unknown.sagonet connection? whats this?

Hi I am a newbie who is using tds and port explorer, for the last few weeks I have had a connection unknown.sagonet on my machine which is leeching bandwidth I think, the ip is 207.150.164.168 and the country via port explorer is united states. Is this a virus or trojan or other exploit. Either way I was wandering how I could permenantly stp this connection.

Any recommendations or help appreciated
David

 

Hi there and welcome!
Yes that is a nasty, you should kill the connection immediately and find the things on your system also via the hijackthis log - review forum.

You most probably did not patch your windows, as this is an object-data exploit.
It is included in emails like those for the cheap software, medications, etc.
The object data exploit thing redirects you to a site to grab a download mstasks.exe (think it was, will come back after i look carefully for the exact names) which is a downloader for other malware, x.exe or z.exe, which installs the tiny proxy on your system, leaving backdoors and opening the gates for all who like a proxy, stealing your bandwith and resources; turning your system into a zombie, spammign around to spread the infection.
the first i was aware of redirected to fatbonuscasino and it is even located on the premium yahoo netservers. Even with many complaints yahoo never removed it, probably makes them good money.
The link changed various times, and the ownership, name of the domain changed too a few times.
Via via those are all tracable to China. Sagonet is involved too in the story, think the X.exe came from there.

NetRange: 207.150.164.160 - 207.150.164.169
CIDR: 207.150.164.160/29, 207.150.164.168/31
NetName: SAGO-207-150-164-160
NetHandle: NET-207-150-164-160-1
Parent: NET-207-150-160-0-1
NetType: Reassigned
Comment: NOCWorx SWIP Interface v1.5 - http://interworx.info
RegDate: 2004-06-24
Updated: 2004-06-24

AbuseHandle: ABUSE32-ARIN
AbuseName: Abuse Team
AbusePhone: +1-866-510-4000
AbuseEmail: abuse@sagonet.com

the VBS script resolves to:
revealign as Trojan.Proxy.Daemonize.T.Dropper
The payload appears to be Trojanhorse Dropper. Inor J ,
Trojanhorse Downloader. Small BG and
Trojanhorse Proxy.4.AM
in the meantime probably more


mstasks.exe
The mstasks.exe file is a UPX compressed executable. When decompressed
it has its own code to do some stuff (it includes the strings
"Olive System"
"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"\suchost.exe"
"\suchostp.exe"
"suchostp.exe -p%u"
"suchostp.exe"
"SOFTWARE\Microsoft\Mctest\"
"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"cmd.exe /K del %s"

so we have a spammer installing a proxy on victims' machines, converting
them into the spammer's own spam-zombies, or worse.

The SUCHOST.EXE file sends a html message to a server

fatbonuscasino is an alias for p2.geo.premiumservices.yahoo.com
777onlineslot is an alias for geo.premiumservices.yahoo.com
both belonged to some Belgian guy, now it's another owner.
wildwincasino is one if the redirects too,
located at
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
casinomeister,
bethehealer,
NS.conet.net are involved too, and lots more..

Had at a certain moment emails which seemed empty, but in the source the exploit was visible all time.

End of May the business went to an Israelian owner, did not follow exactly what happened after that.

ramisoft was part of it, located the nasties here
NS1.SAGONET.COM 66.118.128.2
NS2.SAGONET.COM 66.118.128.3


All together [highlight]this is a rather serious condition[/highlight], think of sensitive data, creditcard numbers, bank accounts, all that. So get clean and rid of those nasties, when all clean and updated and all that change all passwords, even the most unimportant ones.
Your computer at the moment is a highway-zombie on the internet!




So please first of all, good you have Port Explorer with which you now have seen trojan behavior in action and which is part of the story. You might like a few moments to spy on a few datapackets from such connections to gather some proof for yourself, but don't leave that up too long as the capture.bin grows fast!

In the meantime please update your windows via the windows update site and if there look carefully if you are really there and not redirected (spoofed) to one of their fake sites.
Maybe to avoid that you like first to clean out via Hijackthis, see the instructions and how to post in that forum in [thread]15913[/thread]

BTW: to be able to post there, you need to join the forum as a member (which is free of course)

Please post back your next experiences!

 

I'm seeing unknown.sagonet in my stats for my web site, what's up with that? It 'visited' my site 450 some times last month. Is it acting as a spider, or is it just someone's PC that is infected that is being hijacked for some use?

 

I found some info about this sago thing... Its from a company called Sago Networks.

Name: Technical Support
Handle: TECHN20-ARIN
Company: Sago Networks
Address: 4465 W. Gandy Blvd.
Address: Suite 800
City: Tampa
StateProv: FL
PostalCode: 33611
Country: US
Comment:
RegDate: 2002-11-08
Updated: 2002-11-08
Phone: +1-866-510-4000
Email: *******@sagonet.com

 

Please see my description above about the infection and which files to look for etc. etc........

PS: since we officially don't have the HJT cleanout service, you can either in this case post your HJT log or autostartViewer log (use all options to make it complete) here or submit to support@diamondcs.com.au (when a mod asks for it you have permission to have it checked) or you could have it done on one of the ASAP forums where the service is still available.

 

So what causes this to happen exactly?

 

You might have clicked an infected spam mail sending you to such an auto-download - installation and transforming your system in a digital highway (open proxy) and users doing everything on your system they want, including storing discutable websites, not mentioning storing or using sensitive information. So best prevent infection and if infected get rid of it like described.

 

Sagonet is a datacenter, in case anyone doesn't know, servers are where people put their webservers. I would recommend you contact them personally about your problem, if someones mis-using their services (As I suspect) them they are the type to take a hard-line on it.

 

I did explain sagonet what's going on, forwarded the thread, whole internet is filled with discussions about them, IP's blocked and blacklisted elsewhere, so they really must be aware what's going on. Thousands of thousands complaints have gone there if you look in the internet abuse lists.
And then i can't think this reaction is the "hard line" is it?
Quote from sagonet to me:

As you see it really doesn't help, just block the whole IP range in your firewall and Port Explorer, clean out the system for eventual garbage and stay away from everything which could infect your system.