Network Security Focus-Virus

RE: system32\winamp.exe

Subject: RE: system32\winamp.exe
Date: Fri, 27 Aug 2004 22:06:35 -0400
This looks like the same thing we got hit w/ about 6 months ago. It was a
variant of Gaobot, Gaobot.AFJ.

At the time, the code was written so that it was only hitting .EDU domains,
so it was pretty low on Symantec and other major AV vendors' radar. We had
to do manual cleaning. 

If that is what it is, check C:\ for oddly named .exe files. They are
obvious when you see them, but they are encrypted copies of the virus. Also,
check your services. Our Gaobot installed itself as a service which would
reinstall itself from the encrypted .exe files on C:\

Thank you for posting this script. I am definitely going to save it as it
looks like a solid little cleaning script for this type of machine
infection. At my .edu we had to deal with a *lot* of these gaobot variants
last year. If this happens again, this script will be quite useful.
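The reply above boils down to two checks: look for oddly named executables in the root of C:\, and look at every autostart location (Run keys, the RunServices key the original post names, and installed services) for an image that does not belong there. The following Python is an added example of that triage, not code from either poster. It runs over a constructed snapshot of autostart entries and a constructed C:\ directory listing rather than reading the live registry, so it runs on any platform; the "random-looking name" rule (a stem of four or more characters with no vowel at all) is an assumed, crude heuristic, and the baseline of known-good executables per directory is something you would build from a clean reference host.

```python
"""Triage autostart entries and drive-root executables against a baseline."""
from pathlib import PureWindowsPath

VOWELS = set("aeiouy")

# Constructed snapshot of autostart entries (registry Run/RunServices values
# and service image paths) as a defender might export them from a host.
AUTOSTARTS = [
    {"source": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Winamp", "path": r"C:\WINNT\system32\winamp.exe"},
    {"source": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "name": "Winamp", "path": r"C:\WINNT\system32\winamp.exe"},
    {"source": "service", "name": "Spooler",
     "path": r"C:\WINNT\system32\spoolsv.exe"},
    {"source": "service", "name": "Winamp Update",
     "path": r"C:\xkq7dpl.exe"},
]

# Constructed directory listing of the C:\ root on the same host.
ROOT_FILES = ["boot.ini", "ntldr", "xkq7dpl.exe", "gh2kz.exe", "setup.exe"]

# Known-good executables per directory; keys are lower-cased directory paths.
# Assumption: built from a clean reference machine, not shipped with this code.
BASELINE = {
    r"c:\winnt\system32": {"spoolsv.exe", "services.exe", "svchost.exe", "csrss.exe"},
}


def looks_random(filename):
    """Crude heuristic: a stem of >= 4 characters containing no vowel at all."""
    stem = PureWindowsPath(filename).stem.lower()
    if len(stem) < 4:
        return False
    return not any(c in VOWELS for c in stem)


def check_autostarts(entries, baseline):
    """Return one finding per autostart entry whose image is not in the baseline.

    Each finding lists why the entry is worth a look: not in the baseline for
    its directory, running from the drive root, and/or a random-looking name.
    """
    findings = []
    for entry in entries:
        image = PureWindowsPath(entry["path"])
        directory = str(image.parent)
        if image.name.lower() in baseline.get(directory.lower(), set()):
            continue  # known-good for that directory
        reasons = ["not in baseline for " + directory]
        if image.parent == PureWindowsPath("C:\\"):
            reasons.append("runs from drive root")
        if looks_random(image.name):
            reasons.append("random-looking file name")
        findings.append({"source": entry["source"], "name": entry["name"],
                         "path": entry["path"], "reasons": reasons})
    return findings


def suspicious_root_files(root_files):
    """Executables sitting directly in the drive root with random-looking names."""
    return sorted(f for f in root_files
                  if f.lower().endswith(".exe") and looks_random(f))


def triage(entries=AUTOSTARTS, root_files=ROOT_FILES, baseline=BASELINE):
    return {"autostarts": check_autostarts(entries, baseline),
            "root_executables": suspicious_root_files(root_files)}


if __name__ == "__main__":
    for finding in triage()["autostarts"]:
        print(finding["source"], finding["name"], finding["path"], "->", "; ".join(finding["reasons"]))
    print("drive-root suspects:", triage()["root_executables"])
```

Baseline membership is checked first so that legitimate system binaries with vowel-less names (csrss.exe, for instance) never trip the name heuristic; the heuristic only ranks entries that already fail the baseline check. On a real host the snapshot would come from exporting the Run/RunServices keys and the service image paths, and the findings are a starting point for manual inspection, not a verdict.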

-----Original Message-----
From: Eric Stevenson [mailto:EStevenson@suz.com] 
Sent: Friday, August 27, 2004 2:46 PM
To: 'focus-virus@securityfocus.org'
Subject: FW: system32\winamp.exe

 

winamp.exe has been appearing in a few of our workstations' system32 dir. I've
attached a copy of the exe renamed to .too ..


it creates a few reg keys and starts itself at boot. mysteriously, at the
same time some of our domain users' accounts are being locked out. I turned
on account logon failure auditing and it appears to be attempting to brute
force our domain.


I'm hoping someone here may have some more info..

thanks 

e- 



pasted below is a .vbs that deletes it from a system. I'm not a good .vbs
coder, so sorry it's so sloppy =p

' script designed to clean winamp virus
' 8.26.04 -- estevenson@suz.com

On Error Resume Next

' declare vars
Dim WshShell, fso, Processes, Process, key, key2, strComputerName, strWinMgt
Dim procName, host, hosts, virusEXE, answer, wshEXE, objShell, iReturn, RetVal, aFile
strComputerName = "."
strWinMgt = "winmgmts://" & strComputerName & ""

' create objects
Set WshShell = WScript.CreateObject("WScript.Shell")
Set Processes = GetObject(strWinMgt).ExecQuery("select * from Win32_Process")
Set fso = CreateObject("Scripting.FileSystemObject")

' set values
key = "HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run\Winamp"
key2 = "HKLM\SOFTWARE\MICROSOFT\Windows\CurrentVersion\RunServices\Winamp"

procName = "winamp.exe"
host = "c:\winnt\i386\hosts"
hosts = "c:\winnt\system32\drivers\etc\hosts"
virusEXE = "c:\winnt\system32\winamp.exe"

' offer to install the current Windows Script Host first; the script is meant
' to be run again from safe mode once that is done
answer = MsgBox("Click OK to install the current version of WSH." & vbCrLf & vbCrLf _
        & " You may click cancel if you have already performed this step. " _
        & vbCrLf & " After installing WSH, click yes to reboot and restart in safe mode." _
        & vbCrLf & " From safe mode, please run F:\ADMIN\UTILS\scripts\vbs\killWinAmp.vbs", _
        vbYesNo + vbInformation, "Click yes to install WSH")
If (answer = vbYes) Then
        wshEXE = "F:\ADMIN\UTILS\scripts\vbs\scripten.exe /q"
        Set objShell = WScript.CreateObject("WScript.Shell")
        iReturn = objShell.Run(wshEXE)
End If

' loop through the processes and kill procName
For Each Process In Processes
        If (LCase(Process.Caption) = procName) Then
                  RetVal = Process.Terminate(0)
                  If (RetVal <> 0) Then
                        ' can't kill the process
                        MsgBox "Unable to terminate the process. Please restart the computer " & _
                               "in safe mode and run this script", vbOKOnly + vbCritical, _
                               "An Error Has Occurred"
                  End If
        End If
Next

' kill the reg keys
WshShell.RegDelete key
WshShell.RegDelete key2

' kill the hosts files and the virus executable
' (On Error Resume Next above means a missing file is skipped silently)
Set aFile = fso.GetFile(host)
aFile.Delete

Set aFile = fso.GetFile(hosts)
aFile.Delete

Set aFile = fso.GetFile(virusEXE)
aFile.Delete

MsgBox "Done!", , "Suzuki IT"
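The original post turned on account logon failure auditing and saw the lockouts line up with guessing attempts against the domain. The Python below is an added example of how to confirm that from the audit trail; it is not code from either poster. It reads a constructed, one-line-per-event export of Security-log entries using the Windows 2000/2003 event IDs (529 = logon failure, bad user name or password; 644 = user account locked out) and flags any source workstation that fails logons for many distinct accounts inside a short window, which is the pattern a worm guessing its way across the domain leaves, as opposed to one user mistyping a password. The line format, the 60-second window and the five-account threshold are assumptions for the example.

```python
"""Find password-guessing sources in logon-failure audit events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed export: "<timestamp> <event id> user=<account> src=<workstation>".
# WS0417 fails six different accounts in six seconds, then two get locked out;
# WS0102 is one user mistyping a password twice before logging on (528 = success).
SAMPLE_EVENTS = """\
2004-08-27 14:01:02 529 user=jsmith src=WS0417
2004-08-27 14:01:03 529 user=jdoe src=WS0417
2004-08-27 14:01:04 529 user=mlee src=WS0417
2004-08-27 14:01:05 529 user=administrator src=WS0417
2004-08-27 14:01:06 529 user=rkhan src=WS0417
2004-08-27 14:01:07 529 user=pwong src=WS0417
2004-08-27 14:01:08 644 user=jdoe src=WS0417
2004-08-27 14:01:09 644 user=mlee src=WS0417
2004-08-27 14:05:30 529 user=tgarcia src=WS0102
2004-08-27 14:05:41 529 user=tgarcia src=WS0102
2004-08-27 14:06:00 528 user=tgarcia src=WS0102
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<eid>\d{3}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

LOGON_FAILURE = 529   # bad user name or password
ACCOUNT_LOCKED = 644  # user account locked out


def parse_events(text):
    """Parse the export into sorted dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "eid": int(m["eid"]),
            "user": m["user"].lower(),
            "src": m["src"].upper(),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_guessing_sources(events, window=timedelta(seconds=60), min_accounts=5):
    """Map each source workstation to the set of accounts it failed against,
    for sources that hit at least `min_accounts` distinct accounts within
    any sliding `window` of time."""
    recent = defaultdict(deque)   # src -> (ts, user) failures inside the window
    flagged = defaultdict(set)
    for e in events:
        if e["eid"] != LOGON_FAILURE:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {user for _, user in q}
        if len(distinct) >= min_accounts:
            flagged[e["src"]] |= distinct
    return dict(flagged)


def locked_out_accounts(events):
    return sorted({e["user"] for e in events if e["eid"] == ACCOUNT_LOCKED})


def triage(text):
    events = parse_events(text)
    return {"guessing_sources": find_guessing_sources(events),
            "locked_out": locked_out_accounts(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for src, accounts in result["guessing_sources"].items():
        print(f"{src}: failed logons for {len(accounts)} accounts: {sorted(accounts)}")
    print("locked out:", result["locked_out"])
```

Keying on distinct accounts per source, rather than raw failure counts, is what separates the infected workstation from a forgetful user: WS0102 produces two failures but only one account and is never flagged. The sources this reports are the machines to pull off the network and run the cleanup script against; the locked-out list tells you which accounts the lockout policy already protected.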
