
New virus?


TechMC (MIS), Dec 9, 2003, US
Hi Guys,

We have had a virus spreading on our network this morning that is undetectable by Symantec Anti-virus. We found out the following:

It adds a registry key in currentversion/run – wmplayer.exe

Adds a file wmplayer.exe in c:\windows\prefetch

Starts a process called wmplayer.exe

It opens random ports and listens for incoming connections

It sends out SYN packets to random IPs on 10.0.x.x hoping for an acknowledgement (I think this is how it spreads)

It makes connections to websites, and opens sexeplorer/T.htm

It spread to a few machines before we could do anything...

Anyone have any idea which virus this is?
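The fan-out of SYNs to random 10.0.x.x addresses described in the post is the kind of behaviour a perimeter or host firewall log can surface before the antivirus signature exists. The following is an added Python example, not code from the thread; it assumes a constructed log format of `time src -> dst:port flags` and a constructed destination port, and flags any source that sends bare SYNs to an unusually large number of distinct internal hosts.

```python
"""Flag hosts that fan out SYNs to many distinct 10.0.x.x addresses."""
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread). One host, 10.0.1.17,
# sprays SYNs across random third octets; 10.0.1.50 behaves normally.
# The port (445) is a constructed value; the thread does not name a port.
SAMPLE_LOG = """\
09:14:01 10.0.1.17 -> 10.0.3.201:445 SYN
09:14:01 10.0.1.17 -> 10.0.9.44:445 SYN
09:14:01 10.0.1.17 -> 10.0.27.8:445 SYN
09:14:02 10.0.1.17 -> 10.0.114.63:445 SYN
09:14:02 10.0.1.17 -> 10.0.66.2:445 SYN
09:14:02 10.0.1.17 -> 10.0.201.190:445 SYN
09:14:02 10.0.1.17 -> 10.0.3.201:445 SYN
09:14:02 10.0.1.50 -> 10.0.1.1:53 SYN
09:14:02 10.0.1.1 -> 10.0.1.50:53 SYN ACK
09:14:03 10.0.1.50 -> 10.0.1.2:80 SYN
09:14:03 10.0.1.50 -> 192.0.2.10:80 SYN
"""

LINE_RE = re.compile(r"^\S+\s+(\S+)\s+->\s+(\S+):(\d+)\s+(.*)$")
INTERNAL_RE = re.compile(r"^10\.0\.\d{1,3}\.\d{1,3}$")


def parse_syns(text):
    """Yield (src, dst, port) for bare SYNs (no ACK flag) aimed at 10.0.x.x."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, port, flags = m.groups()
        if flags.split() != ["SYN"]:  # skip SYN/ACK replies and other traffic
            continue
        if INTERNAL_RE.match(dst):
            yield src, dst, int(port)


def find_scanners(text, threshold=5):
    """Return {src: sorted distinct targets} for sources at or above threshold.

    A worm probing random internal addresses produces many distinct targets
    in a short window; a workstation talking to a DNS server does not.
    """
    targets = defaultdict(set)
    for src, dst, _port in parse_syns(text):
        targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}
```

A real deployment would bucket by time window and exclude known scanners (vulnerability management, monitoring) before alerting.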

 
It looks like you may have a strain of Agobot aka Gaobot.
Take a look at these sites and see if any of them might be of help. There are so many different variants of this virus it is hard to pinpoint which exact strain it is. If not, let us know.




You may also want to try out this tool from Symantec, but I know it does not get rid of all the strains of Gaobot.

If none of the above work try this

I hope this helps
Art
 
Looks like W32/Wallon.worm.a.

This worm spreads by sending a hyperlink via email to addresses harvested from the Windows Address Book (WAB). The worm contains its own SMTP engine and uses the default SMTP server specified in the Internet Account Manager.

Sent messages attempt to trick users into following the hyperlink, which ultimately results in an infection. Through a series of redirected pages, the user is taken to a site that contains Internet Explorer exploit code (this page exploits MS04-013 and is detected as Exploit-MhtRedir.gen). This exploit downloads a CHM file, which contains another Internet Explorer exploit (targeting MS04-004 and detected as VBS/Psyme), which downloads a file and overwrites the existing wmplayer.exe file.

* %ProgramFiles%\Windows Media Player\wmplayer.exe

This file downloads and installs the Wallon worm.


More info at
"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
 