Help Identifying malware from network perspective

#1
tim5700

    New Member

  • Member
  • 3 posts
The customer's internet bandwidth is full. Logging on the firewall shows a handful of machines flooding out to the internet on ports 53 and 3389. Any ideas of what this could be?
#2
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Some sort of Remote Desktop Protocol exploit worm would be my guess. That's what port 3389 does.

http://www.microsoft...n/ms11-017.mspx
http://www.microsoft...n/ms11-065.mspx
http://securityrespo...y.jsp?bid=49040

Port 53 is DNS so they may be looking up IP addresses for some reason or trying to use this exploit:
http://blogs.technet...-execution.aspx

You can probably tell the firewall to block port 3389 traffic in both directions. Port 53 may be a problem depending on how they get their DNS. I assume they have a local DNS so you would just have to allow it to use 53.

Can you get them to run an OTL scan on one of the infected machines?

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Select the All option in the Extra Registry group, then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
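The firewall pattern described above (inside hosts fanning out to the internet on 3389 and 53) is something you can pick out of an exported firewall log instead of eyeballing it. The script below is an added example, not code from the thread or from OTL: the log line format, the RFC 1918 "inside" ranges, the allowed resolver addresses and all IP addresses are constructed for the demonstration. It counts, per inside host and per watched port, how many distinct outside destinations were contacted, ignores DNS to the site's own resolvers (the exception Ron mentions), and flags hosts whose fan-out exceeds a threshold, which is the shape a scanning worm leaves and a normal desktop does not.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log format (assumption, not the thread's firewall): one allowed outbound flow per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Assumed site layout: RFC 1918 ranges are "inside"; these resolvers are where port 53 should go.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_RESOLVERS = {"192.168.1.1", "192.0.2.53"}   # local DNS plus an assumed ISP resolver
WATCH_PORTS = {53: "DNS", 3389: "RDP"}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_lines(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def summarize(records, watch_ports=WATCH_PORTS, allowed_resolvers=ALLOWED_RESOLVERS):
    """Map src -> dport -> set of distinct outside destinations on the watched ports.
    Inbound traffic, inside-to-inside traffic and DNS to the sanctioned resolvers are dropped,
    leaving exactly the 'flooding out to the internet' traffic the thread describes."""
    summary = defaultdict(lambda: defaultdict(set))
    for rec in records:
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        if dport not in watch_ports or not is_internal(src) or is_internal(dst):
            continue
        if dport == 53 and dst in allowed_resolvers:
            continue
        summary[src][dport].add(dst)
    return summary


def flag_hosts(summary, min_distinct_dsts=10):
    """Return (src, dport, distinct-destination count) for hosts at or over the threshold,
    busiest first. Distinct destinations, not packet counts, is the metric: a user with a
    few remote desktops stays low, a worm probing address space does not."""
    hits = [(src, dport, len(dsts))
            for src, ports in summary.items()
            for dport, dsts in ports.items()
            if len(dsts) >= min_distinct_dsts]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


def detect(lines, min_distinct_dsts=10):
    return flag_hosts(summarize(parse_lines(lines)), min_distinct_dsts)


def _line(src, dst, proto, dport, n):
    return f"2011-08-22T10:00:{n:02d} action=allow src={src} dst={dst} proto={proto} dport={dport}"


# Constructed sample log: two noisy hosts, one normal host, one unparsable line.
SAMPLE_LOG = (
    [_line("192.168.1.50", f"203.0.113.{i}", "tcp", 3389, i) for i in range(1, 16)]   # RDP fan-out
    + [_line("192.168.1.51", f"198.51.100.{i}", "udp", 53, i) for i in range(1, 13)]  # DNS to random hosts
    + [_line("192.168.1.20", "192.168.1.1", "udp", 53, i) for i in range(1, 6)]       # lookups at local DNS
    + [_line("192.168.1.20", "192.0.2.53", "udp", 53, 7)]                             # lookup at ISP resolver
    + [_line("192.168.1.20", "203.0.113.200", "tcp", 3389, 8)]                        # one legitimate RDP session
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for src, dport, count in detect(SAMPLE_LOG):
        print(f"{src} -> {count} distinct hosts on {dport}/{WATCH_PORTS[dport]}")
```

Point a real export at `detect()` by adjusting `LOG_RE` to your firewall's format; the threshold should be tuned from a baseline week, since a legitimate mail or web proxy doing its own lookups will show real DNS fan-out and needs to be on the allowed list rather than flagged.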
#3
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Found this discussion on the worm:

http://www.networkst...d=25570&Posts=6

Appears this is a brand new one.

Apparently it is hiding in one of the svchost.exe services. OTL will see that better with a custom scan:

Copy and paste the following text into the custom scan textbox.

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


Push Quick Scan
A report will open. Copy and Paste that report in your next reply.

Ron