In cleaning up two Wh0is infected (and re-infected) machines, I noticed some new behavior that I thought might be useful. I've submitted the new files/folders to Stefanie and I'm sure she'll let us know if she hears

Both of these machines had a folder at the root of the drive called "windows". There were 3 other folders within containing batch files, DLL and other file types (windows\system32\drivers\randfiles). The windows.exe file lived there, as well as alone at the root of the user

I found no instance of the wh0is.exe file on these machines, but did find a registry reference in all user accounts. The windows.exe file is all over the registry so it pays to do at least two searches in each user account. Symantec identified the windows.exe file as W32.HLLW.Ssdx and Stinger as

The mech.exe file was at the root of the user directory. The Msdos.exe file was in the Winnt\system32 folder along with its registry entries in all of the usual places.

The other oddity was found in the Event Viewer. Along with the system, security and application listings, was an "extra" one called IExplore. There was nothing in this log. It didn't seem to correspond to IE being open. I don't know if this is related to the virus, but thought it worth
CAS IT Assistant
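As an added example, not part of the original post: a read-only PowerShell triage sweep that checks the three places the post describes, the autostart keys of every loaded user hive for references to the named files, the folders where the files were seen, and the Event Viewer for logs beyond the standard System, Security and Application ones. The file names come from the post; the Run-key list and the folder paths are assumptions for this example.

```powershell
# Added example (not from the original post): read-only triage sweep for the
# indicators described above. Changes nothing; run as an administrator so the
# loaded user hives under HKEY_USERS are all readable.

# File names taken from the post; every path below is an assumption.
$Names = @('windows.exe', 'wh0is.exe', 'mech.exe', 'msdos.exe')

# 1. Registry: search the autostart keys of each loaded user hive, since the
#    post found references in every user account.
$RunKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $hive = $_.PSChildName
    foreach ($sub in $RunKeys) {
        $path = "Registry::HKEY_USERS\$hive\$sub"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata
            foreach ($n in $Names) {
                if ("$($p.Value)" -match [regex]::Escape($n)) {
                    [pscustomobject]@{ Hive = $hive; Key = $sub; Value = $p.Name; Data = $p.Value }
                }
            }
        }
    }
}

# 2. Files: the root "windows" folder, its drivers subfolder, the system32
#    folder and the user profile root, as the post describes (paths assumed).
$Drive = $env:SystemDrive
$Spots = @("$Drive\windows", "$Drive\windows\system32\drivers",
           "$env:SystemRoot\system32", $env:USERPROFILE)
foreach ($s in $Spots) {
    if (Test-Path $s) {
        Get-ChildItem -Path $s -File -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name.ToLower() } |
            Select-Object FullName, Length, LastWriteTime,
                @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName).Hash } }
    }
}

# 3. Event Viewer: list any log beyond the standard three (the "IExplore" case).
$Standard = @('Application', 'Security', 'System')
Get-EventLog -List | Where-Object { $Standard -notcontains $_.Log } |
    Select-Object Log, @{ n = 'Entries'; e = { $_.Entries.Count } }, MaximumKilobytes
```

On PowerShell 7, where Get-EventLog is no longer available, replace the last step with Get-WinEvent -ListLog *. Record the SHA256 values before deleting anything so the files can be submitted alongside the findings.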