Help with undetectable Worm?!

Discussion in 'malware problems & news' started by sgtstadanko, Jun 21, 2006.

Thread Status:
Not open for further replies.
  1. sgtstadanko

    sgtstadanko Registered Member

    Joined:
    Jun 21, 2006
    Posts:
    1
    Hey All,

    I am having what looks to be some kind of RPC worm problem that I
    cannot find the answer to.

    Yesterday I noticed a ton of firewall connections coming from 7
    different subnets inside my private network out to the Internet, all
    going to port 135 at the following address: 68.178.232.99. I did a
    whois lookup and this is a parked domain with godaddy.com. I called
    them and they block traffic to 135 at their firewall so they were not
    concerned. I was though...no telling what this thing is doing. I
    remote desktopped into one of the machines and ran netstat -ano
    |findstr ":135" and looked up the PID in the task manager and it was
    one of the svchost.exe processes making the connection. To dig
    further, I installed Sysinternals Process Explorer and was able to see
    that the machine is making multiple connections from different local ports
    (all to 68.178.232.99:135). At this point I was thinking it was some
    kind of Blaster variant/Trojan/Spyware. However no known tool can find
    anything. I have tried the following:

    Symantec, Norton AV, AVG, Windows OneCare, Windows Defender, HijackThis,
    TrendMicro online scanning, Symantec Blaster Removal, Windows
    Malicious Software Removal Tool.

    None of these detected a thing. The system in question is running XP
    SP2 with all the latest updates and has Auto Update turned on. The
    process is starting up right after a user logs in and runs until
    logout. I installed Wireshark (open source sniffer) and ran some
    packet captures. Here are some of the things it is doing:

    Issuing 1 byte TCP keep-alive requests from port 1911 to port 135 on
    68.178.232.99.
    Issuing 20 and 4 byte TCP Syn/Acks to 68.178.232.99 and receiving
    replies back.
    Makes HTTP GET requests to 68.178.232.99 for wpad.dat (which isn't there;
    the site redirects to a parked domain page at godaddy.com). I can see the
    ASCII of the HTML layout of the page in the dump.

    I called MS and spoke to someone at their "PC Safety Virus and Spyware"
    center. Let's just say, he wasn't very helpful. After an hour of him
    putting me on hold and having to explain what was going on like 10
    times, he told me to call my SysAdmin (I am the sysadmin!) and then to
    call the main MS Customer Service number. That was a loooot of fun.

    I could just block this all at my firewall (I have a 37 site frame
    network that all routes through one central office), but I want to know
    what this is and what it is doing. I have exhausted all of my other
    geek resources locally and googled til my fingers bled.

    Any ideas?

    Thanks,
    B.

    PS...sorry for the long post ;)
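svchost.exe is a generic host for Windows services, so the PID that netstat -ano gives you only identifies which svchost instance owns the socket, not which of the services it hosts is talking. `tasklist /svc` lists the services each PID hosts, and joining the two outputs is the natural next step after the netstat/Process Explorer checks described in the post. The script below is an added example, not the poster's own commands or output: it parses constructed copies of `netstat -ano` and `tasklist /svc` for a hypothetical host and reports every connection to a chosen remote port together with the owning image and its hosted services. The local addresses, PIDs and service lists in the samples are made up; only the remote address comes from the post.

```python
import re

# Constructed sample of `netstat -ano` output for a hypothetical XP host.
# Not a capture from the original poster's machine.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    10.20.5.17:1911        68.178.232.99:135      ESTABLISHED     1072
  TCP    10.20.5.17:1925        68.178.232.99:135      SYN_SENT        1072
  TCP    10.20.5.17:3389        10.20.1.4:51234        ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output for the same hypothetical host.
# Long service lists wrap onto indented continuation lines, as tasklist does.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    948 RpcSs
svchost.exe                   1072 AudioSrv, BITS, CryptSvc, Dhcp, EventSystem,
                                   helpsvc, lanmanserver, Schedule, SENS,
                                   ShellHWDetection, winmgmt, wuauserv
svchost.exe                   1168 Dnscache
"""


def _split_addr(addr):
    """Split 'host:port' (IPv4, or '[v6]:port') into (host, int port or None)."""
    host, sep, port = addr.rpartition(":")
    if not sep:
        return addr, None
    try:
        return host, int(port)
    except ValueError:          # '*:*' on UDP lines
        return host, None


def parse_netstat(text):
    """Rows of `netstat -ano`: proto, local, foreign, fhost, fport, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                   # headers, blank lines
        state = parts[3] if len(parts) == 5 else ""    # UDP rows have no state
        fhost, fport = _split_addr(parts[2])
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "fhost": fhost, "fport": fport, "state": state,
                     "pid": int(parts[-1])})
    return rows


def _split_services(field):
    return [s for s in (p.strip() for p in field.split(",")) if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Map PID -> {'image': exe name, 'services': [hosted service names]}."""
    procs, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():                 # wrapped continuation of services
            if current is not None:
                current["services"].extend(_split_services(line))
            continue
        m = re.match(r"^(.+?)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue
        current = {"image": m.group(1), "services": _split_services(m.group(3))}
        procs[int(m.group(2))] = current
    return procs


def connections_to_port(netstat_text, remote_port, states=None):
    """Connections whose *remote* port matches (a local listener on 135 is not one)."""
    return [r for r in parse_netstat(netstat_text)
            if r["fport"] == remote_port and (states is None or r["state"] in states)]


def triage(netstat_text, tasklist_text, remote_port):
    """Join each matching connection with the owning image and hosted services."""
    procs = parse_tasklist_svc(tasklist_text)
    report = []
    for conn in connections_to_port(netstat_text, remote_port):
        proc = procs.get(conn["pid"], {"image": "<unknown>", "services": []})
        report.append({**conn, "image": proc["image"], "services": proc["services"]})
    return report


if __name__ == "__main__":
    for row in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, remote_port=135):
        print(f"{row['proto']} {row['local']} -> {row['foreign']} {row['state']:<12}"
              f" pid={row['pid']} {row['image']} [{', '.join(row['services'])}]")
```

On the suspect host, `netstat -ano > net.txt` and `tasklist /svc > tl.txt` (both ship with XP Professional) produce the two inputs; pass the file contents to `triage()`. A long service list like the one in the sample is the normal result for the svchost instance that hosts the "netsvcs" group, so the join narrows the search to those services and the DLLs they load rather than naming a single culprit; Process Explorer's Services tab and DLL view per process take it from there.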
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Interesting post and I will just watch, as it's all fiction to me.
     
  3. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
  4. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Is there also a .pac file on the machine (eg. proxy.pac) ?
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Port 135 connections, this seems to be a Windows service or process. From my thinking it is some program using svchost.exe to make the connections to port 135.
    Remote Procedure Call I guess.

    TCP Port 135
    Common Use: Microsoft Remote Procedure Call (RPC) service.
    Inbound Scan: Currently inbound scans are likely the Nachi or MSBlast worms.
    Outbound Scan: Outbound scans, if occurring in volume, should be considered an indication of a possible worm infection on the source computer and should be investigated.
    Additional Information:

    The programs did not detect anything; did you ensure that all of your detection programs were up to date before scanning? Tried checking some of the Windows services that are popular with security exploits?
    .pac files, that's if there's a proxy program routing through a service.
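IMM's question about a .pac file matters because a proxy auto-config file decides where a machine's browsing traffic is sent. Windows fetches one in two ways: with "Automatically detect settings" enabled, WinINet/WinHTTP request http://wpad.<DNS suffix>/wpad.dat, and a configured AutoConfigURL (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) points at a PAC wherever it lives. The script below is an added example, not code from the thread: it parses a PAC file, lists every proxy endpoint the file can hand back, and flags IP literals that fall outside private address space or the caller's own networks. The PAC text, hosts and addresses in it are constructed for illustration; the poster's own wpad.dat request returned only a parked-domain page, not a PAC.

```python
import ipaddress
import re

# Constructed wpad.dat / proxy.pac for illustration only. Not the file from the
# thread: the poster's request for wpad.dat got a parked-domain HTML page back.
PAC_SAMPLE = """\
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || shExpMatch(host, "*.corp.example"))
        return "DIRECT";
    if (isInNet(host, "10.0.0.0", "255.0.0.0"))
        return "PROXY proxy1.corp.example:8080; DIRECT";
    return "PROXY 68.178.232.99:135; PROXY 10.20.1.4:3128; DIRECT";
}
"""

# A PAC return value is a ';'-separated list of directives: DIRECT,
# PROXY host:port, SOCKS host:port. Only the forms naming an endpoint matter
# here; requiring ':<digits>' keeps the word "proxy" in comments from matching.
DIRECTIVE_RE = re.compile(r"""\b(PROXY|SOCKS)\s+([^\s;"']+:\d+)""", re.IGNORECASE)


def pac_endpoints(pac_text):
    """Distinct host:port endpoints the PAC can return, in order of appearance."""
    found = []
    for _kind, endpoint in DIRECTIVE_RE.findall(pac_text):
        if endpoint not in found:
            found.append(endpoint)
    return found


def host_of(endpoint):
    """'host:port' -> host; '[v6]:port' -> the v6 literal without brackets."""
    host, sep, _port = endpoint.rpartition(":")
    if not sep:
        host = endpoint
    return host.strip("[]")


def outside_endpoints(pac_text, trusted_networks=()):
    """Return (outside, names): IP-literal endpoints that are neither private,
    loopback nor inside a trusted network, and hostname endpoints, which have
    to be resolved (e.g. nslookup on the host) before they can be judged."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    outside, names = [], []
    for ep in pac_endpoints(pac_text):
        try:
            ip = ipaddress.ip_address(host_of(ep))
        except ValueError:
            names.append(ep)
            continue
        if ip.is_private or ip.is_loopback or any(ip in net for net in trusted):
            continue
        outside.append(ep)
    return outside, names


if __name__ == "__main__":
    print("endpoints:", pac_endpoints(PAC_SAMPLE))
    flagged, unresolved = outside_endpoints(PAC_SAMPLE, trusted_networks=["10.0.0.0/8"])
    print("outside private/trusted space:", flagged)
    print("hostnames to resolve first:", unresolved)
```

To find the PAC a machine actually uses, read the file from disk if one is present (proxy.pac, wpad.dat) or check the configured URL with `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL`; if auto-detection is on, resolving the name wpad in each DNS search suffix shows where the wpad.dat request goes. Passing your own address ranges as `trusted_networks` keeps legitimate public proxies you operate from being flagged.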
     
  6. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Or check for a rootkit... Google "rootkit scan" or something like that.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    NOD32 didn't find anything either?
     