This is really strange...

From: I.L.B. (suricata_2_at_hotmail.com)
Date: 12/30/04


Date: Thu, 30 Dec 2004 16:56:32 +0100

Thanks guys, but I just ran the scanners you told me with no results....

This is really strange: It keeps happening! It happened just after
re-installing Windows XP, when trying to update it to SP1 and SP2.... that's
when the outbound bursts began. I can turn off the network connection, I
restart it again... then after a few seconds, the bursts of outgoing packets
start... when running NETSTAT, I see first an ESTABLISHED connection to
"unknown.sagonet.net:6667" (to an IRC port!!!), then comes the stream of
outbound packets, from 3000 to 4000 ports and so on... with no end!! In the
meanwhile I have no access to web surf nor anything regular, just bursts of
TCP packets flying away from my computer.

And it happened just when I re-installed XP, so ain't got time to download
any virus or worm or anything.

If that sounds familiar to any of you, please help me. Thanks...

"I.L.B." <suricata_2@hotmail.com> wrote in message
news:cr0i45$nu2$1@nsnmpen2-gest.nuria.telefonica-data.net...
> Hi all ;
>
> I am just experiencing a strange kind of infection I don't know whether is a
> new worm or not, as I never seen it before. The situation is next:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK
> - When I start an XP session, and I do activate my network connection... I
> start to see a very heavy traffic on the LEDs of my hub/router ADSL. The
> activity light is flickering like crazy... what happens??
> - I check the Status of the connection, and I see dozens of outbound packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what it happens. I see a LOT of outbound TCP
> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
> on... no way to stop it! All of these netstat entries end at some strange
> IPs at EPMAP port.
> - I run TaskManager, and I see a lot of started process of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for Sasser, Welchia worms, but the tools said I don't have
> these worms on my computer...
>
> Any ideas? Thanks !!
>
>
>
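
A triage check for the pattern described in this thread (an ESTABLISHED session to port 6667 alongside many SYN_SENT connections to the EPMAP port), as an added example that is not part of the original posts. The sample netstat output, host names, addresses and the fan-out threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Service names netstat prints when run without -n (epmap is 135/tcp).
SERVICE_PORTS = {"epmap": 135}
IRC_PORT = 6667

# Constructed sample of Windows `netstat -a` output (documentation addresses).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    xp-host:3000           irc.example.net:6667   ESTABLISHED
  TCP    xp-host:3401           198.51.100.17:epmap    SYN_SENT
  TCP    xp-host:3402           198.51.100.18:epmap    SYN_SENT
  TCP    xp-host:3403           198.51.100.19:epmap    SYN_SENT
  TCP    xp-host:3404           203.0.113.5:135        SYN_SENT
  TCP    xp-host:1045           192.0.2.80:80          ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s*$")

def parse(text):
    """Yield (remote_host, remote_port, state) for each TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _, _, rhost, rport, state = m.groups()
        port = SERVICE_PORTS.get(rport.lower())
        if port is None:
            if not rport.isdigit():
                continue  # unknown service name: cannot classify
            port = int(rport)
        yield rhost, port, state

def triage(text, fanout_threshold=3):
    """Flag IRC sessions and half-open fan-out to a single remote port."""
    half_open = defaultdict(set)  # remote port -> distinct remote hosts
    irc = []
    for rhost, port, state in parse(text):
        if state == "SYN_SENT":
            half_open[port].add(rhost)
        elif state == "ESTABLISHED" and port == IRC_PORT:
            irc.append(rhost)
    scans = {p: len(h) for p, h in half_open.items()
             if len(h) >= fanout_threshold}
    return {"irc_sessions": irc, "syn_fanout": scans}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Many distinct hosts in SYN_SENT on one remote port means the machine is initiating connections that are not being answered, which is what separates outbound scanning from ordinary client traffic such as the port 80 row.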


