Stefanie Ploof writes:
The common file we have found on the
infected Windows machines analyzed so far was wmediaplayer.exe with a
modified date of 10/7/2004. This file is not detected by Symantec or
Housecall. The file was located in C:\WINNT and C:\WINNT\SYSTEM32 on
the infected Windows 2000 computers that were analyzed. This file
infected the computers through an unknown vector, possibly through a
network share. Symantec has determined the file
is infected with W32.HLLW.Gaobot, even though a scan of the individual
file by the Symantec Antivirus workstation program did not conclude
this.
Other common behaviors of a computer infected with whatever
wmediaplayer.exe actually is infected with: odd mouse movement (mouse
pointer jumps around), slow network activity witnessed before the
address was turned off, -and- general machine lethargy.
Because the infected computers were actively attempting to log into
servers, this action is considered an "external" complaint, so Network
Services has blocked the following IPs at the router:
132.198.70.81
132.198.84.202
132.198.105.182
132.198.119.82
132.198.124.166
132.198.147.124
132.198.147.148
132.198.106.117
132.198.176.139
132.198.176.28
132.198.176.45
132.198.176.83
132.198.177.161
132.198.182.33
132.198.182.99
132.198.188.38
132.198.213.55
132.198.220.101
132.198.220.104
132.198.220.106
132.198.227.189
132.198.228.85
132.198.228.88
132.198.229.83
132.198.231.10
132.198.232.234
132.198.233.129
132.198.233.193
132.198.241.229
132.198.244.197
132.198.246.223
132.198.252.92
If you are the IT person for any of the given IPs please consider this
as a possible reason why one of your end users is unable to connect to
the Internet. In order to quickly get this information to you, I am
only posting the IP addresses, no information about the users of the IP
addresses has been collected yet. Please contact me directly with IPs
you are concerned about.
I consider it acceptable if the computer is booted into safe mode, wmediaplayer.exe file is deleted from the Windows directory (C:\WINNT or C:\WINDOWS) and from the System32 directory (C:\WINNT\SYSTEM32 or C:\WINDOWS\SYSTEM32), all registry entries referring to wmediaplayer.exe are removed (use the Find menu option), the offline and online Internet files are deleted, and all accounts on the computer have been given a strong/non-weak password. This course of action worked to clean several computers so far. If you have taken these actions on a computer that was infected please notify me of which IPs you cleaned so that they can be enabled.
I will post follow-up information as I have it available.
Thanks, everyone.
Stefanie
Please see messages posted to the IT-Discuss listserv for further information.
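The message above describes the indicators by hand: a wmediaplayer.exe in the Windows directory and in System32, and registry entries that refer to it. The script below is an added triage example, not part of the original post and not something the author distributed. It only reports; it does not delete files or registry values, so the manual safe-mode cleanup the post describes still applies once a host is confirmed. Assumptions: PowerShell 5.1 or later, run elevated so HKLM and System32 are readable; the autostart keys and the service and process checks are common places such a file would register itself, chosen here as an assumption, since the post only says to search the whole registry with the Find option.

```powershell
# Added example, not from the original post. Read-only triage for the indicators the
# list message describes. Assumes PowerShell 5.1+ in an elevated session.

$Indicator = 'wmediaplayer.exe'

# File locations named in the post, built from the real system root so that both
# C:\WINNT (Windows 2000) and C:\WINDOWS (later versions) are covered.
$FilePaths = @(
    (Join-Path $env:SystemRoot $Indicator),
    (Join-Path $env:SystemRoot "System32\$Indicator")
)

# Common autostart keys. This list is an assumption; the post says to search the
# whole registry, which this script does not replace.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-IndicatorFiles {
    # Report each indicator file that exists, with size, modified date and hash so
    # that hosts can be compared against each other (the post cites a 10/7/2004 date).
    foreach ($Path in $FilePaths) {
        if (Test-Path -LiteralPath $Path) {
            $Item = Get-Item -LiteralPath $Path
            [pscustomobject]@{
                Type     = 'File'
                Location = $Item.FullName
                Detail   = "size=$($Item.Length) modified=$($Item.LastWriteTime)"
                SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            }
        }
    }
}

function Find-IndicatorRegistryValues {
    # Report any value under the autostart keys whose data mentions the file name.
    foreach ($Key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Props = Get-ItemProperty -LiteralPath $Key
        foreach ($Prop in $Props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc. bookkeeping; skip those.
            if ($Prop.Name -like 'PS*') { continue }
            if ("$($Prop.Value)" -match [regex]::Escape($Indicator)) {
                [pscustomobject]@{
                    Type     = 'Registry'
                    Location = "$Key\$($Prop.Name)"
                    Detail   = "$($Prop.Value)"
                    SHA256   = $null
                }
            }
        }
    }
}

function Find-IndicatorServices {
    # Services whose binary path references the file (assumed location, not from the post).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { "$($_.PathName)" -match [regex]::Escape($Indicator) } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Location = $_.Name; Detail = $_.PathName; SHA256 = $null }
        }
}

function Find-IndicatorProcesses {
    # A running copy of the file, if any (assumed check, not from the post).
    Get-Process -Name ([System.IO.Path]::GetFileNameWithoutExtension($Indicator)) -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Process'; Location = "PID $($_.Id)"; Detail = $_.Path; SHA256 = $null }
        }
}

$Findings = @(Find-IndicatorFiles) + @(Find-IndicatorRegistryValues) +
            @(Find-IndicatorServices) + @(Find-IndicatorProcesses)

if ($Findings.Count -eq 0) {
    Write-Output "No $Indicator indicators found on $env:COMPUTERNAME."
} else {
    Write-Output "$($Findings.Count) $Indicator indicator(s) found on $env:COMPUTERNAME:"
    $Findings | Format-Table -AutoSize
}
```

Run it as an administrator on a suspect host; a clean result on the file paths alone is not conclusive, because a copy could sit elsewhere and the HKCU keys checked are those of the account running the script, not of every user profile on the machine. The SHA256 column lets an IT contact confirm that the file on their host matches the one seen on others before reporting the IP as cleaned.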