Intercept a trojan? dynamics

Discussion in 'other security issues & news' started by virtualsecurity, Jul 8, 2012.

Thread Status:
Not open for further replies.
  1. virtualsecurity

    virtualsecurity Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    7
    Location:
    italy
    I have a lot of strange calls on high ports. I intercepted consecutive calls on the dynamic and private ports 40000-65000; the packets are consecutive, starting with the DNS protocol, then changing to HTTPS, with 9/10 consecutive related packets per session.

    Analyzing the packets, the calls are made by Symantec, but I have set Symantec to work on the standard port and I have disabled automatic updates; they are too frequent to be Symantec. The packet is strange.

    I have other calls on those ports 40000-65000 and I have not installed any software that works on those service ports; in fact the HIDS tells me that it finds open ports, but nothing is installed and it does not recognize any process.

    I suspect it is a virus, probably the Sinowal trojan, because it hides itself well and the antivirus does not identify it; this process also often involves the NT AUTHORITY\SYSTEM Windows registry and \System32\scvhost.exe, probably mixed in with the Windows processes, pretending to be legitimate.

    So I tried to download a specific tool. Strangely, the tool fails to work: I get a message that the tool is obsolete and it always stops the scan. I upgraded the version, but the message is repeated; links appear in the tool asking me to update it, I restart, but more notices appear.

    Perhaps it is another symptom that it is just Sinowal or something like that, an MBR rootkit.

    Do you have any advice on how to intercept it? It starts first in memory and is able to hide from normal antivirus.
    Norton Power Eraser should be very good for this type of virus, but I get errors.

    An anti-rootkit tool that is very strong and that starts first in memory?

    thanks
     
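The first thing to check in the situation the poster describes is which process actually owns each endpoint in the 40000-65000 range, whether that process's image is where a Windows binary of that name should live, and whether the image is signed. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It assumes Windows with PowerShell 2.0 or later, an elevated prompt (so that the image path of SYSTEM-owned processes can be read), and takes the port range from the post; the list of "system" process names and the flag wording are this example's own choices.

```powershell
# Added example (not from the original thread): correlate every TCP/UDP endpoint in the
# 40000-65000 range with its owning process, then flag the patterns described in the post.
# Assumptions: Windows, PowerShell 2.0+, elevated prompt; port range taken from the post.
$LowPort  = 40000
$HighPort = 65000
# Names a masquerading binary commonly borrows; a real one lives only in System32/SysWOW64.
$SystemNames = @('svchost', 'lsass', 'csrss', 'winlogon', 'services', 'smss', 'wininit')
$LegitDirs   = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))

function Get-PortNumber([string]$Endpoint) {
    # "0.0.0.0:49152" / "[::]:49152" -> 49152 ; "*:*" (UDP row with no peer) -> $null
    if ($Endpoint -match ':(\d+)$') { return [int]$Matches[1] }
    return $null
}

function Get-OwnerInfo([int]$OwnerPid) {
    # Resolve PID -> process name, image path and Authenticode status.
    if ($OwnerPid -eq 0) { return @{ Name = '<none>'; Path = $null; Signer = 'n/a' } }
    $proc = Get-Process -Id $OwnerPid -ErrorAction SilentlyContinue
    if (-not $proc) { return @{ Name = '<none>'; Path = $null; Signer = 'n/a' } }
    $path = $null
    try { $path = $proc.MainModule.FileName } catch { }   # denied for protected processes
    $signer = 'unknown'
    if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        else                         { $signer = $sig.Status.ToString() }
    }
    return @{ Name = $proc.ProcessName; Path = $path; Signer = $signer }
}

# netstat -ano exists on every Windows version; Get-NetTCPConnection needs Windows 8 / 2012.
$rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }

$report = foreach ($row in $rows) {
    $f = $row.Trim() -split '\s+'
    $proto = $f[0]; $local = $f[1]; $remote = $f[2]
    if ($proto -eq 'TCP') { $state = $f[3]; $ownerPid = [int]$f[4] }   # TCP rows carry a state column
    else                  { $state = '';    $ownerPid = [int]$f[3] }   # UDP rows do not
    $lp = Get-PortNumber $local
    $rp = Get-PortNumber $remote
    $inRange = ($null -ne $lp -and $lp -ge $LowPort -and $lp -le $HighPort) -or
               ($null -ne $rp -and $rp -ge $LowPort -and $rp -le $HighPort)
    if (-not $inRange) { continue }

    $info  = Get-OwnerInfo $ownerPid
    $flags = @()
    # 1. an endpoint nobody owns (PID 0 is normal only for TIME_WAIT leftovers)
    if ($info.Name -eq '<none>' -and $state -ne 'TIME_WAIT') { $flags += 'no owning process' }
    # 2. a Windows system name running from outside System32/SysWOW64
    if ($SystemNames -contains $info.Name.ToLower() -and $info.Path) {
        $dir = Split-Path $info.Path -Parent
        if ($LegitDirs -notcontains $dir) { $flags += 'system name outside System32' }
    }
    # 3. an unsigned image talking to a real remote peer
    if ($info.Signer -eq 'NotSigned' -and $null -ne $rp -and
        $remote -notmatch '^(0\.0\.0\.0|\[::\]):') { $flags += 'unsigned image with remote peer' }

    New-Object PSObject -Property @{
        Proto = $proto; Local = $local; Remote = $remote; State = $state; PID = $ownerPid
        Process = $info.Name; Path = $info.Path; Signer = $info.Signer; Flags = ($flags -join '; ')
    }
}

$report | Sort-Object PID | Format-Table Proto, Local, Remote, State, PID, Process, Signer, Flags -AutoSize
# Full detail (including image path) only for the rows that raised a flag
$report | Where-Object { $_.Flags } | Format-List Proto, Local, Remote, PID, Process, Path, Flags
```

Two caveats that matter for the poster's case: a connection that really belongs to Symantec will resolve to a signed image under the Symantec install directory, which settles the "is it Symantec" question without guessing from port numbers; and a kernel-mode or MBR rootkit that hooks the process and socket enumeration the OS exposes will lie to this script just as it lies to the HIDS, so a row that shows an open endpoint with no process is useful evidence, but a clean report from inside the running system is not proof of absence. Comparing this listing with what the same host shows when booted from clean external media is the standard next check.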
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire