz.com] 
Sent: Friday, August 27, 2004 2:46 PM
To: 'focus-virus@securityfocus.org'
Subject: FW: system32\winamp.exe

 

winamp.exe has been appearing in a few of our workstations' system32 dir. I've
attached a copy of the exe renamed to .too.


It creates a few reg keys and starts itself at boot. Mysteriously, at the
same time some of our domain users' accounts are being locked out. I turned
on account logon failure auditing and it appears to be attempting to brute-force
our domain.


I'm hoping someone here may have some more info.

thanks 

e- 



Pasted below is a .vbs that deletes it from a system. I'm not a good .vbs
coder, so sorry it's so sloppy =p

' script designed to clean winamp virus
' 8.26.04 -- estevenson@suz.com

Option Explicit
On Error Resume Next

' declare vars
Dim WshShell, fso, Processes, Process, RetVal
Dim key, key2, strComputerName, strWinMgt, procName, host, hosts, virusEXE
Dim answer, wshEXE, iReturn

strComputerName = "."
strWinMgt = "winmgmts://" & strComputerName

' create objects
Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set Processes = GetObject(strWinMgt).ExecQuery("select * from Win32_Process")

' set values
key = "HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\Winamp"
key2 = "HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices\Winamp"

procName = "winamp.exe"
host = "c:\winnt\i386\hosts"
hosts = "c:\winnt\system32\drivers\etc\hosts"
virusEXE = "c:\winnt\system32\winamp.exe"

' offer to install the current Windows Script Host, then reboot into safe mode
answer = MsgBox("Click OK to install the current version of WSH." & vbCrLf & vbCrLf _
    & " You may click cancel if you have already performed this step. " _
    & vbCrLf & " After installing WSH, click yes to reboot and restart in safe mode." _
    & vbCrLf & " From safe mode, please run F:\ADMIN\UTILS\scripts\vbs\killWinAmp.vbs", _
    vbYesNo + vbInformation, "Click yes to install WSH")
If answer = vbYes Then
    wshEXE = "F:\ADMIN\UTILS\scripts\vbs\scripten.exe /q"
    iReturn = WshShell.Run(wshEXE)
End If

' loop through the processes and kill procName
For Each Process In Processes
    If LCase(Process.Caption) = procName Then
        ' WMI Terminate returns 0 on success
        RetVal = Process.Terminate(0)
        If RetVal <> 0 Then
            ' can't kill the process
            MsgBox "Unable to terminate the process. Please restart the computer " _
                & "in safe mode and run this script", vbOKOnly + vbCritical, _
                "An Error Has Occurred"
        End If
    End If
Next

' kill the reg keys
WshShell.RegDelete key
WshShell.RegDelete key2

' kill the hosts files and the virus binary (skipping any that are not present)
DeleteIfExists host
DeleteIfExists hosts
DeleteIfExists virusEXE

MsgBox "Done!", , "Suzuki IT"

' delete a file only if it exists; the True flag forces removal of read-only files
Sub DeleteIfExists(path)
    If fso.FileExists(path) Then
        fso.DeleteFile path, True
    End If
End Sub
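To find which machine is behind the lockouts described above, the failure auditing Eric enabled can be read back from the domain controller's Security log and grouped by source host. The function below is an added example, not part of the thread; it assumes a current Windows where the relevant events are 4625 (logon failure, carrying WorkstationName and IpAddress) and 4740 (account locked out, whose TargetDomainName field holds the caller computer name), and that it runs with rights to read the Security log on the domain controller named in -ComputerName.

```powershell
# Added example, not from the original thread. Summarises failed logons and
# lockouts per source host from a domain controller's Security log.
# Assumes modern event IDs 4625 / 4740 and "Audit Logon" failure auditing.
function Get-LockoutSources {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a DC; defaults to this host
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4625, 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # "No events found" is a non-terminating error; suppress it and return nothing.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($e.Id -eq 4625) {
            # WorkstationName is "-" when the client did not supply one; fall back to IP.
            $src = $d['WorkstationName']
            if (-not $src -or $src -eq '-') { $src = $d['IpAddress'] }
            [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'failure'
                               Account = $d['TargetUserName']; Source = $src }
        } else {
            # In 4740 the caller computer name is carried in TargetDomainName.
            [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'lockout'
                               Account = $d['TargetUserName']; Source = $d['TargetDomainName'] }
        }
    }

    # A worm spraying passwords shows up as one source touching many accounts.
    $rows | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Failures = @($_.Group | Where-Object Kind -eq 'failure').Count
            Lockouts = @($_.Group | Where-Object Kind -eq 'lockout').Count
            Accounts = @($_.Group.Account | Sort-Object -Unique).Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Failures -Descending
}

Get-LockoutSources -Hours 4 | Format-Table -AutoSize
```

The row to act on is the source with a high failure count spread across many distinct accounts; a user mistyping a password produces many failures against one account from one host, whereas a bot walking the domain produces the opposite shape. That host is the next one to run the cleaning script on, and isolating it stops the lockouts while the rest are found.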

