#1
Worm never seen before
Hi all;
I am just experiencing a strange kind of infection. I don't know whether it is a new worm or not, as I have never seen it before. The situation is this:
- I am running a computer with both Win98 and XP installed.
- My Win98 session works OK.
- When I start an XP session and activate my network connection, I start to see very heavy traffic on the LEDs of my ADSL hub/router. The activity light is flickering like crazy... what happens??
- I check the status of the connection, and I see dozens of outbound packets per second, and almost nothing incoming. Strange...
- I run NETSTAT to see what is happening. I see a LOT of outbound TCP connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so on... no way to stop it! All of these netstat entries end at some strange IPs at the EPMAP port.
- I run Task Manager, and I see a lot of started processes of "SVCHOST" and "IEXPLORE" (about 5 or 6 instances of each one started).
I just checked for the Sasser and Welchia worms, but the tools said I don't have these worms on my computer... Any ideas? Thanks!!
#2
Worm never seen before
"I.L.B." wrote the following in the news: ...
> [quoted original post, as in #1]
Scan for spyware programs. Use Ad-Aware or Spybot for it. Make sure your antivirus is up to date. Scan for trojans as well; www.moosoft.com has a free scanner. If your router has a built-in firewall, use it, or download one of the many around. Zone Alarm has a free version. Also see http://www.pacs-portal.co.uk/startup_content.php to see what programs are running in Task Manager and what they are. A good information site on firewalls: http://computer.howstuffworks.com/firewall.htm
Ashok S.
#3
Worm never seen before
I just tried the moosoft scanner and it seems to work OK, identifying a small demonstration app I downloaded from Gibson's Shields Up. I also really wondered about the ports I found open with netstat, but it turns out epmap is the 'endpoint mapper', which is a legit process, as is microsoft-ds (SMB). svchost is the generic Windows services host process, and multiple instances are normal. As to the burst of data outbound, I don't know... good luck.
"I.L.B." wrote in message ...
> [quoted original post, as in #1]
#4
Worm never seen before
On Thu, 30 Dec 2004 09:34:57 UTC, "I.L.B." opined:
> [quoted original post, as in #1]
Perhaps the system is calling home to tell Uncle Bill what you had for breakfast, or what kind of pizza you ordered from Domino's. A sparrow does not fall from the sky but Uncle Bill wants to know all about it.
--
Stan Goodman
Qiryat Tiv'on
Israel
All those who believe that the best physicians in France, given two weeks, can't diagnose what ails a patient - please stand up.
#5
Worm never seen before
On 30 Dec 2004 12:04:31 GMT, Stan Goodman spoketh
> Perhaps the system is calling home to tell Uncle Bill what you had for breakfast, or what kind of pizza you ordered from Domino's. A sparrow does not fall from the sky but Uncle Bill wants to know all about it.
Bullsh*t.
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
#6
Worm never seen before
In alt.comp.virus, I.L.B. wrote:
> Hi all
> I am just experiencing a strange kind of infection. I don't know whether it is a new worm or not, as I have never seen it before. The situation is this:
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK.
> - When I start an XP session and activate my network connection, I start to see very heavy traffic on the LEDs of my ADSL hub/router. The activity light is flickering like crazy... what happens??
Hub/router? Do you mean the DSL modem? It is neither a hub nor a router. You should have a real router between the DSL modem and your computer.
> - I check the status of the connection, and I see dozens of outbound packets per second, and almost nothing incoming. Strange...
Ah. I'd bet that your computer is compromised and has become a zombie for spammers. You are likely relaying spam. (Nearly 3/4 of the spam I receive comes from someone's broadband connection.) If you had a software firewall that monitored outgoing traffic, you could block it. If you had a firewall, you probably wouldn't be infected.
> - I run NETSTAT to see what is happening. I see a LOT of outbound TCP connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so on... no way to stop it! All of these netstat entries end at some strange IPs at the EPMAP port.
...probably the spammer's connection to you.
> - I run Task Manager, and I see a lot of started processes of "SVCHOST" and "IEXPLORE" (about 5 or 6 instances of each one started).
> I just checked for the Sasser and Welchia worms, but the tools said I don't have these worms on my computer...
What tools did you use?
http://home.rochester.rr.com/bshagna...s.html#spyware
--
-bts
-This space intentionally left blank.
#7
This is really strange...
Thanks guys, but I just ran the scanners you told me, with no results....
This is really strange: it keeps happening! It happened just after re-installing Windows XP, when trying to update it to SP1 and SP2.... that's when the outbound bursts began. I can turn off the network connection and restart it again... then after a few seconds, the bursts of outgoing packets start... When running NETSTAT, I see first an ESTABLISHED connection to "unknown.sagonet.net:6667" (to an IRC port!!!), then comes the stream of outbound packets, from ports 3000 to 4000 and so on... with no end!! In the meanwhile I have no access to web surfing or anything regular, just bursts of TCP packets flying away from my computer. And it happened just when I re-installed XP, so I haven't had time to download any virus or worm or anything. If that sounds familiar to any of you, please help me. Thanks...
"I.L.B." wrote in message ...
> [quoted original post, as in #1]
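The two netstat symptoms reported in this post and in #1 (a burst of SYN_SENT to the epmap port on many different remote hosts, plus an ESTABLISHED session to an IRC port) are exactly the patterns an analyst looks for when deciding whether a box is scanning and being remote-controlled. The following is an added example written for this page, not code from anyone in the thread: it parses a constructed `netstat -an` dump in the Windows layout and flags both patterns. The sample output, the RFC 5737 documentation addresses in it, the distinct-host threshold and the IRC port list are all assumptions chosen for illustration.

```python
"""Triage a Windows `netstat -an` dump for two bot/worm patterns: a burst of
half-open (SYN_SENT) connections to one remote port on many different hosts
(a scanning worm), and an ESTABLISHED session to an IRC port (a bot's
command channel)."""
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto lhost lport rhost rport state")

# Assumed thresholds, not from the thread: a browser does not open a dozen
# SYN_SENT to the same port on a dozen different hosts within one snapshot.
MIN_DISTINCT_TARGETS = 10
IRC_PORTS = {6667, 6668, 6669, 7000}  # common IRC ports; 6667 is the one seen above

_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_addr(addr):
    """'192.168.1.10:3401' -> ('192.168.1.10', 3401); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one Conn per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, laddr, raddr, state = m.groups()
        lhost, lport = _split_addr(laddr)
        rhost, rport = _split_addr(raddr)
        conns.append(Conn(proto, lhost, lport, rhost, rport, state or ""))
    return conns


def scan_bursts(conns, min_targets=MIN_DISTINCT_TARGETS):
    """Map remote port -> number of distinct hosts with a half-open connection
    to it, keeping only ports that reach the threshold."""
    targets = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.state == "SYN_SENT" and c.rport is not None:
            targets[c.rport].add(c.rhost)
    return {port: len(hosts) for port, hosts in targets.items()
            if len(hosts) >= min_targets}


def irc_sessions(conns, ports=IRC_PORTS):
    """(remote host, remote port) of every established connection to an IRC port."""
    return [(c.rhost, c.rport) for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and c.rport in ports]


def triage(text):
    conns = parse_netstat(text)
    return {"scan_ports": scan_bursts(conns), "irc": irc_sessions(conns)}


# Constructed sample, modelled on the symptoms in the thread. Remote addresses
# are from the RFC 5737 documentation ranges, not real hosts.
_SCAN_LINES = "\n".join(
    f"  TCP    192.168.1.10:{3400 + i}      203.0.113.{i + 1}:135        SYN_SENT"
    for i in range(12)
)
SAMPLE_NETSTAT = f"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
{_SCAN_LINES}
  TCP    192.168.1.10:1045      198.51.100.7:6667      ESTABLISHED
  TCP    192.168.1.10:1052      192.0.2.80:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT)
    for port, n in report["scan_ports"].items():
        print(f"scan burst: {n} distinct hosts targeted on TCP/{port}")
    for host, port in report["irc"]:
        print(f"IRC session: {host}:{port}")
```

On a real machine, feed it `netstat -an` output captured to a file; the point of counting distinct remote hosts per port, rather than raw connection count, is that a legitimate download manager can also hold many SYN_SENT entries, but they all go to a handful of hosts, while a worm walks across address space hitting the same service port everywhere.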
#8
This is really strange... [was: Worm never seen before]
In alt.comp.virus, I.L.B. wrote:
[Stop changing the Subject line.]
> Thanks guys, but I just ran the scanners you told me, with no results....
> This is really strange: it keeps happening! It happened just after re-installing Windows XP, when trying to update it to SP1 and SP2....
Did you have your *firewall* turned on *before* going on line?
http://www.theregister.co.uk/2004/08/19/infected_in20_minutes/
--
-bts
-This space intentionally left blank.
#9
Worm never seen before
On Thu, 30 Dec 2004 11:30:28 GMT, "bluddihun" wrote:
> I just tried the moosoft scanner and it seems to work OK, identifying a small demonstration app I downloaded from Gibson's Shields Up. I also really wondered about the ports I found open with netstat, but it turns out epmap is the 'endpoint mapper', which is a legit process, as is microsoft-ds (SMB). svchost is the generic Windows services host process, and multiple instances are normal.
True. But that does not mean that one (or more) of the svchost instances are caused by a worm or other malware :-)
(Why write the entire virus when you have Windows available :-)
> As to the burst of data outbound, I don't know ...
--
Kind regards,
Gerard Bok
#11
Worm never seen before
On Thu, 30 Dec 2004 12:18:06 UTC, Lars M. Hansen opined:
> On 30 Dec 2004 12:04:31 GMT, Stan Goodman spoketh
>> Perhaps the system is calling home to tell Uncle Bill what you had for breakfast, or what kind of pizza you ordered from Domino's. A sparrow does not fall from the sky but Uncle Bill wants to know all about it.
> Bullsh*t.
There's no "I" on your keyboard? =;-/8
--
Stan Goodman
Qiryat Tiv'on
Israel
All those who believe that the best physicians in France, given two weeks, can't diagnose what ails a patient - please stand up.
#12
How I solved this...
Finally... I had to download a standalone Service Pack 2 for XP... that includes improved security, firewalls, etc., and now my XP is back to normal life again. So the XP I got is risky! It begins to do strange things just installed, and it needs to be "servicepacked" ASAP!!! Jesus!
#13
Worm never seen before
"Bart Bailey" wrote in message ...
In a message posted on Thu, 30 Dec 2004 10:23:19 -0500, Beauregard T. Shagnasty wrote:
>> You should have a real router between the DSL modem and your computer.
> Why?
It depends on what is meant by a real router. A NAT router will ignore incoming connection requests and will not forward them to your PC unless it is set up to do port forwarding. Some DSL modems (which use telephone lines) have built-in NAT routers, but I've yet to come across a cable modem (which uses a TV cable) that does.
Why is a NAT router a good idea? Because when you're setting up a freshly installed Windows 2000 or Windows XP PC it will take about 30 seconds to get a worm infection if you don't have a separate box between you and the Internet which blocks incoming connection requests. There are two ways around this when doing a reinstall, but almost no-one uses them because 1 is too easy to forget and 2 is too difficult.
1. Turn on the built-in firewall in XP BEFORE you connect the Internet/modem.
2. Make yourself a CD with the most recent service pack slipstreamed in.
In the time it took to write this I have logged five incoming TCP port 135 connection requests.
http://www.google.com/search?&q=tcp+port+135+blaster
Jason
--
Bart
#14
How I solved this...
Please don't start new threads when you really wanted to reply to your other message.
In alt.comp.virus, I.L.B. wrote:
> Finally... I had to download a standalone Service Pack 2 for XP... that includes improved security, firewalls, etc., and now my XP is back to normal life again.
We will see...
> So the XP I got is risky! It begins to do strange things just installed, and it needs to be "servicepacked" ASAP!!!
No it doesn't, but it does need to be firewalled before ever connecting to the internet.
> Jesus!
Yes.
Does your XP SP2 *really* have:
X-Newsreader: Microsoft Outlook Express 5.00.2919.6600
or are you posting from some other ancient machine?
--
-bts
-This space intentionally left blank.
#15
Worm never seen before
On Fri, 31 Dec 2004 20:32:56 +0100, Gabriele Neukam wrote:
Good idea. If I (ever?) get one, it will be behind a broadband router with NAT (already there), and I'll never browse with IE or mail with OE. Remember how it was announced: "The safest Windows ever". Now it is the most often attacked and corrupted one. Two things that do not go together: Microsoft and Security.
--
Regards
Robert
Smile... it increases your face value!