Wilders Security Forums  

Go Back   Wilders Security Forums > Security Products > other firewalls
#1
May 18th, 2003, 10:31 AM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Ntoskrnl.exe

I woke this morning to the warning screen from Sygate, telling me
an outgoing attempt had been made by Ntoskrnl.exe. I do not have Windows XP set to autoupdate.
What other program would be trying to connect to change my Kernel?




Application has changed since the last time you opened it, process id: 4
Filename: C:\WINDOWS\System32\ntoskrnl.exe
The change was denied by user.

---- Modules changed: 1 ----
C:\WINDOWS\System32\ntoskrnl.exe
---- New modules: 0 ----



[Attached image]
#2
May 18th, 2003, 11:04 AM
Patrice (Frequent Poster; Join Date: Apr 2003; Location: Antarctica; Posts: 571)
Re: Ntoskrnl.exe

Hi controler,

when you trace this address you receive the following information:

Resolve IP: 216.136.226.209
Full name: cs30.msg.sc5.yahoo.com

Any clues why it wants to connect to Yahoo? Ntoskrnl.exe is the most important file in Windows, it's the core. Normally only an update changes this file...

Regards,

Patrice
__________________
I know nothing except the fact of my ignorance. (Socrates 470-399 bc)
#3
May 18th, 2003, 11:10 AM
CrazyM (Firewall Moderator; Join Date: Feb 2002; Location: BC, Canada; Posts: 2,433)
Re: Ntoskrnl.exe

Hi controler

Quote (controler):
I woke this morning to the warning screen from Sygate, telling me
an outgoing attempt had been made by Ntoskrnl.exe. I do not have Windows XP set to autoupdate.
What other program would be trying to connect to change my Kernel?

Do you have any more log details on the type of outbound ICMP? The destination IP comes back to Yahoo.

Quote:
Application has changed since the last time you opened it, process id: 4
Filename: C:\WINDOWS\System32\ntoskrnl.exe
The change was denied by user.

---- Modules changed: 1 ----
C:\WINDOWS\System32\ntoskrnl.exe
---- New modules: 0 ----

Do you have existing rules for this .exe? Does Sygate provide you with details the last time that particular .exe was authenticated? Have you done any major system updates since then that could account for this prompt?

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
#4
May 18th, 2003, 12:41 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: Ntoskrnl.exe

Walwatcher didn't log it, and here is the info from the Sygate
Packet Viewer.
I also posted all my system info on the NOD32 Beta thread yesterday, since it was requested. I am having that same problem updating NOD.
I did leave Yahoo IM on all night also.

05/18/2003 09:53:36  scs.msg.yahoo.com [216.136.233.137]  80  192.168.1.100  2807  Outgoing  Allowed  C:\Program Files\Yahoo!\Messenger\YPager.exe
05/18/2003 09:53:36  scs.msg.yahoo.com [216.136.233.137]  80  192.168.1.100  2807  Incoming  Allowed  C:\Program Files\Yahoo!\Messenger\YPager.exe
05/18/2003 09:53:36  scs.msg.yahoo.com [216.136.233.137]  80  192.168.1.100  2807  Incoming  Allowed  C:\WINDOWS\System32\DRIVERS\ndisuio.sys

All these allows of the ndisuio driver, even though I had Sygate set to block. Now I see it has been changed to none of the three (allow, block or ask). I didn't change it either.
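The Packet Viewer lines above are the useful evidence in this thread: the ndisuio.sys entry has the same remote host, remote port and local port (2807) as the two YPager.exe entries at the same second, so it belongs to the Yahoo Messenger connection rather than to a separate program. The alert in post #1 is the same kind of attribution: process id 4 is the System process on Windows XP and its image is ntoskrnl.exe, so Sygate files traffic it cannot tie to a user-mode process under the kernel image. The script below is an added example (not part of the thread and not Sygate's code) that parses Packet Viewer lines and, for every entry attributed to ntoskrnl.exe or a .sys driver, lists the user-mode images seen on the same connection tuple. It assumes the export is tab-separated (the forum rendering replaced each tab with `***`); the sample rows are constructed from the three lines in this post, plus one invented row, with port 0 as a placeholder, standing in for the blocked ntoskrnl.exe attempt to the address Patrice resolved, which the thread never shows as a Packet Viewer line.

```python
"""Correlate Sygate Packet Viewer entries attributed to kernel images
(ntoskrnl.exe, *.sys drivers) with the user-mode process that owns the
same connection. Added example; the rows below are constructed."""
import re
from collections import defaultdict

# Field order as shown in the post. Assumption: the export is tab-separated
# (the forum rendering replaced each tab with '***').
FIELDS = ("time", "remote", "remote_port", "local_ip", "local_port",
          "direction", "action", "image")

# Constructed sample: the three rows from post #4, plus one invented row
# (port 0 as placeholder) standing in for the blocked ntoskrnl.exe attempt
# to 216.136.226.209, which the thread does not show as a Packet Viewer line.
SAMPLE_ROWS = [
    ("05/18/2003 09:53:36", "scs.msg.yahoo.com [216.136.233.137]", "80",
     "192.168.1.100", "2807", "Outgoing", "Allowed",
     r"C:\Program Files\Yahoo!\Messenger\YPager.exe"),
    ("05/18/2003 09:53:36", "scs.msg.yahoo.com [216.136.233.137]", "80",
     "192.168.1.100", "2807", "Incoming", "Allowed",
     r"C:\Program Files\Yahoo!\Messenger\YPager.exe"),
    ("05/18/2003 09:53:36", "scs.msg.yahoo.com [216.136.233.137]", "80",
     "192.168.1.100", "2807", "Incoming", "Allowed",
     r"C:\WINDOWS\System32\DRIVERS\ndisuio.sys"),
    ("05/18/2003 09:55:02", "cs30.msg.sc5.yahoo.com [216.136.226.209]", "0",
     "192.168.1.100", "0", "Outgoing", "Blocked",
     r"C:\WINDOWS\System32\ntoskrnl.exe"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

# "name [ip]" as Sygate prints it, or a bare IP when no reverse lookup exists.
REMOTE_RE = re.compile(
    r"^(?:(?P<name>\S+)\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?$")
# Images that are not user-mode programs: the kernel itself or a driver.
KERNEL_IMAGE_RE = re.compile(r"(?:\\ntoskrnl\.exe|\.sys)$", re.IGNORECASE)


def parse_line(line):
    """Split one Packet Viewer line into a dict; None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    m = REMOTE_RE.match(entry["remote"])
    if not m:
        return None
    entry["remote_ip"] = m.group("ip")
    entry["remote_name"] = m.group("name") or ""
    entry["kernel_attributed"] = bool(KERNEL_IMAGE_RE.search(entry["image"]))
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def correlate(entries):
    """For each kernel-attributed entry, list user-mode images seen on the
    same (remote ip, remote port, local port) connection. An empty list
    means nothing else in the log explains that traffic."""
    owners = defaultdict(set)
    for e in entries:
        if not e["kernel_attributed"]:
            key = (e["remote_ip"], e["remote_port"], e["local_port"])
            owners[key].add(e["image"])
    findings = []
    for e in entries:
        if e["kernel_attributed"]:
            key = (e["remote_ip"], e["remote_port"], e["local_port"])
            findings.append({
                "time": e["time"],
                "image": e["image"],
                "remote": "%s:%s" % (e["remote_ip"], e["remote_port"]),
                "action": e["action"],
                "explained_by": sorted(owners.get(key, ())),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        verdict = ("owned by " + ", ".join(f["explained_by"])
                   if f["explained_by"] else "UNEXPLAINED")
        print("%s %s -> %s [%s]: %s" % (f["time"], f["image"],
                                        f["remote"], f["action"], verdict))
```

Run against the sample, the ndisuio.sys row is reported as owned by YPager.exe, while the constructed ntoskrnl.exe row has no user-mode entry on its tuple and is left as unexplained, which is the case that deserves a closer look (an unrelated process using the same remote host, or kernel-generated traffic such as ICMP that no program owns).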

#5
May 18th, 2003, 12:52 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: Ntoskrnl.exe

Now, after resetting the driver to ask, I get the Sygate popup telling me that same IP wants to use the driver.
05/18/2003 09:53:36  scs.msg.yahoo.com [216.136.233.137]  80  192.168.1.100  C:\WINDOWS\System32\DRIVERS\ndisuio.sys
I had Yahoo pager set to not autoupdate before also.
Something fishy is going on here today.
#6
May 18th, 2003, 01:01 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: Ntoskrnl.exe

These are the only entries I can find in my Walwatcher Log

[Attached image]
#7
May 18th, 2003, 01:10 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: Ntoskrnl.exe

Not sure how this came about, but I now see Sygate is set to ALLOW
YPager.exe and yupdater.exe.
I will change them back to ask and see what happens. I see the Sygate
popup for the driver has stopped now also, after resetting that to ask.
#8
May 18th, 2003, 01:14 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: Ntoskrnl.exe

Now I get this popup but the whole thing that bothers me is the
warning I got this morning with trying to use the NT Kernel.
I don't think that is a normal part of Yahoo's updating system anyway, is it?

File Version:      5, 5, 0, 1244
File Description:  Yahoo! Messenger
File Path:         C:\Program Files\Yahoo!\Messenger\YPager.exe
Process ID:        BC0 (Hexadecimal) 3008 (Decimal)

Connection origin: local initiated
Protocol:          TCP
Local Address:     192.168.1.100
Local Port:        3466
Remote Name:       shttp.msg.yahoo.com
Remote Address:    216.136.173.183
Remote Port:       80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 62)
    Destination: 00-20-78-db-f7-49
    Source:      00-02-3f-35-f0-b3
Type: IP (0x0800)
Internet Protocol
    Version: 4
    Header Length: 20 bytes
    Flags:
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: 0x6 (TCP - Transmission Control Protocol)
    Header checksum: 0xdb41 (Correct)
    Source: 192.168.1.100
    Destination: 216.136.173.183
Transmission Control Protocol (TCP)
    Source port: 3466
    Destination port: 80
    Sequence number: 2039725813
    Acknowledgment number: 0
    Header length: 28
    Flags:
        0... .... = Congestion Window Reduce (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Checksum: 0x9fdd (Correct)
    Data (0 Bytes)

Binary dump of the packet:
0000: 00 20 78 DB F7 49 00 02 : 3F 35 F0 B3 08 00 45 00 | . x..I..?5....E.
0010: 00 30 70 A0 40 00 80 06 : 41 DB C0 A8 01 64 D8 88 | .0p.@...A....d..
0020: AD B7 0D 8A 00 50 79 93 : BE F5 00 00 00 00 70 02 | .....Py.......p.
0030: 16 D0 DD 9F 00 00 02 04 : 05 B4 01 01 04 02 | ..............
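The binary dump in this post is enough to check Sygate's own summary independently. The decoder below is an added example (not Sygate's code and not from the thread) that parses the 62 bytes as Ethernet II, IPv4 and TCP, recomputes the IPv4 header checksum and the TCP checksum over the pseudo-header (RFC 1071 one's-complement sum), and walks the TCP options. Every field it reads comes from the dump itself; the only value it produces that the post does not show is the checksum byte order: on the wire the bytes are 41 DB and DD 9F, i.e. 0x41db and 0xdd9f in network order, while the summary prints 0xdb41 and 0x9fdd, which are the same two bytes read the other way round. Both checksums verify, so the "(Correct)" verdict holds; the worked decode just shows what that verdict rests on.

```python
"""Decode the 62-byte frame Sygate dumped in post #8 and recompute the
IPv4 and TCP checksums. Added example; not Sygate's code."""
import struct

# Bytes copied from the post's binary dump (offset and ASCII columns dropped).
PACKET = bytes.fromhex(
    "00 20 78 DB F7 49 00 02 3F 35 F0 B3 08 00 45 00"
    " 00 30 70 A0 40 00 80 06 41 DB C0 A8 01 64 D8 88"
    " AD B7 0D 8A 00 50 79 93 BE F5 00 00 00 00 70 02"
    " 16 D0 DD 9F 00 00 02 04 05 B4 01 01 04 02"
)

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def rfc1071_checksum(data):
    """One's-complement sum of 16-bit big-endian words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def swap16(value):
    """The same two checksum bytes read in the opposite order (what the
    summary lines in the post print)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def mac(b):
    return ":".join("%02x" % x for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def parse_tcp_options(raw):
    """Kind/length/value walk; NOP (1) has no length byte, EOL (0) ends it."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        if kind == 2:
            opts["MSS"] = struct.unpack("!H", value)[0]
        elif kind == 4:
            opts["SACK_PERMITTED"] = True
        else:
            opts["kind_%d" % kind] = value.hex()
        i += length
    return opts


def decode(frame):
    """Ethernet II -> IPv4 -> TCP; raises on anything else."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, frag = struct.unpack("!HHH", ip[2:8])
    ttl, proto, ip_csum = struct.unpack("!BBH", ip[8:12])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     tcp_csum, urgent) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0xFF
    # Pseudo-header: src IP, dst IP, zero, protocol, TCP segment length.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "src_mac": mac(src_mac), "dst_mac": mac(dst_mac),
        "src_ip": ipv4(ip[12:16]), "dst_ip": ipv4(ip[16:20]),
        "ttl": ttl, "dont_fragment": bool(frag & 0x4000),
        "ip_checksum": ip_csum,
        # Checksums are computed with their own field zeroed.
        "ip_checksum_ok": rfc1071_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == ip_csum,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window,
        "tcp_checksum": tcp_csum,
        "tcp_checksum_ok": rfc1071_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:]) == tcp_csum,
        "options": parse_tcp_options(tcp[20:data_off]),
        "payload_len": len(tcp) - data_off,
    }


if __name__ == "__main__":
    d = decode(PACKET)
    print("%s:%d -> %s:%d flags=%s seq=%d" % (
        d["src_ip"], d["sport"], d["dst_ip"], d["dport"], d["flags"], d["seq"]))
    print("IP checksum 0x%04x ok=%s (shown as 0x%04x)" % (
        d["ip_checksum"], d["ip_checksum_ok"], swap16(d["ip_checksum"])))
    print("TCP checksum 0x%04x ok=%s (shown as 0x%04x)" % (
        d["tcp_checksum"], d["tcp_checksum_ok"], swap16(d["tcp_checksum"])))
    print("options", d["options"], "payload", d["payload_len"])
```

The frame is a plain SYN from 192.168.1.100:3466 to 216.136.173.183:80 with MSS 1460 and SACK permitted, which is exactly what the summary says; the point of recomputing is that a firewall's "Correct" label, or its byte-swapped rendering, is something you can check from the raw bytes rather than take on trust.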
#9
May 18th, 2003, 01:43 PM
controler (Massive Poster; Join Date: Jun 2002; Posts: 3,268)
Re: Ntoskrnl.exe

Google search of yahoo ntoskrnl

http://www.winehq.com/hypermail/wine-devel/2002/09/0365.html

http://www.softnews.ro/public/cat/13/9/13-9-1.shtml

http://www.derkeiler.com/Newsgroups/microsoft.public.security/2002-10/6055.html

ALTERNATIVE SMILEYS FOR YAHOO! MESSENGER I downloaded last week

http://www.cyberproservices.com/yahoo/alternativesm.htm
#10
May 18th, 2003, 01:44 PM
Patrice (Frequent Poster; Join Date: Apr 2003; Location: Antarctica; Posts: 571)
Re: Ntoskrnl.exe

Hi controler,

Now I begin to understand. Actually I do believe that the Yahoo Messenger is responsible for this whole process. If you have done an update of it, it's quite possible that the ntoskrnl.exe has changed. So, then it's nothing to worry about.

But actually I wouldn't leave the Messenger on all night long. What a nice platform to attack your system!

Best regards,

Patrice
__________________
I know nothing except the fact of my ignorance. (Socrates 470-399 bc)
 

All times are GMT -4.

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums