New very stealthy 'chatty' Worm or MS bug?
From: bz (bz+csmacav_at_ch100-5.chem.lsu.edu)
Date: 04/23/04
Date: Fri, 23 Apr 2004 11:07:09 +0000 (UTC)
I have been observing a strange behavior and can't figure out what is going
on: several windows machines are 'chatting' continuously with my WinNT 4
PDCs/BDCs on my NT domain. The virus, worm, or MS-BUG is quite stealthy,
whatever it is. It appears to run on at least winXP and win2k.
The traffic looks somewhat like that documented at
http://www.mynetwatchman.com/kb/security/articles/iraqiworm/iraqitrace.htm
in that there are a lot of SMB packets and AndX requests.
TCPview.exe shows that each of these 'chatty' machines maintains an
ESTABLISHED connection with one of my domain controllers. The data volume
for each of these connections seems significant.
I have checked several of the machines that are acting strange. NAV is
up-to-date. MS patches are up-to-date. I can't see anything 'strange' running.
I cloned a copy of the hard drive of one of the chatty machines (a win2k pro
machine). I have the clone running under VMware. I had to change the IP
address, name and SID in order to get the clone to run properly. Before I
changed the SID, I found that neither machine was chatting. Attempting to
put two machines into the domain, with the same SID, kicked both machines
OUT of the domain because it broke the trust relationship with the domain.
I had to remove each from the domain, and re-add them after fixing the SID
conflict, before chatting resumed.
Examining the hard drive contents from an independent operating system, I
have yet to find any malware running. I do notice that the 'explorer'
process name is displayed as 'explorer.EXE' in the task manager. This may
or may not be a clue, as FC says that the running copy of explorer is
identical to the explorer.exe that is running on the 'healthy' host
machine. Of course, a DLL that explorer invokes might be the villain.
I have discovered that, using MSconfig, IF I disable the 'net logon'
service on the cloned machine, and restart the machine, the chatting stops,
but it is not the 'net logon' service itself that is the problem. If I then
enable 'net logon', chatting starts. Disabling or stopping 'net logon' does
NOT stop the chatting. The system must be restarted, with 'net logon'
disabled, before chatting stops.
Where should I look next, please? This one has me stumped.
Finally, I cross posted this to alt.comp.anti-virus at the request of one
of the other sysops on campus. I am setting followUp to comp.security.misc
because our campus news server does not carry that alt group and I am NOT
sure that the problem I am seeing is a virus. It could also be a bug in a
recent MS critical update that only shows up on some machines.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an infinite set.
bz+csmacav@ch100-5.chem.lsu.edu
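One way to put numbers on the symptom described in the post above, as an added triage script that is not part of the original message: it ranks workstations by SMB byte volume sent to known domain controllers from flow-summary lines and flags hosts whose volume is far above the median and sustained over time, rather than a short logon burst. The flow-line format, the DC addresses, the sample flows and the thresholds are all constructed assumptions for this example.

```python
"""Triage helper: rank workstation -> domain-controller SMB traffic from
flow-summary lines so that persistently 'chatty' hosts stand out.
Input format is an assumption for this example (one flow per line):
  <epoch_start> <epoch_end> <src_ip> <dst_ip> <dst_port> <bytes>
"""
from collections import defaultdict
from statistics import median

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed sample: four hosts with small logon-sized exchanges, one host
# (10.1.1.55) holding a long, high-volume SMB session with a DC, plus one
# non-SMB flow that must be ignored.
SAMPLE_FLOWS = """\
1082718000 1082718005 10.1.1.20 10.1.1.2 445 4200
1082718001 1082718004 10.1.1.21 10.1.1.2 445 3900
1082718002 1082718006 10.1.1.22 10.1.1.3 139 4100
1082718000 1082721600 10.1.1.55 10.1.1.2 445 52000000
1082718003 1082718010 10.1.1.23 10.1.1.2 445 4400
1082718500 1082718800 10.1.1.55 10.1.1.2 80 9000000
""".splitlines()

def parse_flows(lines):
    """Yield (start, end, src, dst, dport, nbytes); skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            start, end = float(parts[0]), float(parts[1])
            dport, nbytes = int(parts[4]), int(parts[5])
        except ValueError:
            continue
        yield start, end, parts[2], parts[3], dport, nbytes

def smb_to_dcs(lines, dcs):
    """Per source host: total SMB bytes to any DC and the first/last time seen."""
    totals = defaultdict(lambda: {"bytes": 0, "first": None, "last": None})
    for start, end, src, dst, dport, nbytes in parse_flows(lines):
        if dst not in dcs or dport not in SMB_PORTS:
            continue
        rec = totals[src]
        rec["bytes"] += nbytes
        rec["first"] = start if rec["first"] is None else min(rec["first"], start)
        rec["last"] = end if rec["last"] is None else max(rec["last"], end)
    return dict(totals)

def chatty_hosts(totals, factor=5.0, min_span=600):
    """Hosts whose SMB volume to DCs exceeds factor x the median of all hosts
    and whose flows span at least min_span seconds (sustained, not a burst)."""
    if not totals:
        return []
    med = median(r["bytes"] for r in totals.values())
    return sorted(src for src, r in totals.items()
                  if r["bytes"] > factor * med and r["last"] - r["first"] >= min_span)
```

Run it against real conversation summaries from a capture taken on the DC side and compare the flagged hosts with the ESTABLISHED sessions TCPview reports.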