Kuang2

Discussion in 'Computer Security' started by MoRdred, Nov 11, 2004.

  1. MoRdred

    MoRdred Guest

    Protowall always warns me of packets being blocked from my machine to

    "IANA - Multicast, proxy, Kuang2TheVirus, Bogon" ( 239.255.255.250 )
    blocked. [protocol: IGMP - src: -- / dst: --]

    But I can't remove the virus with NAV.. Is there a way to clean the
    infection?

    MoR
    MoRdred, Nov 11, 2004
    #1

  2. 1) Download the following two items...

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend signature files.
    http://www.trendmicro.com/download/pattern.asp

    Create a directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download SYSCLEAN.COM and place it in that directory.
    Download the signature files (pattern files) by obtaining the ZIP file.
    For example; lpt244.zip

    Extract the contents of the ZIP file and place the contents in the same directory as
    SYSCLEAN.COM.

    2) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    3) Reboot your PC into Safe Mode
    4) Using the Trend Sysclean utility, perform a Full Scan of your platform and
    clean/delete any infectors found
    5) Restart your PC and perform a "final" Full Scan of your platform
    6) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
    System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
    7) Reboot your PC.
    8) If you are using WinME or WinXP, create a new Restore point


    * * * Please report back your results * * *

    Dave

    David H. Lipman, Nov 11, 2004
    #2

  3. MoRdred

    MoRdred Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:KZJkd.56$nc.19@trnddc03...

    > * * * Please report back your results * * *


    It scanned my HD but found nothing.. And I'm still getting these outgoing
    packets blocked..

    MoRdred, Nov 12, 2004
    #3
  4. That is still just a multicast IP address. There may be something using that other than a
    virus such as the Kuang.

    Get TDIMON.EXE from http://www.sysinternals.com/ and see what is being loaded that uses the
    IP multicast address of -239.255.255.250

    Dave

    David H. Lipman, Nov 12, 2004
    #4
  5. MoRdred

    MoRdred Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:Cb8ld.510$GV5.112@trnddc04...

    > Get TDIMON.EXE from http://www.sysinternals.com/ and see what is being loaded that uses the
    > IP multicast address of -239.255.255.250


    Seq Time     Process:pID     Action Protocol Local Address      Remote Address       Status  Bytes
    4   12.48.06 SVCHOST.EXE:964 SEND   UDP      151.37.214.24:3052 239.255.255.250:1900 SUCCESS 133
    6   12.48.06 SVCHOST.EXE:964 SEND   UDP      127.0.0.1:3053     239.255.255.250:1900 SUCCESS 133
    9   12.48.10 SVCHOST.EXE:964 SEND   UDP      151.37.214.24:3052 239.255.255.250:1900 SUCCESS 133
    11  12.48.10 SVCHOST.EXE:964 SEND   UDP      127.0.0.1:3053     239.255.255.250:1900 SUCCESS 133
    15  12.48.13 SVCHOST.EXE:964 SEND   UDP      151.37.214.24:3052 239.255.255.250:1900 SUCCESS 133
    17  12.48.13 SVCHOST.EXE:964 SEND   UDP      127.0.0.1:3053     239.255.255.250:1900 SUCCESS 133

    This is what I get by filtering the list with the remote IP protowall
    provides me..
    MoRdred, Nov 13, 2004
    #5
  6. MoRdred

    Moe Trin Guest

    In article <Cb8ld.510$GV5.112@trnddc04>, David H. Lipman wrote:

    >That is still just a multicast IP address. There may be something using
    >that other than a virus such as the Kuang.
    >
    >Get TDIMON.EXE from http://www.sysinternals.com/ and see what is being
    >loaded that uses the IP multicast address of -239.255.255.250


    Sigh... Dave, please make a note to read RFC2365 sometime. That
    particular address has only been in use for several years now. The
    particular virus is Microsoft Windows - and that is Universal PnP

    Old guy
    Moe Trin, Nov 13, 2004
    #6
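
Added example, not part of the thread: the check that the answer in post #6 implies, run over rows in the layout of the TDImon capture from post #5. 239.255.255.250 on UDP port 1900 is the SSDP discovery group used by Universal PnP, and 239.0.0.0/8 is the administratively scoped multicast range described in RFC 2365; the function names, the labels, the header line and the EXAMPLE.EXE rows are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Rows 4 and 6 are copied from post #5; the header and EXAMPLE.EXE rows are constructed.
SAMPLE = """\
Seq Time Process:PID Action Protocol Local Address Remote Address Status Bytes
4 12.48.06 SVCHOST.EXE:964 SEND UDP 151.37.214.24:3052 239.255.255.250:1900 SUCCESS 133
6 12.48.06 SVCHOST.EXE:964 SEND UDP 127.0.0.1:3053 239.255.255.250:1900 SUCCESS 133
7 12.48.07 EXAMPLE.EXE:1200 SEND TCP 192.0.2.10:4000 198.51.100.7:8080 SUCCESS 40
8 12.48.08 EXAMPLE.EXE:1200 SEND UDP 192.0.2.10:4001 239.1.2.3:5000 SUCCESS 12
"""

ROW = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\S+)\s+(?P<proc>[^:\s]+):(?P<pid>\d+)\s+"
    r"(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<local>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<remote>[\d.]+):(?P<rport>\d+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)\s*$"
)
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")    # RFC 2365 scoped range
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP discovery group
SSDP_PORT = 1900

def classify(proto, remote, rport):
    """Label one destination; the label strings are hypothetical names."""
    addr = ipaddress.ip_address(remote)
    if proto.upper() == "UDP" and addr == SSDP_GROUP and rport == SSDP_PORT:
        return "ssdp-upnp-discovery"
    if addr in ADMIN_SCOPED:
        return "admin-scoped-multicast"
    if addr.is_multicast:
        return "other-multicast"
    return "unicast"

def triage(text):
    seen = Counter()  # (process, pid, destination, label) -> packet count
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                      # header or wrapped line: skip it
            continue
        try:
            label = classify(m["proto"], m["remote"], int(m["rport"]))
        except ValueError:             # address field is not a valid IPv4 address
            continue
        seen[(m["proc"], int(m["pid"]), f'{m["remote"]}:{m["rport"]}', label)] += 1
    return seen

if __name__ == "__main__":
    for (proc, pid, dest, label), n in triage(SAMPLE).items():
        print(f"{proc}:{pid} -> {dest} x{n}: {label}")
```

The firewall's blocklist label covers a whole address range, so the owning process and destination port from the capture are what identify the traffic, not the label.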
  7. MoRdred

    MoRdred Guest

    "Moe Trin" <> wrote in message
    news:...
    > In article <Cb8ld.510$GV5.112@trnddc04>, David H. Lipman wrote:


    > Sigh... Dave, please make a note to read RFC2365 sometime. That
    > particular address has only been in use for several years now. The
    > particular virus is Microsoft Windows - and that is Universal PnP


    So.. Nothing to worry about in particular? And could you explain to me why
    it sends those packets (it does as soon as I connect to the internet) or show me
    somewhere to find this information?

    MoR
    MoRdred, Nov 13, 2004
    #7
  8. Thanks -- I will :)

    Dave




    "Moe Trin" <> wrote in message
    news:...

    | Sigh... Dave, please make a note to read RFC2365 sometime. That
    | particular address has only been in use for several years now. The
    | particular virus is Microsoft Windows - and that is Universal PnP
    |
    | Old guy
    David H. Lipman, Nov 13, 2004
    #8
