Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: MS06-040 wgareg / wgavm update SANS ISC InfoSec Forums

MS06-040 wgareg / wgavm update
We have received samples and infection reports from several sources. So far, there appear to be two different binaries involved:

9928a1e6601cf00d0b7826d13fb556f0  wgareg.exe
2bf2a4f0bdac42f4d6f8a062a7206797  wgavm.exe

The former, wgareg.exe, apparently shows up simply as ".exe" (blank-dot-exe) on infected systems and only later gets renamed or copied to wgareg.exe. AV protection is slowly coming online; here are a few of the names chosen:
Symantec - W32.Wargbot - not yet in the current pattern
TrendMicro - Worm.IRCBOT.JK and JL - protection available
McAfee - IRC.Mocbot - protection as extra.dat available
F-Secure - IRCBOT-ST - protection available

We'll update this post as more information becomes available.


367 Posts
ISC Handler
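
A triage sketch for the two binaries listed above, added here as an example and not part of the original post: it walks a directory and separates files that match one of the two MD5 values from files that only match by name. Reading "blank-dot-exe" as an empty or single-space base name is an assumption, as are the function names.

```python
import hashlib
import os

# MD5 values and file names as listed in the post above.
KNOWN_MD5 = {
    "9928a1e6601cf00d0b7826d13fb556f0": "wgareg.exe",
    "2bf2a4f0bdac42f4d6f8a062a7206797": "wgavm.exe",
}
# "blank-dot-exe" is read here as an empty or single-space base name (assumption).
SUSPECT_NAMES = {"wgareg.exe", "wgavm.exe", ".exe", " .exe"}


def md5_of(path, chunk_size=1 << 20):
    """MD5 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_md5=KNOWN_MD5, suspect_names=SUSPECT_NAMES):
    """Walk root and return findings sorted by path.

    Each finding is (path, md5 or None, hash_match, name_match). A name match
    without a hash match may be a variant or an unrelated file; a hash match
    under any name identifies one of the listed binaries.
    """
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            name_match = name.lower() in suspect_names
            try:
                file_md5 = md5_of(path)
            except OSError:
                file_md5 = None  # locked or unreadable; still report by name
            hash_match = file_md5 in known_md5
            if hash_match or name_match:
                findings.append((path, file_md5, hash_match, name_match))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for row in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(row)
```

A name-only hit is worth pulling for analysis, since the post notes the file is renamed or copied after infection.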
