Velocity Reviews - Computer Hardware Reviews
unknown outgoing tcp traffic - should I be worried?

covert (Guest), 12-17-2007

I have got this same botnet.

On the infected PC I had Norton AV corp on it and I also installed AVG
to try to find it. No luck.

Here is another one of my threads with lots of details about what I
have been trying and what it does.

'Virus - fake MJ12bot - I can't find it. - Windows - Whirlpool
Broadband Forums'
(http://forums.whirlpool.net.au/forum...s.cfm?t=879242)

Taking a look around the net I can find very few threads about it.

Wherever it is hiding, it is hidden in there very well.

What info I can find out about it is that it seems to be a botnet
responsible for forum posts, file uploading to galleries and so forth.

It gets its initial commands from

best lost dot hk


------------------------------------------------------------------------
View this thread: http://www.wirelessforums.org/showthread.php?t=31663
http://www.wirelessforums.org

 
survivor (Guest), 12-18-2007

abc,
I haven't found it either, but I removed the vulnerability that made it
work (I guess). Now I no longer experience this unwanted traffic. Do
this:
1. Get Process Explorer from Microsoft. It's free. It doesn't need
installation, just unzip and run.
2. When the traffic starts (be sure it's not your own traffic), run
procexp.exe
3. Notice that one of the svchost.exe entries shows unusually high CPU
utilization. The trojan started this instance. Hover over the entry to
pop up a tooltip. It should say: DCOM service process launcher.
4. Now, observe the child node (actually, it is the parent node) that
emanates from this entry. It will give you the path to the program that
has the vulnerability.
5. Do a search to identify which software this program belongs to. I
can't help you with this.
6. Replace/upgrade/patch your software so that the vulnerability is
removed. The trojan will still be there, but it won't be able to exploit
anything.
7. Reboot

Let me know how you did.


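The procedure above works one process at a time in the Process Explorer GUI. As an added worked example (not from survivor's post or anything else in this thread), the PowerShell below does the same hunt from an elevated prompt on a current Windows: it maps every established outbound TCP connection to its owning process, and for each of those prints the command line (for svchost.exe that includes the `-k` service group), the parent process, accumulated CPU time, the services hosted in that instance, and any loaded module whose Authenticode or catalog signature does not verify. CPU alone does not tell you which of the many services sharing an svchost is misbehaving; the service list and the unsigned-module list do. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and PowerShell 5.1 or later; nothing in it is specific to the malware in the thread.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# 5.1+ session on Windows 8 / Server 2012 or later.
$ErrorActionPreference = 'SilentlyContinue'

# PID -> list of service names hosted in that process (several services
# usually share one svchost.exe, so the PID alone is not enough).
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }

# PID -> Win32_Process, which carries ParentProcessId and CommandLine.
$procInfo = @{}
Get-CimInstance Win32_Process |
    ForEach-Object { $procInfo[[int]$_.ProcessId] = $_ }

# Established TCP connections to non-loopback peers, grouped by owning PID.
$conns = Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' }

foreach ($group in ($conns | Group-Object OwningProcess)) {
    $id     = [int]$group.Name
    $p      = $procInfo[$id]
    $proc   = Get-Process -Id $id
    $parent = $procInfo[[int]$p.ParentProcessId]

    Write-Host ("`n[PID {0}] {1}" -f $id, $p.CommandLine)
    Write-Host ("  parent  : PID {0} ({1})" -f $p.ParentProcessId, $parent.Name)
    Write-Host ("  cpu     : {0:N1} s total" -f $proc.TotalProcessorTime.TotalSeconds)
    $remotes = $group.Group |
        ForEach-Object { "{0}:{1}" -f $_.RemoteAddress, $_.RemotePort } |
        Sort-Object -Unique
    Write-Host ("  remote  : " + ($remotes -join ', '))

    if ($p.Name -ieq 'svchost.exe') {
        Write-Host ("  services: " + ($svcByPid[$id] -join ', '))
    }

    # A genuine OS DLL verifies (usually via the Windows catalog); a foreign
    # DLL injected into or hosted by a system process does not.
    foreach ($m in $proc.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid') {
            Write-Host ("  UNSIGNED: {0} [{1}]" -f $m.FileName, $sig.Status)
        }
    }
}
```

Run it while the unexplained traffic is actually flowing, otherwise the connections will not be in the `Established` state and the owning process will not appear. Module enumeration needs the same bitness as the target process and sufficient privilege, which is why the script is meant to be run elevated.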
 
 
 
 
thecovert@gmail.com (Guest), 12-20-2007
My svchost responsible for the traffic does not have any nodes under
it in Process Explorer.

With OllyDbg I have been able to find the area in memory where it is
doing its work, but I'm not able to find the owner of the memory. OllyDbg
does not show who it belongs to. When I set a breakpoint on it, OllyDbg
crashes when it is hit.

survivor wrote:
> abc,
> I haven't found it either, but I removed the vulnerability that made it
> work (I guess). Now I no longer experience this unwanted traffic. Do
> this:
> 1. Get Process Explorer from Microsoft. It's free. It doesn't need
> installation, just unzip and run.
> 2. When the traffic starts (be sure it's not your own traffic), run
> procexp.exe
> 3. Notice that one of the svchost.exe entries shows unusually high CPU
> utilization. The trojan started this instance. Hover over the entry to
> pop up a tooltip. It should say: DCOM service process launcher.
> 4. Now, observe the child node (actually, it is the parent node) that
> emanates from this entry. It will give you the path to the program that
> has the vulnerability.
> 5. Do a search to identify which software this program belongs to. I
> can't help you with this.
> 6. Replace/upgrade/patch your software so that the vulnerability is
> removed. The trojan will still be there, but it won't be able to exploit
> anything.
> 7. Reboot
>
> Let me know how you did.

 
Sebastian G. (Guest), 12-20-2007
thecovert@gmail.com wrote:

> When I set a breakpoint on it, OllyDbg crashes when it is hit.

Please call it a deadlock.
 
survivor (Guest), 12-24-2007

I found a suspicious file named mqperf32.dll in the system32 directory.
When I tried to check it, AVG (antivirus) kept showing an alarm, so I
opted to clean it. There's little info on the net about it, but it is not
an OS file (the OS's file is named mqperf.dll). If you find this is the
case for you, could you send me a copy of it before you clean it up? (I
would like to analyze such a clever piece of program.)


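Before letting an antivirus "clean" a file like the one described above, a practitioner wants two things: enough evidence to decide whether it is a look-alike of a real OS file, and a preserved copy for analysis. As an added example (not from survivor's post or anything else in this thread), the PowerShell below triages a named DLL in System32: signature status, version resource, SHA-256, which running processes have it mapped, and which service registry keys reference it (`ImagePath`, `ServiceDll`, and `Performance\Library`, the value under which performance-counter extension DLLs are registered), then copies it, renamed, into a quarantine folder alongside its hash. The file names passed at the bottom come from the post; the quarantine path and the function name are assumptions for this example. Run elevated in PowerShell 5.1 or later.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell
# 5.1+ session. Function name and quarantine location are assumptions.
function Invoke-DllTriage {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [string]$Quarantine = (Join-Path $env:SystemDrive 'Quarantine')
    )
    $ErrorActionPreference = 'SilentlyContinue'
    $path = Join-Path $env:SystemRoot "System32\$Name"
    if (-not (Test-Path $path)) { Write-Host "$Name not present in System32"; return }

    $item = Get-Item $path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash $path -Algorithm SHA256).Hash
    Write-Host ("File     : {0}  ({1} bytes, created {2})" -f $path, $item.Length, $item.CreationTime)
    Write-Host ("Signature: {0}  signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject)
    Write-Host ("Version  : {0} / {1}" -f $item.VersionInfo.CompanyName, $item.VersionInfo.FileDescription)
    Write-Host ("SHA-256  : {0}" -f $hash)

    # Who has it mapped right now? A perf-counter or service DLL normally
    # lives inside svchost.exe; an unsigned look-alike loaded there is the
    # thing to chase.
    Get-Process | Where-Object {
        $_.Modules | Where-Object { $_.FileName -ieq $path }
    } | ForEach-Object { Write-Host ("Loaded by: PID {0} {1}" -f $_.Id, $_.ProcessName) }

    # Which service registry entries point at it? Walk every service key and
    # its subkeys (Parameters\ServiceDll, Performance\Library, ImagePath).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $svcRoot -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($n in 'ImagePath', 'ServiceDll', 'Library') {
            if ($props.$n -and ($props.$n -imatch [regex]::Escape($Name))) {
                Write-Host ("Registry : {0}\{1} = {2}" -f $_.Name, $n, $props.$n)
            }
        }
    }

    # Preserve a copy, renamed so nothing treats it as a loadable DLL, plus
    # its hash, before any AV "clean" destroys the sample.
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $dest = Join-Path $Quarantine "$Name.$($hash.Substring(0, 12)).bin"
    Copy-Item -Path $path -Destination $dest -Force
    "$hash  $Name" | Out-File -FilePath (Join-Path $Quarantine "$Name.sha256") -Encoding ascii
    Write-Host "Copied to: $dest"
}

Invoke-DllTriage -Name 'mqperf32.dll'   # the suspect file from the post
Invoke-DllTriage -Name 'mqperf.dll'     # the genuine OS file named in the post, for comparison
```

Running the function on both names side by side is the point: the genuine file should verify against the Windows catalog and carry a Microsoft version resource, while a dropped look-alike typically has no valid signature, an empty or foreign company name, and a much later creation time. The registry walk over the whole Services tree is slow but complete; a file that nothing loads and nothing references is not necessarily benign, it may simply not be active at that moment.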
 
 
 