Help Identifying malware from network perspective

#1 tim5700 (New Member, 3 posts)
The customer's internet bandwidth is full. Logging on the firewall shows a handful of machines flooding out to the internet on ports 53 and 3389. Any ideas of what this could be?
#2 RKinner (Malware Expert, MVP, 19,798 posts)
Some sort of Remote Desktop Protocol exploit worm would be my guess. That's what port 3389 does.

http://www.microsoft...n/ms11-017.mspx
http://www.microsoft...n/ms11-065.mspx
http://securityrespo...y.jsp?bid=49040



Port 53 is DNS so they may be looking up IP addresses for some reason or trying to use this exploit:
http://blogs.technet...-execution.aspx

You can probably tell the firewall to block port 3389 traffic in both directions. Port 53 may be a problem depending on how they get their DNS. I assume they have a local DNS, so you would just have to allow it to use 53.

Can you get them to run an OTL scan on one of the infected machines?

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Select the All option in the Extra Registry group, then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
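As an added, constructed example (not code from this thread, from OTL, or from the poster), a small Python triage script for the firewall view described above: it tallies outbound hits per internal host on ports 3389 and 53 and flags hosts that reach many distinct external destinations, which separates a propagating worm or flood from one legitimate RDP session. The log line format, the 10.x internal range and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log format (constructed, not the customer's firewall):
# "<time> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) action=(\w+)")
WATCH_PORTS = {3389: "RDP", 53: "DNS"}   # the two ports the thread describes


def build_sample_log():
    """Constructed sample: 10.0.0.7 behaves like the flooding hosts, the rest look normal."""
    lines = []
    lines += [f"t src=10.0.0.7 dst=198.51.100.{i} dport=3389 proto=tcp action=allow" for i in range(1, 41)]
    lines += [f"t src=10.0.0.7 dst=203.0.113.{i} dport=53 proto=udp action=allow" for i in range(1, 31)]
    lines += ["t src=10.0.0.12 dst=10.0.0.2 dport=53 proto=udp action=allow"] * 50      # local DNS server
    lines += ["t src=10.0.0.15 dst=192.0.2.10 dport=3389 proto=tcp action=allow"] * 25  # one admin RDP session
    return lines


def summarize(lines, internal_prefix="10."):
    """Per internal source host: outbound hit count and distinct external destinations per watched port."""
    counts = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        # only outbound (internal -> external) traffic on the watched ports is counted
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix) and dport in WATCH_PORTS:
            counts[src][dport] += 1
            dests[src][dport].add(dst)
    return counts, dests


def flag_hosts(lines, min_hits=20, min_distinct=10):
    """Flag sources with many hits AND many distinct destinations: scanning/flooding, not a single session."""
    counts, dests = summarize(lines)
    flagged = {}
    for src, per_port in counts.items():
        reasons = [f"{WATCH_PORTS[p]}: {n} hits to {len(dests[src][p])} distinct hosts"
                   for p, n in sorted(per_port.items())
                   if n >= min_hits and len(dests[src][p]) >= min_distinct]
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in flag_hosts(build_sample_log()).items():
        print(host, "->", "; ".join(reasons))
```

Hosts that talk to the local DNS server are not counted, so a per-host block on 3389 plus a rule allowing 53 only to the internal resolver, as the reply suggests, would leave the flagged hosts with nowhere to go.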

#3 RKinner (Malware Expert, MVP, 19,798 posts)
Found this discussion on the worm:

http://www.networkst...d=25570&Posts=6

Appears this is a brand new one.

Apparently it is hiding in one of the svchost.exe services. OTL will see that better with a custom scan:

Copy and Paste the following text into the custom scan textbox.

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


Push Quick Scan
A report will open. Copy and Paste that report in your next reply.

Ron