  #6  
December 30th 04, 03:23 PM
Beauregard T. Shagnasty
Worm never seen before

In alt.comp.virus, I.L.B. wrote:

Hi all
I am just experiencing a strange kind of infection. I don't know whether it is a
new worm or not, as I have never seen it before. The situation is as follows:

- I am running a computer with both Win98 and XP installed.
- My Win98 session works OK
- When I start an XP session and activate my network connection... I
start to see very heavy traffic on the LEDs of my hub/router ADSL. The
activity light is flickering like crazy... what happens??


Hub/router? Do you mean the DSL modem? It is neither a hub nor a
router. You should have a real router between the DSL modem and your
computer.

- I check the Status of the connection, and I see dozens of outbound packets
per second, and almost nothing incoming. Strange...


Ah. I'd bet that your computer is compromised and has become a zombie
for spammers. You are likely relaying spam. (Nearly 3/4 of the spam I
receive comes from someone's broadband connection.)

If you had a software firewall that monitored Outgoing traffic, you
could block it. If you had a firewall, you probably wouldn't be infected.

- I run NETSTAT to see what happens. I see a LOT of outbound TCP
connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
on... no way to stop it! All of these netstat entries end at some strange
IPs at EPMAP port.


...probably the spammer's connection to you.

- I run TaskManager, and I see a lot of started processes of "SVCHOST" and
"IEEXPLORE" (about 5 or 6 instances of each one started).

I just checked for Sasser, Welchia worms, but the tools said I don't have
these worms on my computer...


What tools did you use?

http://home.rochester.rr.com/bshagna...s.html#spyware

--
-bts
-This space intentionally left blank.
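
A check for the symptom described in the post above (many outbound "SYN_SENT" connections to the EPMAP port, TCP 135, on many different remote addresses), as an added example that is not part of the original post. The netstat output is a constructed sample, and the function names and the threshold of five distinct targets are assumptions.

```python
# Constructed sample in Windows `netstat -an` layout (documentation address ranges).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:1050      198.51.100.9:443       SYN_SENT
  TCP    192.168.1.10:3400      203.0.113.5:135        SYN_SENT
  TCP    192.168.1.10:3401      203.0.113.6:135        SYN_SENT
  TCP    192.168.1.10:3402      203.0.113.7:epmap      SYN_SENT
  TCP    192.168.1.10:3403      203.0.113.8:135        SYN_SENT
  TCP    192.168.1.10:3404      203.0.113.9:135        SYN_SENT
  TCP    192.168.1.10:3405      203.0.113.10:135       SYN_SENT
"""

EPMAP = {"135", "epmap"}  # netstat prints the service name unless run with -n


def parse_netstat(text):
    """Yield (local_port, remote_host, remote_port, state) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue  # skips headers, blank lines and stateless UDP rows
        _, local, remote, state = parts
        local_port = local.rsplit(":", 1)[-1]
        remote_host, _, remote_port = remote.rpartition(":")
        yield local_port, remote_host, remote_port.lower(), state.upper()


def summarize(text, min_targets=5):
    """Summarise unanswered outbound connection attempts to the EPMAP port."""
    # min_targets is an assumed threshold: a normal client rarely has pending
    # connections to the endpoint mapper on many different hosts at once.
    pending = [(lp, rh) for lp, rh, rp, st in parse_netstat(text)
               if st == "SYN_SENT" and rp in EPMAP]
    targets = {rh for _, rh in pending}
    ports = sorted(int(lp) for lp, _ in pending if lp.isdigit())
    return {
        "syn_sent_epmap": len(pending),
        "distinct_targets": len(targets),
        "local_port_range": (ports[0], ports[-1]) if ports else None,
        "suspicious": len(targets) >= min_targets,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a live machine, feed it the saved output of `netstat -an`; a flagged result is a reason to isolate the host and scan it, not proof of a specific worm.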