suspicious uploading

[TEDWANG]

Hello virus experts, I noticed recently that every time when I dial up to
the internet, even while idle, something is being continuously sending out
(uploading). This problem doesn't show up in my 2nd PC which uses the same
dialer software from my ISP. I have checked it with Norton Antivirus and
Spybot S&D, but nothing shows up. How can I find out what program/process
is using the internet connection and transmitting TCP/IP packets out. Or is
this a new virus?

Thanks in advance.

TW

 

[Nick FitzGerald]

Hello virus experts, I noticed recently that every time when I dial up to
the internet, even while idle, something is being continuously sending out
(uploading). This problem doesn't show up in my 2nd PC which uses the same
dialer software from my ISP. I have checked it with Norton Antivirus and
Spybot S&D, but nothing shows up. How can I find out what program/process
is using the internet connection and transmitting TCP/IP packets out. Or is
this a new virus?

What OS is this??

 

[null]

Hello virus experts, I noticed recently that every time when I dial up to
the internet, even while idle, something is being continuously sending out
(uploading). This problem doesn't show up in my 2nd PC which uses the same
dialer software from my ISP. I have checked it with Norton Antivirus and
Spybot S&D, but nothing shows up. How can I find out what program/process
is using the internet connection and transmitting TCP/IP packets out. Or is
this a new virus?

Useful tools for tracking down this sort of thing include:
1. Netstat -an (built into Windows)
2. TCP/IP monitors. The use of one of the free personal firewalls to
identify an app trying to go outbound is often sufficient.
3. Running process monitors.
4. Startup axis monitors which display several often used registry
keys and the contents of other startup files.

Check out KAV's Trojan_Finder (link at my web site) which covers both
3. and 4. in one utility. I suggest downloading Sygate PF if you
presently don't have a personal firewall.


Art
http://www.epix.net/~artnpeg

 

[Duane Arnold]

Hello virus experts, I noticed recently that every time when I dial up
to the internet, even while idle, something is being continuously
sending out (uploading). This problem doesn't show up in my 2nd PC
which uses the same dialer software from my ISP. I have checked it
with Norton Antivirus and Spybot S&D, but nothing shows up. How can I
find out what program/process is using the internet connection and
transmitting TCP/IP packets out. Or is this a new virus?

Thanks in advance.

TW

You can download Ultra Network Sniffer 20 day full trial period and see
what is happening with the packets. TCPview will tell you what is running
on the machine and what ports are being used. TCPview is free.

You can use Google to find the software

Duane

 

[TEDWANG]

Thank you Art for your suggestions. I have downloaded the Sygate PF and found out my Window's LSASS.EXE have been tampered with. Actually I've been attacked (not sure if it's a virus) by a hacker who created a directory in my C:\WINNT\system32\drivers\disdn and put a whole buch of programs there, one of them being named LSASS.EXE, and was invoked upon every system startup.

When I back traced the IP, this modified LSASS.EXE was trying to connect to l4fservegame.com [IP: 1.2.3.4] and printed out this information:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 1.0.0.0 - 1.255.255.255
CIDR: 1.0.0.0/8
NetName: RESERVED-9
NetHandle: NET-1-0-0-0-1
Parent:
NetType: IANA Reserved
Comment:
RegDate:
Updated: 2002-09-12

OrgTechHandle: IANA-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-823-9358
OrgTechEmail: (e-mail address removed)

# ARIN WHOIS database, last updated 2003-08-10 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

And when I tried to poke around the files in that directory, I could only make out that someone is trying to use my computer to connect to an IRC or instant messaging type server.

I wonder why Norton AV and Spybot couldn't detect this.

Thanks for the help, I think I will reformat my hard drive to wipe out all left overs.

TW

 

[null]

Thank you Art for your suggestions.
I have downloaded the Sygate PF and found out
my Window's LSASS.EXE have been tampered with.
Actually I've been attacked (not sure if it's a virus)
by a hacker who created a directory in my
C:\WINNT\system32\drivers\disdn and put a whole
buch of programs there, one of them being named
LSASS.EXE, and was invoked upon every system startup.

When I back traced the IP, this modified LSASS.EXE
was trying to connect to l4fservegame.com [IP: 1.2.3.4]
????

and printed out this information:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 1.0.0.0 - 1.255.255.255
CIDR: 1.0.0.0/8
NetName: RESERVED-9
NetHandle: NET-1-0-0-0-1
Parent:
NetType: IANA Reserved
Comment:
RegDate:
Updated: 2002-09-12

OrgTechHandle: IANA-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-823-9358
OrgTechEmail: (e-mail address removed)

# ARIN WHOIS database, last updated 2003-08-10 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

And when I tried to poke around the files in that directory, I could
only make out that someone is trying to use my computer to connect
to an IRC or instant messaging type server.

I wonder why Norton AV and Spybot couldn't detect this.

Thanks for the help, I think I will reformat my hard drive to wipe out all left overs.

You might want to wait to see if Nick F. has anything to say. I did
some Googling on LSASS.EXE and found some discussions and speculations
which Nick was involved with concerning a possible new malware along
the lines of Kaiten or Devnull:
http://www.f-secure.com/v-descs/devnull.shtml

Have you considered uploading the modified LSASS.EXE file (and perhpas
other suspect files) for av scanning by other vendors? In particular,
I suggest KAV:
http://www.kaspersky.com/remoteviruschk.html

In any event, you should never conclude that the malware is "unknown"
simply because one av product didn't detect it.

Art
http://www.epix.net/~artnpeg