CLOSING NETBIOS

Discussion in 'malware problems & news' started by wordsmith, Aug 23, 2006.

Thread Status:
Not open for further replies.
  1. wordsmith

    wordsmith Registered Member

    Joined:
    Aug 23, 2006
    Posts:
    1
    hello all...

    i'm new here and have a few questions...

    first, my adventure began on monday, when my norton firewall (which is from 2004 - i haven't updated it because i use the trendmicro housecall online virus scan) gave me an alert that a trojan had been blocked. it was called DMSetup Trojan horse and it was from ip address 59.28.211.101:1103.

    i did some research and found out about the netstat.txt file, so i ran it and found the following:

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:445 *:*
    UDP 0.0.0.0:500 *:*
    UDP 0.0.0.0:4500 *:*
    UDP 69.244.253.97:123 *:*
    UDP 69.244.253.97:137 *:*
    UDP 69.244.253.97:138 *:*
    UDP 69.244.253.97:1900 *:*
    UDP 127.0.0.1:123 *:*
    UDP 127.0.0.1:1900 *:*
    ____________________________________________________________

    last night i ran an updated trendmicro housecall scan & it came up with nothing....then i downloaded & ran "The Cleaner" - which is supposed to be specifically for trojans. the only thing it came up with were two test files from an old version of mcafee on my computer.

    i ran netstat.txt again this morning & this is what it said:

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
    TCP 69.244.253.97:1037 207.138.126.169:80 ESTABLISHED
    TCP 69.244.253.97:1038 207.138.126.169:80 ESTABLISHED
    TCP 69.244.253.97:1039 207.138.126.169:80 ESTABLISHED
    TCP 69.244.253.97:1040 207.138.126.169:80 ESTABLISHED
    TCP 69.244.253.97:1043 207.138.126.144:80 ESTABLISHED
    TCP 69.244.253.97:1044 207.138.126.144:80 ESTABLISHED
    TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1025 127.0.0.1:1033 ESTABLISHED
    TCP 127.0.0.1:1025 127.0.0.1:1034 ESTABLISHED
    TCP 127.0.0.1:1025 127.0.0.1:1035 ESTABLISHED
    TCP 127.0.0.1:1025 127.0.0.1:1036 ESTABLISHED
    TCP 127.0.0.1:1025 127.0.0.1:1041 ESTABLISHED
    TCP 192.168.100.11:139 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1025 127.0.0.1:1042 ESTABLISHED
    TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1033 127.0.0.1:1025 ESTABLISHED
    TCP 127.0.0.1:1034 127.0.0.1:1025 ESTABLISHED
    TCP 127.0.0.1:1035 127.0.0.1:1025 ESTABLISHED
    TCP 127.0.0.1:1036 127.0.0.1:1025 ESTABLISHED
    TCP 127.0.0.1:1041 127.0.0.1:1025 ESTABLISHED
    TCP 127.0.0.1:1042 127.0.0.1:1025 ESTABLISHED
    UDP 0.0.0.0:445 *:*
    UDP 0.0.0.0:500 *:*
    UDP 0.0.0.0:1030 *:*
    UDP 0.0.0.0:4500 *:*
    UDP 69.244.253.97:123 *:*
    UDP 69.244.253.97:137 *:*
    UDP 69.244.253.97:138 *:*
    UDP 69.244.253.97:1900 *:*
    UDP 127.0.0.1:123 *:*
    UDP 127.0.0.1:1029 *:*
    UDP 127.0.0.1:1900 *:*


    WHY DOES IT SAY "ESTABLISHED" NOW? i tried to block the ip addresses 69.244.253.97 and 127.0.0.1, but i had to reinstate 69.244.253.97 so that my internet would work.
    i've been doing some more research this morning & i read that it's best to shut down ports 135-139 and port 445 (the netbios?)....

    what i need to know is...

    1. does everyone agree that it's wise to shut down my netbios (port 445) and ports 135-139?
    2. what would be the consequences, if any?
    3. what are the "foreign" ip addresses in my netstat report?
    4. has anyone dealt with the DMSetup Trojan horse before?

    i'll follow the instructions in the "general cleaning" file since there are a couple of things i haven't done....Thank you for any help you can give!!!
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    i can't speak for everybody, but i always shut down netbios.

    i disable the service, disable it for my network adapter and use Windows Worms Doors Cleaner (WWDC) to make sure it's shut down.
    i believe it negatively affects File and Print sharing.
     
  3. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    1) It is wise to shut down NetBIOS ports because they allow file sharing between Windows computers. This means that unauthorized computers on the internet could possibly use these ports to explore your computer, do damage, infect you, etc.

    2) The consequences of disabling NetBIOS are that you won't be able to do local file sharing via NetBIOS and browse network places, but this can be replaced by ssh, vnc, etc.

    3) The foreign ip address is actually your own. 127.0.0.1 is what is commonly referred to as localhost, and is what is called a "loopback" connection which is used by applications on your computer to communicate with themselves.

    4) I have never personally dealt with that trojan before, but Norman has provided a detailed procedure on how to manually remove it.

    Cheers,

    Alphalutra1
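As an added illustration (not code from the thread or any poster), here is a small Python parser for the `netstat -an` listing wordsmith posted. It sorts the rows the way Alphalutra1's answers do: which of the ports the thread asks about (135, 137-139, 445) are listening on an address other than loopback, which ESTABLISHED rows are just 127.0.0.1 talking to itself, and which are genuine outbound connections (the port 80 rows). The port labels and the trimmed sample are my own additions.

```python
import ipaddress
import re

# Ports the thread asks about: RPC endpoint mapper, NetBIOS name/datagram/session and SMB.
WATCH_PORTS = {135: "RPC/DCOM", 137: "NetBIOS-NS", 138: "NetBIOS-DGM", 139: "NetBIOS-SSN", 445: "SMB"}
# One 'netstat -an' row: proto, local addr:port, foreign addr:port, optional TCP state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+([A-Z_]+))?\s*$")

def parse_netstat(text):
    """Parse netstat -an output into dicts; header lines do not match and are skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, la, lp, fa, fp, state = m.groups()
        rows.append({"proto": proto, "laddr": la, "lport": int(lp),
                     "faddr": fa, "fport": fp, "state": state or ""})
    return rows

def scope(addr):
    """Who can reach a socket bound here: loopback only, any interface (0.0.0.0), or one NIC."""
    ip = ipaddress.ip_address(addr)
    return "loopback" if ip.is_loopback else "any" if ip.is_unspecified else "interface"

def summarize(text):
    """Exposed NetBIOS/SMB listeners, 127.0.0.1 <-> 127.0.0.1 pairs, and real outbound connections."""
    exposed, loopback_pairs, outbound = [], 0, set()
    for r in parse_netstat(text):
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and r["lport"] in WATCH_PORTS and scope(r["laddr"]) != "loopback":
            exposed.append((r["proto"], r["lport"], WATCH_PORTS[r["lport"]], scope(r["laddr"])))
        elif r["state"] == "ESTABLISHED":
            if scope(r["laddr"]) == "loopback" and scope(r["faddr"]) == "loopback":
                loopback_pairs += 1  # the machine talking to itself, not a "foreign" host
            else:
                outbound.add(f"{r['faddr']}:{r['fport']}")
    return {"exposed": exposed, "loopback_pairs": loopback_pairs, "outbound": sorted(outbound)}

# Rows copied from the second netstat listing in the opening post (trimmed to a few of each kind).
SAMPLE = """Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 69.244.253.97:139 0.0.0.0:0 LISTENING
TCP 69.244.253.97:1037 207.138.126.169:80 ESTABLISHED
TCP 69.244.253.97:1043 207.138.126.144:80 ESTABLISHED
TCP 127.0.0.1:1025 127.0.0.1:1033 ESTABLISHED
TCP 127.0.0.1:1033 127.0.0.1:1025 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 69.244.253.97:137 *:*
UDP 127.0.0.1:123 *:*
"""
```

Calling `summarize(SAMPLE)` reports five exposed NetBIOS/SMB sockets, two loopback pairs, and only the two port 80 web servers as outbound peers.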
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,703
    Hello,
    I keep netbios open. It's useful for home networking. There's no danger as long as you have a firewall.
    Mrk
     
  5. ConstantLearning

    ConstantLearning Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    157
    Hi wordsmith,

    I've sent a PM on a detail I noticed that may put you at increased risk which is why I've told you via Private Message rather than posting it.

    I am no expert, far from it, but I do know a little about this one particular detail.

    Best of luck with whatever choices you make, wish I had something to add re your questions.

    ~ CL
     
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I once used WWDC to shut my netbios ports on port 445. But that cut off my internet connection permanently and I had to do a system restore back. I consulted my ISP's technician and he said port 445 is needed for my internet service to function. :ouch:

    Too much security hurts sometimes.:ouch:
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    There are always some vulnerabilities being exploited thanks to NetBIOS.
    Once it is disabled, you do not need about half of Windows updates.

    I always disable it, but I have to enable it to be able to start the DHCP service.
    If it is disabled, DHCP will not start. I am lucky, my IP does not change too often.

    Disable NetBIOS, restart PC and if everything works, then most likely you do not need it.
     
  8. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I closed NetBIOS: Control Panel/Network connections/Properties/TCP/IP/Properties/Advanced/WINS/Disable NetBIOS over TCP/IP. I used WWDC for disabling DCOM (135); LOCATOR (port 445); UPNP (port 5000); Msg (Messenger).
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    If all your computer (applications, programs) can function without it and you're not sharing then I suppose why not.
    A firewall as said before will protect though; disabling depends on what you're doing with the machine.
    Sounds like your firewall is working.
     
  10. herbalist

    herbalist Guest

    That holds true only if your firewall never fails. Specific attacks and exploits are known for many software firewalls. Viruses have been released that directly attack firewalls. Some fail from their vendors' own poorly written updates. One missed firewall-attacking virus is all it would take to leave you wide open to attack. Closing ports by configuration is always preferable to closing them with a firewall.
    Rick
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,703
    Hello,
    Why should the firewall fail? I have never seen a firewall, of any kind, ever fail, since 1999 or so. Although it may be nice to have all ports closed by default, I prefer functionality over that - this goes for gaming, p2p, printer sharing.
    Mrk
     
  12. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    If it crashes, the user accidentally turns it off to get rid of all of those "annoying popups", the firewall doesn't load when Windows starts for some reason (aka the driver wasn't installed correctly), some kind of malware goes and shuts the firewall down, etc.

    Cheers,

    Alphalutra1
     