Outbound irc.dal.net UDP on windows XP

Discussion in 'malware problems & news' started by Sion, Oct 23, 2002.

  1. Sion

    On Windows XP, whenever I establish a net connection, Outpost firewall reports a blocked connection to irc.dal.net. Obviously this rings Trojan bells, so I ran Norton AV and The Cleaner; both returned nothing. I followed some common removal steps and can see nothing that indicates I have a Trojan, other than this continuing connection that is blocked.

    Block NetBIOS Traffic *NetBIOS irc.dal.net NETBIOS_DGM Outbound UDP

    This only appears when I dial. There are no services running that look odd; I have tried looking at the lists of what runs, and no service starts when I dial up either.
    I did a manual search and found a common Trojan that steals game passwords and apparently could cause this, but I am still getting the problem after removal (incidentally, no anti-virus picked this up). I did a registry sweep and found nothing in any of the common startups, although I did find that there was an exe bound to my htaccess startup... I disabled it and Outpost went nuts, so I guess it must have been something to do with that (C:\WINNT\System32\mshta.exe "%1" %*). Again, if that was a virus, nothing picked it up.
    I have checked everything I can think of and in the end posted on the Outpost forums thinking it might be a bug with Outpost, and they advised I post here.

    I am running Windows XP and all my virus definitions and Trojan lists on The Cleaner are up to date. Has anyone got any clue what is going on?
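    A small parser for the kind of Outpost log line quoted above, added here as an example and not code from this thread or from Outpost itself. The field layout it assumes (rule name, then remote host, service, direction and protocol as the last four whitespace-separated fields) is inferred from the single line shown; the sample log lines are constructed. It flags outbound NetBIOS datagrams addressed to anything that is not a bare workgroup/machine name or a local-network address, which is the anomaly the post describes: NetBIOS name and datagram traffic has no business leaving the LAN for an Internet host.

```python
"""Flag outbound NetBIOS traffic to non-local hosts in Outpost-style log lines.

Constructed example. Assumed line format (inferred from the thread):
    <rule name ...> <remote host> <service> <direction> <protocol>
The last four whitespace-separated fields are fixed; the rest is the rule name.
"""
import ipaddress
from dataclasses import dataclass

NETBIOS_SERVICES = {"NETBIOS_NS", "NETBIOS_DGM", "NETBIOS_SSN"}

# Addresses where NetBIOS chatter is expected: RFC 1918, loopback,
# link-local, multicast and the limited broadcast address.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
              "255.255.255.255/32")
]


@dataclass
class Entry:
    rule: str
    host: str
    service: str
    direction: str
    protocol: str


def parse_line(line: str) -> Entry:
    """Split one log line into its fields (raises ValueError if too short)."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"too few fields: {line!r}")
    rule = " ".join(parts[:-4])
    host, service, direction, protocol = parts[-4:]
    return Entry(rule, host, service, direction, protocol)


def is_local_host(host: str) -> bool:
    """True for a bare NetBIOS name (no dots) or an address in LOCAL_NETS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host          # bare workgroup or machine name
    return any(ip in net for net in LOCAL_NETS)


def suspicious(entry: Entry) -> bool:
    """Outbound NetBIOS traffic to a host that is not local-looking."""
    return (entry.service in NETBIOS_SERVICES
            and entry.direction.lower() == "outbound"
            and not is_local_host(entry.host))


def flag_lines(lines):
    """Return (line, reason) pairs that merit a closer look."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = parse_line(raw)
        except ValueError:
            continue                    # skip lines that do not fit the format
        if suspicious(entry):
            reason = f"{entry.service}/{entry.protocol} to external host {entry.host}"
            findings.append((raw, reason))
    return findings


# Constructed sample log: the first line is the one quoted in the thread,
# the others are made-up lines showing normal local NetBIOS traffic and
# one more external case.
SAMPLE_LOG = """
Block NetBIOS Traffic *NetBIOS irc.dal.net NETBIOS_DGM Outbound UDP
Allow NetBIOS Traffic *NetBIOS WORKGROUP NETBIOS_DGM Outbound UDP
Allow NetBIOS Traffic *NetBIOS 192.168.0.255 NETBIOS_NS Outbound UDP
Block NetBIOS Traffic *NetBIOS 203.0.113.7 NETBIOS_SSN Outbound TCP
Block NetBIOS Traffic *NetBIOS 198.51.100.9 NETBIOS_NS Inbound UDP
"""

if __name__ == "__main__":
    for line, why in flag_lines(SAMPLE_LOG.splitlines()):
        print(f"REVIEW: {why}\n    {line}")
```

    Inbound NetBIOS probes are deliberately left out of the findings, since those are routine background noise on a dial-up address; what the post is chasing is the host itself originating the traffic, which is why only the outbound direction is kept.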
  2. Sion

    Sorry, that was htafile, the odd binding, but it was removed and, as I say, all seems clean, but nothing has picked this up.
  3. Primrose

    Sep 21, 2002
    Do you have IRC installed...see this link.


    The name of the server you were trying to use when the problem occurred, and if the problem occurred on other servers. If you were using irc.dal.net, please tell us so, but also include the name of the server you were actually connected with (shown in the 'status' title bar or in the text near our contact information) since irc.dal.net is only a random placement alias.
  4. controler

    Were you running a mIRC chat program that was trying to connect automatically at startup?
    It has been said that most antivirus programs only pick up on the older trojans
    OR the new, most damaging ones.
    Did you delete the file using a good file wiper, or can you get the file back with a good file recovery program and submit it to the TDS group here?
    There are some screwy IRC BOT programmers out there.
    They compromise many machines to do their evil deeds.
  5. Pieter_Arntz

    Apr 27, 2002
    Please have a look at this site, but bear in mind it is rather old: http://www.nsclean.com/psc-exe2.html


  6. Sion

    This actually only happens the moment I dial up; there is no IRC programme open when this happens. It is as if the trigger for it is my dial-up connection. Also, netstat does not reveal anything either. I tried connecting without the firewall and again netstat does not show anything. I used The Cleaner's tools to view active processes and again nothing there. There are no indications of a virus or a Trojan apart from this logged connection on Outpost. Is there a virus that can be triggered by dial-up connections? I use ADSL, so have to dial in to connect; what registry entries would control that or enable some sort of script to run after the connection?

    I would just format, but with the firewall blocking it there's no problem, and it is rather interesting =)
  7. Sion

    Also! this was the virus I removed...

  8. Paul Wilders

    Jul 1, 2001
    The Netherlands

    I would recommend disabling The Cleaner from starting up totally, grab a (trial) copy of TDS3 from our downloads page, install TDS, grab the latest database update (radius) from the DCS website and install this update in the TDS directory (overwriting the old one).

    Perform a full system scan after doing so. Have a look at the TDS forum for the basic TDS configuration.

    Keep us posted!