Stop Microsoft
Miscellaneous => The Lounge => Topic started by: Lennon on 30 September 2003, 21:28
-
I didn't manage to download a firewall, and as soon as I connected and started downloading the Sygate Personal Firewall (free and good firewall) I noticed that by the end of the 1MB download I had uploaded 40MB to someplace. So I got the firewall running, and this thing was sending to some 239.255.255.250. After a search I found it had something to do with local networks, but I had some SVCHOST.exe sending data there constantly. So I blocked it in the firewall.
Now the really weird thing. Some DLLHOST.exe file starts uploading like mad instead. I blocked it too, and now after 6MB of uploaded data it stopped. It started uploading to EVERY IP starting with 62.193, 62.192, 62.191, 62.190 or so I think. It keeps trying 100 IPs a second, but I blocked it. Even blocked, it is wasting my internet connection and it's really slow. I can hardly use the damn thing.
I also got a file access monitor to see if it was drawing any files off my machine. I found that when I started IE it scanned my desktop and my whole C drive for data structure, and then opened the infamous CONTENT.IE/INDEX.DAT file and wrote to it. I'll deal with that later. But this is obviously all part of IE. Also it was accessing files so quickly I couldn't really catch what it was doing (the log file grows huge and the piece o' sh*t is slow). I don't think it scanned my D drive.
Anyway, I never heard of this happening before. Am I being hacked? Why is this happening? I also found some remote PC control programs are in use, some WMBP, Koreg authentication, object.something files bla bla...
I just came here to find out how to get Linux back up and running 'cos I really need the net (I'm a webmaster!) and window$ is not only shit but I can't use the net at all. (You can help me with that problem in the Linux forum, cheers)
-
Now it stopped switching IPs and landed at
(port 8)
62.191.169.172
GeekTools Whois Proxy v5.0.2 Ready.
Checking access for 62.193.130.XX... ok. /* << my ip */
Final results obtained from whois.ripe.net.
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 62.191.0.0 - 62.191.255.255
netname: EU-UUNET-991026
descr: UUNET UK (Formerly PIPEX)
descr: PROVIDER
country: GB
admin-c: WERT1-RIPE
tech-c: UPHM1-RIPE
status: ALLOCATED PA
remarks: Please send abuse notification to [email protected]
notify: [email protected]
mnt-by: RIPE-NCC-HM-MNT
mnt-by: AS1849-MNT
changed: [email protected] 19991026
changed: [email protected] 20000229
changed: [email protected] 20000713
changed: [email protected] 20030513 # eu.uunet.ton via https://lirportal.ripe.net
source: RIPE
role: WCOM EMEA Registrar Team
address: UUNET
address: EMEA Network Services
address: J. Muyskenweg 22
address: NL-1096 CJ Amsterdam
address: The Netherlands
phone: +31 20 711 6000
fax-no: +31 20 711 6001
e-mail: [email protected]
admin-c: SC301-RIPE
admin-c: TONE1-RIPE
admin-c: AK111-RIPE
admin-c: HTV5-RIPE
tech-c: SC301-RIPE
tech-c: TONE1-RIPE
tech-c: AK111-RIPE
tech-c: HTV5-RIPE
nic-hdl: WERT1-RIPE
notify: [email protected]
mnt-by: AS1849-MNT
changed: [email protected] 20030202
source: RIPE
role: PIPEX Hostmaster
address: UUNET UK
address: Internet House
address: 330 Science Park
address: Milton Road
address: Cambridge
address: CB4 4BZ
address: UK
phone: +44 1223 250122
fax-no: +44 1223 250133
e-mail: [email protected]
trouble: Telephone number available 24x7
admin-c: WERT1-RIPE
tech-c: WERT1-RIPE
nic-hdl: UPHM1-RIPE
remarks: UUNET UK
mnt-by: AS1849-MNT
changed: [email protected] 19971009
changed: [email protected] 19971111
changed: [email protected] 19980402
changed: [email protected] 19981214
changed: [email protected] 20000224
source: RIPE
notify: [email protected]
changed: [email protected] 20030605
-
Where is this dllhost.exe file?
-
c:\windows\system32
c:\windows\system32\wins
-
what are the creation dates on those two files?
-
first one was modified on 23/08/2001
second (in wins directory) was modified (probably created too) on 28/09/2003
the first one is 5KB
second one is 10KB
-
In this wins directory there is only that other file, svchost.exe, which is also sending stuff but only to that single IP I mentioned.
dllhost seems to be searching for an IP similar to mine (first two digits), and it was just sending to IPs starting with 202.98. (I think those were the numbers)
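The pattern Lennon describes (one process touching a hundred or so distinct addresses a second in the /16s next to his own, while svchost.exe only ever talks to 239.255.255.250, the SSDP multicast address) is what an address sweep looks like in a per-process outbound connection log. The script below is an added example, not something from the thread or from Sygate; it works on constructed log lines in a made-up "<date> <time> <process> <proto> <dst>:<port>" format (the line layout, the `find_sweeps` threshold and the sample addresses are all assumptions), separates multicast and RFC 1918 chatter from public destinations, and then reports any process that hit 50 or more distinct public hosts within one second, together with the /16 prefixes it covered.

```python
"""Spot a worm-style address sweep in per-process outbound connection logs."""
import ipaddress
from collections import defaultdict

# Constructed log lines (not real Sygate output) in an assumed
# "<date> <time> <process> <proto> <dst_ip>:<dst_port>" layout.
# They mirror the thread: svchost.exe chatting to the SSDP multicast address,
# a browser fetching one page, and dllhost.exe walking through a /24.
_STATIC_LINES = [
    "2003-09-30 21:10:01 svchost.exe UDP 239.255.255.250:1900",
    "2003-09-30 21:10:01 iexplore.exe TCP 62.193.0.1:80",
    "2003-09-30 21:10:02 svchost.exe UDP 239.255.255.250:1900",
]
# Constructed sweep: 120 consecutive hosts in 62.191.169.0/24 inside one second.
_SWEEP_LINES = [
    f"2003-09-30 21:10:01 dllhost.exe ICMP 62.191.169.{host}:0"
    for host in range(1, 121)
]
SAMPLE_LOG = "\n".join(_STATIC_LINES + _SWEEP_LINES)

# 239.255.255.250 is the SSDP (UPnP discovery) multicast group; traffic to it
# stays on the local segment and is normal Windows behaviour, not a scan.
SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")


def parse_line(line):
    """Return (second, process, proto, dst_ip, dst_port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    date, time, process, proto, dst = parts
    host, _, port = dst.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
        port = int(port)
    except ValueError:
        return None
    return (f"{date} {time}", process, proto, ip, port)


def classify_destination(ip):
    """Label a destination so multicast/LAN chatter is not mistaken for a sweep."""
    ip = ipaddress.ip_address(ip)  # accepts a str or an address object
    if ip == SSDP_MULTICAST:
        return "ssdp-multicast"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public"


def find_sweeps(log_text, threshold=50):
    """Flag (process, second) pairs that touched at least `threshold` distinct public hosts.

    Many distinct destinations in a short window is the sweep signature; the
    covered /16 prefixes are reported so the analyst can see the scan's
    neighbourhood (a worm often starts near the infected host's own address).
    """
    per_window = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        second, process, _proto, ip, _port = rec
        if classify_destination(ip) != "public":
            continue  # multicast / RFC 1918 traffic is not evidence of a scan
        per_window[(process, second)].add(ip)

    findings = []
    for (process, second), ips in sorted(per_window.items()):
        if len(ips) >= threshold:
            prefixes = sorted(
                {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
            )
            findings.append({
                "process": process,
                "second": second,
                "distinct_hosts": len(ips),
                "prefixes": prefixes,
            })
    return findings


if __name__ == "__main__":
    for f in find_sweeps(SAMPLE_LOG):
        print(f"{f['second']} {f['process']} hit {f['distinct_hosts']} hosts "
              f"in {', '.join(f['prefixes'])}")
```

The threshold is deliberately per second rather than per minute: a legitimate program (a browser, a P2P client) can accumulate many destinations over minutes, but a hundred distinct hosts in one second from a process named after a system binary is the behaviour worth pulling the network cable over. The SSDP special case is there because the first thing Lennon saw was svchost.exe talking to 239.255.255.250, which on its own is benign.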
-
http://www.pchell.com/virus/welchia.shtml
-
quote:
Originally posted by flap:
http://www.pchell.com/virus/welchia.shtml
Yep.
Lennon, it looks like in the time it took you to download a firewall, you were infected with a worm.
The very first thing you should download is all the security patches for any OS install.
-
Ah yes, those viruses. Windoze is full of them. I just can't grasp how it got there, but hey. Maybe it was from an old download of Kazaa Lite which I installed, or an OpenOffice Windows version (it was on a CD). Kazaa is the prime suspect I suppose?
Anyway, thanks a lot, I removed it and it seems fine now. I did it without System Restore so I hope the worm won't resurrect...
What do you think were those 40 megs of uploaded data? Just searching for victims, or were they downloading my mp3s or something?
-
No. It was a worm. You didn't install anything (and that's the problem -- you needed to install security patches).
-
quote:
Originally posted by Lennon:
Anyway, thanks a lot, I removed it and it seems fine now. I did it without System Restore so I hope the worm won't resurrect...
What do you think were those 40 megs of uploaded data? Just searching for victims, or were they downloading my mp3s or something?
Quirk is right. This was not a virus. It was a worm. Think of it as an automated script kiddie self replicating and hacking into all winNT/2k/xp machines connected to the internet without any action on your part. Unless you patch (http://windowsupdate.microsoft.com, accessible only through MSIE) you will get it, or a variant, again.
No matter what OS you run you must apply security patches if it is to be connected to the internet.
This particular worm was a well-meaning attempt at countering the msblast worm, but it causes a bunch of problems by itself. All that data was it trying to copy versions of itself, as well as the patch, to other computers.
-
quote:
Unless you patch (http://windowsupdate.microsoft.com, accessible only through MSIE) you will get it, or a variant, again.
Not if he has a firewall. It doesn't matter how buggy your system is if it isn't open to the outside world. Unless the firewall is buggy too.
-
Why even bother with it?
Just try Linux, it's FREE
-
he just said that he's about to get Linux back on the box
-
ITM