Re: strange windows behaviour.

From: Harlan Carvey (
Date: 10/10/03

  • Next message: Karl Levinson: "Re: Spamming, 'hidden' mail server"
    Date: Fri, 10 Oct 2003 06:10:05 -0700 (PDT)

    > You've gotten some good advice already. FWIW, I
    > would not first suspect adware in either of the
    > cases below.

    I would agree. Too many times, that seems to be a
    stock answer, particularly from someone who deals with
    it all the time. I see it a lot, but I prefer to try
    and narrow down the usual suspects before resorting to
    running the adware/spyware removal tools.

    > Regarding the university report, the fact that
    > winservn.exe does not show up in a search
    > plus the fact that it is listening for inbound
    > connections does not make me think adware.

    I wouldn't be too concerned about Google, though that
    is a valid point. The fact that it's listening for
    connections should take priority, in my thinking.

    > In both incidents, I would want to save and submit
    > the responsible file to the anti-virus vendor for
    > inspection.

    Good call, though some of the work can be done by the
    person who actually has a copy of that file. Tools
    like strings.exe and Dependency Walker can give a
    really good view of what the file may be doing. Also,
    using a tool to get the file version information may
    be enlightening.

    > Regarding the original poster's incident, knowing
    > the ports and remote IP addresses involved would be
    > helpful. If you haven't already, running one of the
    > previously mentioned port inspecting tools such as
    > Fport from that actually
    > tells you what executable is generating the traffic
    > should be done.

    Just a quick comment here...I recommend using fport,
    but as with any tool, one needs to understand the
    strengths and weaknesses of the tools used. Fport
    requires an admin account to work, whereas
    openports.exe from DiamondCS doesn't. Also, I know
    that inzider is bandied about quite a bit by SANS but
    before you use it, take a moment to read the author's
    web site on the tool (just b/c SANS recommends it
    doesn't make it a particularly good tool to use).

    > Inspecting firewall and IDS logs
    > for traffic from the affected machines or ports
    > and/or running a sniffer such as Ethereal, Windump
    > or Snort could be useful.

    True. I would recommend Ethereal, as it can do stream
    reassembly...that way, you can look at an entire
    "conversation" at once. However, keep in mind that
    WinDump and Snort can both capture in formats that can
    be opened by Ethereal.

    > [Windows Netstat utility
    > doesn't give you that information unless you're
    > running XP.]

    Netstat won't capture traffic on any Windows platform.
    Are you referring to the '-o' switch, which will list
    the PIDs associated with the connections on the far
    right-hand side of the output?
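The strings.exe triage mentioned above, as an added example that is not code from the original post or from Sysinternals: it pulls printable runs out of a byte blob in both 8-bit ASCII and 16-bit little-endian Unicode (strings.exe looks for both by default), keeps the file offset of each run, and then tags the strings a responder would want to see first (IPv4 addresses, URLs, hostnames, a Run key). The blob is constructed to look like the start of a PE file; it is not a real executable, and the hostname, IRC command and IP in it are made up.

```python
"""Triage an unknown binary by its printable strings, the way strings.exe does.

Added example for this thread, not code from the original post or from
Sysinternals. The sample blob below is constructed, not a real executable.
"""
from __future__ import annotations
import re

MIN_LEN = 4  # minimum run length to report; adjust like strings -n

# Constructed sample: fake MZ header, the DOS stub text, non-printable noise,
# an ASCII hostname, a UTF-16LE IRC command, a registry path, a two-byte
# fragment that is too short to report, and an IPv4 address.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    + bytes(range(1, 32)) * 2
    + b"irc.example.net\x00"
    + b"\x00\x00" + "NICK winservn".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"
    + b"192.0.2.44\x00"
)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run, in file order.

    ASCII runs are bytes 0x20-0x7e; Unicode runs are the same characters
    each followed by a NUL byte (UTF-16LE for the Basic Latin range).
    """
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_rx.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_rx.finditer(data)]
    return sorted(found)


# Indicator patterns checked in this order; the first match tags the string,
# so an IPv4 address or a URL is not also reported as a bare hostname.
INDICATORS = (
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"\bhttps?://", re.I)),
    ("hostname", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)),
    ("run_key", re.compile(r"CurrentVersion\\Run", re.I)),
)


def triage(strings: list[tuple[int, str, str]]) -> dict[str, list[str]]:
    """Group extracted strings by the first indicator pattern they match."""
    hits: dict[str, list[str]] = {}
    for _offset, _encoding, text in strings:
        for tag, rx in INDICATORS:
            if rx.search(text):
                hits.setdefault(tag, []).append(text)
                break
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for offset, encoding, text in found:
        print(f"{offset:08x} {encoding:8} {text}")
    for tag, texts in triage(found).items():
        print(f"[{tag}] " + ", ".join(texts))
```

The hostname pattern is deliberately loose and will also catch version numbers such as "1.0"; that is the usual trade-off with strings triage, and the offsets let you go back to the file and look at what surrounds a hit. Packed or encrypted binaries will yield little, which is itself a useful observation before sending the sample to the anti-virus vendor.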

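The port-to-process mapping discussed above (fport, openports, and the '-o' switch), as an added example that is not code from the original post and not a wrapper around any of those tools: on XP and later, `netstat -ano` prints the owning PID in the right-hand column but not the image name, and `tasklist /fo csv` maps PIDs to image names, so joining the two gives the "which executable owns this port" view from tools already on the box. Both outputs below are constructed samples, not captures from a real host; winservn.exe appears only because it is the name under discussion in the thread.

```python
"""Label each socket with its owning process, fport-style, from netstat -ano.

Added example for this thread; not code from the original post. Both
command outputs below are constructed samples, not captures.
"""
from __future__ import annotations
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (XP and later show the PID).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1504
  TCP    192.0.2.10:1042        198.51.100.7:6667      ESTABLISHED     1504
  TCP    192.0.2.10:1043        198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1180
"""

# Constructed sample of `tasklist /fo csv` output from the same host.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"svchost.exe","812","Console","0","4,756 K"
"svchost.exe","1180","Console","0","3,912 K"
"winservn.exe","1504","Console","0","1,224 K"
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    remote: str
    state: str      # empty for UDP, which has no state column
    pid: int
    image: str      # "<no such pid>" when tasklist did not list the PID


# proto, local, foreign, optional state, PID. UDP lines have no state, so
# the state group is optional and the PID is anchored to the end of line.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> list[tuple[str, str, str, str, int]]:
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m is None:          # banner, blank and header lines
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def parse_tasklist(text: str) -> dict[int, str]:
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def map_sockets(netstat_text: str, tasklist_text: str) -> list[Socket]:
    images = parse_tasklist(tasklist_text)
    return [Socket(p, l, r, s, pid, images.get(pid, "<no such pid>"))
            for p, l, r, s, pid in parse_netstat(netstat_text)]


def inbound_listeners(sockets: list[Socket]) -> list[Socket]:
    """TCP sockets in LISTENING plus every bound UDP socket: the ports a
    remote host can reach, which the thread says should take priority."""
    return [s for s in sockets
            if (s.proto == "TCP" and s.state == "LISTENING") or s.proto == "UDP"]


def report(sockets: list[Socket]) -> list[str]:
    """One line per socket, columns in the order fport prints them."""
    return [f"{s.pid:<6}{s.image:<22}{s.local:<24}{s.proto}  {s.state}".rstrip()
            for s in sockets]


if __name__ == "__main__":
    socks = map_sockets(NETSTAT_ANO, TASKLIST_CSV)
    print("Pid   Process               Local address           Proto")
    for line in report(inbound_listeners(socks)):
        print(line)
```

Two caveats in the spirit of the post's "know the tool's weaknesses": this join gives an image name, not a path, so a process named like a system binary still has to be located on disk; and both commands ask the running kernel, so a rootkit that hides a process or a socket hides it from this as well, which is why a sniffer or the firewall logs on another box remain the independent check.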
