Very Hard to Locate Infection

Discussion in 'malware problems & news' started by michael_sharp, Jul 7, 2009.

Thread Status:
Not open for further replies.
  1. michael_sharp

    michael_sharp Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    8
    Good Afternoon,

    I have an issue and after lots of diagnostics I have managed to ascertain the infection is getting services.exe to send out spam over port 25. The infection itself is almost impossible to locate as it doesn't appear to run longer than the initial boot time. ESET/Malwarebytes cannot locate anything amiss. But the machine sends out messages over port 25 for a few seconds, as these are being detected by a hardware firewall.

    Trying to locate the infection itself is proving to be difficult as there is no way to monitor services.exe during the boot-up process to find out what is calling it and sending the instructions to send the spam.

    I am looking for any advice on one of the following areas to try and get this infection found so we can get it removed from the machine.

    So far my ideas to get this worked out are:

    Monitor IRC ports/packets in some way to see if the machine is receiving any commands from an outside machine.

    Intercept anything leaving on port 25 to review exactly what it is sending out and, if really lucky, potentially the installer for the virus so it can be examined by professionals.

    Or find some way of finding this infection. Any ideas are welcome and any guides/advice on the above ideas is more than welcome. Resources are not a problem; for example, a machine running as a bridged packet sniffer is acceptable. I am fairly OK with Linux so that is another avenue that is open.


    Thanks in advance for any help
     
  2. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Did you try NirSoft's apps? I don't know if his CurrPorts will help in your
    situation, but he has other sniffers etc.; all his apps are good.

    http://www.nirsoft.net/

    Can you block port 25 access for anything other than your email app?
     
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    If you like, I'll give you a key for Online Armor ++ Beta, see if that can help you nail this beast.

    PM me if interested.


    Mike
     
  4. michael_sharp

    michael_sharp Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    8
    Hi,

    Thanks for all the advice guys. Really appreciated!

    The virus was eventually found by SUPERAntiSpyware. Nasty little so-and-so.

    Can't remember its name, but as it seems to be hard to locate and has a very low detection rate, I would advise that it would be a sensible idea to block port 25 access and enable logging to ensure computers aren't infected.
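The two suggestions that recur in this thread (the original poster's idea of intercepting whatever leaves on port 25 from a bridged sniffer, and the closing advice to block port 25 and enable logging) can be turned into a simple detector for the firewall log. The script below is an added example written for this page; it is not code from anyone in the thread. It assumes the firewall is a Linux bridge whose iptables LOG rule writes kernel lines with a `SMTP-OUT` prefix, that the only host allowed to speak SMTP to the internet is a relay at the assumed address 192.168.1.5, and the log lines themselves are constructed for the example. It flags any other host that opens several outbound TCP/25 connections in a short window, which is exactly the "few seconds after boot" pattern described in the first post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed: the site's legitimate mail relay. Workstations submitting mail to
# it on port 25 are fine; anything else opening port 25 is suspect.
ALLOWED_RELAYS = {"192.168.1.5"}

# Constructed iptables-style LOG lines (not taken from the thread): the relay
# sending mail, one workstation bursting SMTP connections just after boot,
# another workstation talking to the internal relay, and unrelated web traffic.
SAMPLE_LOG = """\
Jul  7 08:01:12 fw kernel: SMTP-OUT IN=br0 OUT=br0 SRC=192.168.1.5 DST=198.51.100.25 PROTO=TCP SPT=40001 DPT=25 SYN
Jul  7 08:03:40 fw kernel: SMTP-OUT IN=br0 OUT=br0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=25 SYN
Jul  7 08:03:40 fw kernel: SMTP-OUT IN=br0 OUT=br0 SRC=192.168.1.57 DST=203.0.113.11 PROTO=TCP SPT=49153 DPT=25 SYN
Jul  7 08:03:41 fw kernel: SMTP-OUT IN=br0 OUT=br0 SRC=192.168.1.57 DST=203.0.113.12 PROTO=TCP SPT=49154 DPT=25 SYN
Jul  7 08:03:41 fw kernel: SMTP-OUT IN=br0 OUT=br0 SRC=192.168.1.57 DST=203.0.113.13 PROTO=TCP SPT=49155 DPT=25 SYN
Jul  7 08:03:42 fw kernel: SMTP-OUT IN=br0 OUT=br0 SRC=192.168.1.57 DST=203.0.113.14 PROTO=TCP SPT=49156 DPT=25 SYN
Jul  7 08:05:02 fw kernel: SMTP-OUT IN=br0 OUT=br0 SRC=192.168.1.22 DST=192.168.1.5 PROTO=TCP SPT=50010 DPT=25 SYN
Jul  7 08:06:15 fw kernel: WEB-OUT IN=br0 OUT=br0 SRC=192.168.1.57 DST=203.0.113.50 PROTO=TCP SPT=49200 DPT=80 SYN
"""

# Fields of interest in an iptables LOG line (syslog timestamp, log prefix,
# source/destination addresses, protocol and ports).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of the parsed fields, or None if the line is not a LOG line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog pads the day with a space ("Jul  7"); collapse it before parsing
    ev["ts"] = datetime.strptime(re.sub(r"\s+", " ", ev["ts"]), "%b %d %H:%M:%S")
    ev["spt"] = int(ev["spt"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def find_spam_sources(log_text, allowed_relays=ALLOWED_RELAYS, min_conns=3, window_s=60):
    """Hosts (other than the relay) that open >= min_conns outbound TCP/25
    connections within any window_s-second window. Returns {src: summary}."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dpt"] != 25:
            continue
        # the relay sending mail, or a client submitting to the relay, is expected
        if ev["src"] in allowed_relays or ev["dst"] in allowed_relays:
            continue
        per_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        # sliding window: largest number of connections inside window_s seconds
        peak, j = 0, 0
        for i in range(len(evs)):
            while (evs[i]["ts"] - evs[j]["ts"]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_conns:
            findings[src] = {
                "connections": len(evs),
                "distinct_destinations": len({e["dst"] for e in evs}),
                "peak_in_window": peak,
                "first_seen": evs[0]["ts"].strftime("%b %d %H:%M:%S"),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_spam_sources(SAMPLE_LOG).items():
        print(f"{src}: {info['connections']} SMTP connections to "
              f"{info['distinct_destinations']} hosts, first seen {info['first_seen']}")
```

Run against the constructed lines it reports only 192.168.1.57, which is the host the thread's first post describes: a machine that is not the mail relay yet opens a burst of SMTP connections to several outside addresses within a couple of seconds. The relay's own traffic and the workstation submitting to the relay are excluded by the allow-list rather than by port alone, which is the distinction MICRO's suggestion to "block port 25 for anything other than your email app" relies on; in practice the LOG rule would sit next to a DROP rule so the spam never leaves while the log still identifies the host to clean.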
     