Possible Trojan?

Discussion in 'Computer Security' started by Andy Devine, Jul 17, 2003.

  1. Andy Devine

    Andy Devine Guest

    This has been happening a lot lately... Does this mean I already have a
    trojan that has been undetected?

    Thanks,
    AD


    * * * *

    Blocked an outgoing TCP packet. The remote address associated with the
    traffic was 81.79.8.64. The remote port was 2234 [ephemeral]. The local
    port on your PC was 1243 [Sub-7 (trojan)]. The network adapter for the
    traffic was "Intel(R) PRO/100+ Management Adapter".

    The binary data contained in the packet was "00 08 20 cb 3c 54 00 02 b3 a1
    a2 39 08 00 45 00 00 28 8a 05 40 00 80 06 1e 72 0c d7 eb f2 51 4f 08 40 04
    db 08 ba 30 3b 6b 12 02 1c 3d 4d 50 11 fa f0 7a 3e 00 00 ".
    Andy Devine, Jul 17, 2003
    #1

  2. mto

    mto Guest

    "Andy Devine" <> wrote in message
    news:QWARa.82405$N7.9795@sccrnsc03...
    > This has been happening a lot lately... Does this mean I already have a
    > trojan that has been undetected?
    >
    > Thanks,
    > AD
    >
    >
    > * * * *
    >
    > Blocked an outgoing TCP packet. The remote address associated with the
    > traffic was 81.79.8.64. The remote port was 2234 [ephemeral]. The local
    > port on your PC was 1243 [Sub-7 (trojan)]. The network adapter for the
    > traffic was "Intel(R) PRO/100+ Management Adapter".
    >
    > The binary data contained in the packet was "00 08 20 cb 3c 54 00 02 b3 a1
    > a2 39 08 00 45 00 00 28 8a 05 40 00 80 06 1e 72 0c d7 eb f2 51 4f 08 40 04
    > db 08 ba 30 3b 6b 12 02 1c 3d 4d 50 11 fa f0 7a 3e 00 00 ".
    >


    Where did the information you are giving us come from, Andy?

    Here is a description of the Sub 7 Trojan -
    http://www.xploiter.com/security/sub7.html

    It does use the specified port.

    Here is the WhoIS data for the IP number the program was trying to access -

    Search results for: 81.79.8.64

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: Singel 258
    Address: 1016 AB
    City: Amsterdam
    StateProv:
    PostalCode:
    Country: NL

    NetRange: 81.0.0.0 - 81.255.255.255
    CIDR: 81.0.0.0/8
    NetName: 81-RIPE
    NetHandle: NET-81-0-0-0-1
    Parent:
    NetType: Allocated to RIPE NCC
    NameServer: NS.RIPE.NET
    NameServer: NS3.NIC.FR
    NameServer: SUNIC.SUNET.SE
    NameServer: AUTH62.NS.UU.NET
    NameServer: MUNNARI.OZ.AU
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    Comment: These addresses have been further assigned to users in
    Comment: the RIPE NCC region. Contact information can be found in
    Comment: the RIPE database at http://www.ripe.net/whois
    RegDate:
    Updated: 2003-04-25

    OrgTechHandle: RIPE-NCC-ARIN
    OrgTechName: RIPE NCC Hostmaster
    OrgTechPhone: +31 20 535 4444
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2003-07-16 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    AND here are the results from the RIPE WhoIs -

    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
    inetnum: 81.79.0.0 - 81.79.127.255
    netname: E2-DSL-2
    descr: Energis UK
    descr: DSL Customers
    country: GB
    admin-c: MADM1-RIPE
    tech-c: MADM1-RIPE
    status: ASSIGNED PA
    mnt-by: ENERGIS-MNT
    changed: 20030106
    source: RIPE
    route: 81.76.0.0/14
    descr: Energis UK
    origin: AS5388
    mnt-by: ENERGIS-MNT
    changed: 20020307
    changed: 20020916
    source: RIPE
    role: Modem and DSL Team
    address: Energis UK
    address: Melbourne Street
    address: Leeds, LS2 7PS
    address: United Kingdom
    phone: +44 113 2345100
    e-mail:
    admin-c: ENIT1-RIPE
    tech-c: ENIT1-RIPE
    nic-hdl: MADM1-RIPE
    remarks: Abuse reports to please!
    remarks: No actions are taken on abuse reports sent to modem team.
    mnt-by: ENERGIS-MNT
    changed: 20021127
    source: RIPE
    mto, Jul 18, 2003
    #2

  3. mto

    mto Guest

    "Andy Devine" <> wrote in message
    news:spIRa.84089$N7.11108@sccrnsc03...
    >
    > "mto" <> wrote in message
    > news:...
    > >
    > >
    > > Where did the information you are giving us come from Andy?

    >
    >
    > Came from a firewall log. But I want to know is if it's an outgoing
    > packet, then does that mean there is already a trojan in the machine that is not
    > being detected by a virus scanner (3 different virus scanners to be
    > exact)?
    > I've had several problems with the RIPE IP addresses in the past.
    >
    > Thanks again.
    >


    Yes, if what you reported "Blocked an outgoing packet...." is what was
    reported to you by your firewall then that means that you have a trojan
    already in the machine. Not the least surprising that 3X antivirus programs
    didn't detect it, since most of them are not particularly good at catching
    trojans - many go completely undetected. That is the GOOD news ---

    The bad news, if you read the page at the URL I sent you, is that Sub 7 is a
    trojan that allows a remote user to literally control your machine -
    according to the docs it can do all of this below - there are manual
    removal instructions on that page. Be sure it is really Sub7 before you
    hack away at it. Google did turn up a rather long list of stuff for Sub7 so
    you might wander through that. Maybe one of the trojan programs can find &
    fix the thing more easily. You might also want to get that packet
    translated.

    Change the victim's resolution.
    E-mail notify.
    See all the running processes [visible or not]
    Print feature! allows you to specify a text to be printed on the victim's
    printer
    Registry editor.
    Find files feature.
    ScrollLock, CapsLock, NumLock can be turned ON and OFF
    Disconnect victim. hangs up the victim's connection to the net
    Focus window
    Screen Preview (screen dump)
    ICQ notification
    Show image feature.
    Continuous screen capture is finally here!
    Flip screen.
    Hide/show the victim's desktop icons.
    FTP server.
    Message manager.
    Enable or disable Ctrl-Alt-Del.
    Send keys.
    Open the default browser at the specified address
    Hide or show the Start button
    Disable keyboard
    Chat with the victim.
    Start/stop the victim's PC Speaker.
    Restart windows.
    Open/close the CD-ROM
    Set the length of the victim's mouse trails.
    Get all the active windows on the victim's computer. after that you can:
    - close a specified window
    - enable/disable a specified window [the victim will or will not be
    able to interact with it]
    - disable the close button on a specified window
    - hide or show a specified window
    Get a list of all the available drives on the victim's computer
    Turn monitor on/off.
    Show/hide the taskbar.
    Get system information like: windows version, user name, company name,
    screen resolution, etc.
    Keylogging
    Record Audio.
    File manager.
    Reverse/restore mouse buttons.
    Get passwords.
    Offline key logger.
    mto, Jul 18, 2003
    #3
  4. mto

    mto Guest

    "Andy Devine" <> wrote in message
    news:spIRa.84089$N7.11108@sccrnsc03...
    >
    > "mto" <> wrote in message
    > news:...
    > >
    > >
    > > Where did the information you are giving us come from Andy?

    >
    >
    > Came from a firewall log. But I want to know is if it's an outgoing
    > packet, then does that mean there is already a trojan in the machine that is not
    > being detected by a virus scanner (3 different virus scanners to be
    > exact)?
    > I've had several problems with the RIPE IP addresses in the past.
    >
    > Thanks again.
    >
    >


    BTW, that RIPE IP# is in Great Britain, a dsl connection. If your firewall
    saved a log of the time that this (and the others) incident occurred you
    might be able to track down your hacker. GB and EU sometimes have much
    better laws than here in the US about such things.
    mto, Jul 18, 2003
    #4
  5. Andy Devine

    Andy Devine Guest

    "mto" <> wrote in message
    news:...
    >
    > "Andy Devine" <> wrote in message
    > news:spIRa.84089$N7.11108@sccrnsc03...
    > >
    > > "mto" <> wrote in message
    > > news:...
    > > >
    > > >
    > > > Where did the information you are giving us come from Andy?

    > >
    > >
    > > Came from a firewall log. But I want to know is if it's an outgoing
    > > packet, then does that mean there is already a trojan in the machine that is not
    > > being detected by a virus scanner (3 different virus scanners to be
    > > exact)?
    > > I've had several problems with the RIPE IP addresses in the past.
    > >
    > > Thanks again.
    > >
    > >

    >
    > BTW, that RIPE IP# is in Great Britain, a dsl connection. If your
    > firewall saved a log of the time that this (and the others) incident occurred you
    > might be able to track down your hacker. GB and EU sometimes have much
    > better laws than here in the US about such things.
    >
    >


    Much thanks!
    Andy Devine, Jul 18, 2003
    #5
  6. Stefan

    Stefan Guest

    "Andy Devine" <> schreef in bericht
    news:QWARa.82405$N7.9795@sccrnsc03...
    > This has been happening a lot lately... Does this mean I already have a
    > trojan that has been undetected?



    It's more likely you've been playing Operation Flash Point ....


    > Thanks,
    > AD
    >
    > * * * *
    >
    > Blocked an outgoing TCP packet. The remote address associated with the
    > traffic was 81.79.8.64. The remote port was 2234 [ephemeral]. The local
    > port on your PC was 1243 [Sub-7 (trojan)]. The network adapter for the
    > traffic was "Intel(R) PRO/100+ Management Adapter".


    It's an outgoing TCP packet FROM a port also used by Sub-7. You should start
    worrying when you get UNblocked INCOMING packets on port 1243.

    Port 2234 is probably used by ephemeral (whatever that may be) but it's also
    the port used by DirectPlay - mainly OFP.

    See http://www.theavonlady.org/theofpfaq/mp/firewall.htm


    > The binary data contained in the packet was "00 08 20 cb 3c 54 00 02 b3 a1
    > a2 39 08 00 45 00 00 28 8a 05 40 00 80 06 1e 72 0c d7 eb f2 51 4f 08 40 04
    > db 08 ba 30 3b 6b 12 02 1c 3d 4d 50 11 fa f0 7a 3e 00 00 ".


    Doesn't tell us anything. An analysis of a couple of packets, perhaps, but a
    single packet ...

    Bye,
    Stefan
    Stefan, Jul 19, 2003
    #6
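The 54 bytes the firewall quoted in the first post can be decoded rather than eyeballed, which bears on both mto's suggestion (#3) to "get that packet translated" and Stefan's point (#6) about direction. What follows is an added example, not code posted in the thread: it parses the hex dump as an Ethernet II frame carrying IPv4 and TCP, verifies both header checksums with the RFC 1071 one's-complement sum, and reports addresses, ports and TCP flags. Its only input is the dump already quoted above; nothing else about the host is assumed.

```python
import struct

# The 54-byte hex dump exactly as the firewall quoted it in the first post:
# Ethernet II header (14 bytes) + IPv4 header (20) + TCP header (20).
LOGGED_FRAME_HEX = (
    "00 08 20 cb 3c 54 00 02 b3 a1 a2 39 08 00 45 00 00 28 8a 05 40 00 80 06 "
    "1e 72 0c d7 eb f2 51 4f 08 40 04 db 08 ba 30 3b 6b 12 02 1c 3d 4d 50 11 "
    "fa f0 7a 3e 00 00"
)

TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words.
    Run over a header that still contains its own checksum field, the result
    is 0 when that header is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(hex_dump: str) -> dict:
    """Parse Ethernet II / IPv4 / TCP headers from a space-separated hex dump."""
    raw = bytes.fromhex(hex_dump)
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = raw[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _ip_csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP: IP protocol %d" % proto)
    tcp = ip[ihl:total_len]                  # TCP header plus payload, if any
    (sport, dport, seq, ack, off_res, flags, window,
     _tcp_csum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "window": window,
        "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "payload_len": len(tcp) - data_off,
    }


def summarize(fields: dict) -> str:
    """One line in the spirit of the firewall log, with what the log left out."""
    ok = fields["ip_checksum_ok"] and fields["tcp_checksum_ok"]
    return "%s:%d -> %s:%d %s, %d payload bytes, TTL %d, checksums %s" % (
        fields["src_ip"], fields["src_port"], fields["dst_ip"], fields["dst_port"],
        "+".join(fields["flags"]) or "none", fields["payload_len"], fields["ttl"],
        "valid" if ok else "INVALID")


if __name__ == "__main__":
    print(summarize(decode_frame(LOGGED_FRAME_HEX)))
```

Run on the quoted dump it reports a FIN+ACK from local port 1243 to 81.79.8.64:2234 with no payload, TTL 128 (the default initial TTL on Windows) and both checksums valid, so the log line is a real, well-formed frame: the PC is closing an already established connection, not opening one. What the decode cannot say is which side sent the original SYN, and that is the question that matters. A Sub7 server listening on 1243 answering a remote client on 2234, and a local client on ephemeral port 1243 talking to a remote service on 2234, both produce exactly this packet. The checks that settle it are the earlier log entries for the same connection (who sent the SYN) and `netstat -an` on the PC, which shows whether anything is LISTENING on TCP port 1243.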
  7. Andy Devine

    Andy Devine Guest

    "neimangu" <> wrote in message
    news:bf9f32$lcn$...
    > sub-seven is indeed a trojan, and a nasty one.
    >
    > If it went undetected on your system, this means you have either a
    > not-up-to-date AV software, or the exe file has been modified and it is not
    > the original version of sub-seven (WCS).
    >
    > check this out:
    > http://www.hackfix.org/subseven/
    >
    > good luck with that
    >


    thank you very much!
    Andy Devine, Jul 20, 2003
    #7
  8. R Green - WoWsat.com

    As a temporary fix, if you don't have a software firewall installed, get one
    such as ZA and in the FIREWALL ZONE tab, block the IP range of that DSL
    company in Europe.

    R Green
    Technical Service Advisor
    ---------------------------
    WoWsat.com
    ---------------------------

    "Andy Devine" <> wrote in message
    news:QWARa.82405$N7.9795@sccrnsc03...
    > This has been happening a lot lately... Does this mean I already have a
    > trojan that has been undetected?
    >
    > Thanks,
    > AD
    >
    >
    > * * * *
    >
    > Blocked an outgoing TCP packet. The remote address associated with the
    > traffic was 81.79.8.64. The remote port was 2234 [ephemeral]. The local
    > port on your PC was 1243 [Sub-7 (trojan)]. The network adapter for the
    > traffic was "Intel(R) PRO/100+ Management Adapter".
    >
    > The binary data contained in the packet was "00 08 20 cb 3c 54 00 02 b3 a1
    > a2 39 08 00 45 00 00 28 8a 05 40 00 80 06 1e 72 0c d7 eb f2 51 4f 08 40 04
    > db 08 ba 30 3b 6b 12 02 1c 3d 4d 50 11 fa f0 7a 3e 00 00 ".
    >
    >
    R Green - WoWsat.com, Jul 20, 2003
    #8
  9. Guest

    > As a temporary fix, if you don't have a software firewall installed, get one
    > such as ZA and in the FIREWALL ZONE tab, block the IP range of that DSL
    > company in Europe.
    >
    > R Green
    > Technical Service Advisor
    > ---------------------------
    > WoWsat.com
    > ---------------------------


    Personally, I don't know if it would make much sense to block off a
    range since you may block ranges of sites he visits. Security thru'
    obscurity is never a fix for anything.

    I know you stated 'as a temporary fix' and I also notice you included
    technical service advisor, I just hope you don't give any clients
    that advice.

    segment /:/ AntiOffline . com
    , Jul 20, 2003
    #9
  10. mto

    mto Guest

    <> wrote in message
    news:5brSa.18240$...
    > > As a temporary fix, if you don't have a software firewall installed, get one
    > > such as ZA and in the FIREWALL ZONE tab, block the IP range of that DSL
    > > company in Europe.
    > >
    > > R Green
    > > Technical Service Advisor
    > > ---------------------------
    > > WoWsat.com
    > > ---------------------------

    >
    > Personally, I don't know if it would make much sense to block off a
    > range since you may block ranges of sites he visits. Security thru'
    > obscurity is never a fix for anything.
    >
    > I know you stated 'as a temporary fix' and I also notice you included
    > technical service advisor, I just hope you don't give any clients
    > that advice.


    That actually isn't bad advice, you know. The IP range in question provides
    DSL service rather than web hosting so it is unlikely that he will be
    missing a site or two. The block is easily undone at the click of a button
    and meanwhile the block will prevent both outgoing and incoming connections
    from something that appears to be an ongoing problem while he figures out
    exactly what the problem is.
    mto, Jul 20, 2003
    #10
  11. mto

    mto Guest

    Re: Possible Trojan? Does anyone recognize this data?

    "pepperz" <> wrote in message
    news:...
    > A friend of mine found a file on her computer containing the following
    > lines:
    >
    > NEOLOGIT>20030622:222808:CORE:CORE:CORE:CORE:CAutoSemaphore:1:CAutoSemaphore::WaitSemaphore - No handle to wait for -- bitch!:009B8660
    >
    > Does anyone recognize it. Is it part of some "trojan" scheme?
    >
    > Thanks


    Try SpyBot Search and Destroy - free. Then if it is still there post name
    and extension of file, OS in use, list of startup programs from Spybot
    Advanced mode.
    mto, Jul 23, 2003
    #11
  12. mto

    mto Guest

    "triton" <> wrote in message
    news:...
    > If he just blocks that IP range, couldn't anyone else with the Sub 7
    > client still connect to his system, depending of course if it wasn't password
    > protected?


    Might be so - but as long as the thing is in his machine the only way to
    prevent that entirely is to simply disconnect from the net and stay that
    way, which would likely also eliminate all resources to help him get the
    thing gone.

    Meanwhile, since he has repeatedly noticed problems from this one IP range,
    that will at least take care of that set of problems.

    > I know we used to play around with that program a few years ago, and it
    > was incredible how many machines were open.


    More than a little incredible. Of late I have been told by my daughter
    after an atrocious infection with a porn downloader and a couple of dialers
    that ran their phone bill into the thousands that they didn't want to change
    IP's because the one they were using was cheap, that they didn't want a
    firewall because it interfered with the online email, etc. And then there
    is my sister, who LIKES her HotBar and Kazaa, glory be. You can lead a
    horse and all of that .....

    > Another port that Sub 7 used was
    > 27374 or something like that. I never did any damage to anyone's machines,
    > and most of the time I'd use the "remove server" feature to clean their
    > systems, or password protect it so no-one else got in.


    I suspect you are now older & wiser :)


    > "mto" <> wrote in message
    > news:...
    > >
    > > <> wrote in message
    > > news:5brSa.18240$...
    > > > > As a temporary fix, if you don't have a software firewall installed, get one
    > > > > such as ZA and in the FIREWALL ZONE tab, block the IP range of that DSL
    > > > > company in Europe.
    > > > >
    > > > > R Green
    > > > > Technical Service Advisor
    > > > > ---------------------------
    > > > > WoWsat.com
    > > > > ---------------------------
    > > >
    > > > Personally, I don't know if it would make much sense to block off a
    > > > range since you may block ranges of sites he visits. Security thru'
    > > > obscurity is never a fix for anything.
    > > >
    > > > I know you stated 'as a temporary fix' and I also notice you included
    > > > technical service advisor, I just hope you don't give any clients
    > > > that advice.
    > >
    > > That actually isn't bad advice, you know. The IP range in question provides
    > > DSL service rather than web hosting so it is unlikely that he will be
    > > missing a site or two. The block is easily undone at the click of a button
    > > and meanwhile the block will prevent both outgoing and incoming connections
    > > from something that appears to be an ongoing problem while he figures out
    > > exactly what the problem is.
    > >
    > >
    >
    >
    mto, Jul 23, 2003
    #12
  13. triton

    triton Guest

    "mto" <> wrote in message
    news:...
    >
    > "triton" <> wrote in message
    > news:...
    > > If he just blocks that IP range, couldn't anyone else with the Sub 7
    > > client still connect to his system, depending of course if it wasn't password
    > > protected?

    >
    > Might be so - but as long as the thing is in his machine the only way to
    > prevent that entirely is to simply disconnect from the net and stay that
    > way, which would likely also eliminate all resources to help him get the
    > thing gone.
    >
    > Meanwhile, since he has repeatedly noticed problems from this one IP
    > range, that will at least take care of that set of problems.


    ***But then again, anyone with a port scanner could possibly find and
    exploit that program.

    >
    > > I know we used to play around with that program a few years ago, and it
    > > was incredible how many machines were open.

    >
    > More than a little incredible. Of late I have been told by my daughter
    > after an atrocious infection with a porn downloader and a couple of
    > dialers that ran their phone bill into the thousands that they didn't want to
    > change IP's because the one they were using was cheap, that they didn't want a
    > firewall because it interfered with the online email, etc. And then there
    > is my sister, who LIKES her HotBar and Kazaa, glory be. You can lead a
    > horse and all of that .....


    *** Ouch!
    >
    > > Another port that Sub 7 used was
    > > 27374 or something like that. I never did any damage to anyone's
    > > machines, and most of the time I'd use the "remove server" feature to clean their
    > > systems, or password protect it so no-one else got in.

    >
    > I suspect you are now older & wiser :)


    *** Older and wiser, agreed. I guess it was just one of those passing
    phases, but I did learn a few things.
    >
    >
    > > "mto" <> wrote in message
    > > news:...
    > > >
    > > > <> wrote in message
    > > > news:5brSa.18240$...
    > > > > > As a temporary fix, if you don't have a software firewall installed,
    > > > > > get one such as ZA and in the FIREWALL ZONE tab, block the IP range of
    > > > > > that DSL company in Europe.
    > > > > >
    > > > > > R Green
    > > > > > Technical Service Advisor
    > > > > > ---------------------------
    > > > > > WoWsat.com
    > > > > > ---------------------------
    > > > >
    > > > > Personally, I don't know if it would make much sense to block off a
    > > > > range since you may block ranges of sites he visits. Security thru'
    > > > > obscurity is never a fix for anything.
    > > > >
    > > > > I know you stated 'as a temporary fix' and I also notice you included
    > > > > technical service advisor, I just hope you don't give any clients
    > > > > that advice.
    > > >
    > > > That actually isn't bad advice, you know. The IP range in question provides
    > > > DSL service rather than web hosting so it is unlikely that he will be
    > > > missing a site or two. The block is easily undone at the click of a button
    > > > and meanwhile the block will prevent both outgoing and incoming connections
    > > > from something that appears to be an ongoing problem while he figures out
    > > > exactly what the problem is.
    > > >
    > > >
    > >
    > >
    >
    >
    triton, Jul 24, 2003
    #13
  14. Julie Brandon

    On Thu, 17 Jul 2003 23:43:32 -0400, mto () said:
    >BTW, that RIPE IP# is in Great Britain, a dsl connection. If your firewall
    >saved a log of the time that this (and the others) incident occurred you
    >might be able to track down your hacker. GB and EU sometimes have much
    >better laws than here in the US about such things.


    I know this is a bit belated, but here goes (in case the original poster is
    still reading the thread)

    Computer Misuse Act 1990

    <URL:http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm>

    --
    Julie Brandon http://www.computergeeks.co.uk/
    Julie Brandon, Aug 2, 2003
    #14
