Security Incidents mailing list archives

RE: Probable Trojan.

From: "Mark E. Donaldson" <markee () bandwidthco com>
Date: Tue, 28 Oct 2003 21:33:14 -0800

This is a normal abnormality.  It is explained in the MSDN article linked
here: http://msdn.microsoft.com/msdnmag/issues/02/06/debug/default.aspx

Here is a quote from the article:

"the path names returned by GetModuleFilenameEx or the TOOLHELP32 module
functions are very strange; they don't follow the Win32 standard. For
example, smss is retrieved as "\SystemRoot\System32\smss.exe"; "\SystemRoot
must be replaced by the actual name of the Windows folder. For winlogon, you
get "\??\C:\WINNT\system32\winlogon.exe," which should be translated into
"C:\WINNT\system32\winlogon.exe." The \??\ prefix might be a leftover from
the Windows NT namespace root, essential in kernel mode, even though it is
rarely used at the Win32 programming level."

-----Original Message-----
From: Gene [mailto:flyersfanindc () yahoo com]
Sent: Monday, October 27, 2003 11:50 AM
To: incidents () securityfocus com
Subject: Probable Trojan.




Have a buddy complaining about his AOL account password being stolen every
time he logs onto AOL from his PC at work.  I talked him through doing an
fport on his box and he sent me the results:


Pid   Process            Port  Proto Path
8     System         ->  1097  TCP
8     System         ->  139   TCP
8     System         ->  445   TCP
1916  aolwbspd       ->  11523 TCP   C:\Program Files\America Online
9.0\aolwbsp
d.exe
676   OUTLOOK        ->  1125  TCP   C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
676   OUTLOOK        ->  1129  TCP   C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
856   MSTask         ->  1051  TCP   C:\WINNT\system32\MSTask.exe
988   svchost        ->  1132  TCP   C:\WINNT\system32\svchost.exe
988   svchost        ->  1134  TCP   C:\WINNT\system32\svchost.exe
988   svchost        ->  1139  TCP   C:\WINNT\system32\svchost.exe
452   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe

8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
1820  waol           ->  1849  UDP   C:\Program Files\America Online
9.0\waol.ex
e
1688  IEXPLORE       ->  1191  UDP   C:\Program Files\Internet
Explorer\IEXPLORE
.EXE
1856  IEXPLORE       ->  1784  UDP   C:\Program Files\Internet
Explorer\IEXPLORE
.EXE
676   OUTLOOK        ->  1126  UDP   C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
676   OUTLOOK        ->  1127  UDP   C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
676   OUTLOOK        ->  1182  UDP   C:\Program Files\Microsoft
Office\Office10\
OUTLOOK.EXE
800   rtvscan        ->  2967  UDP   C:\Program Files\NavNT\rtvscan.exe
268   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe


I'm really concerned with the last one:

228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe


I've found some things on the net that say it's legit, I've found others
that say it's indicative of a backdoor.  I ran fport on my box and did not
have any entries like that.  Does anyone have any information on this?  Are
there other entries that attract anyone else's attention?

Your help is appreciated.

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------

Current thread:

Probable Trojan. Gene (Oct 28)
- Re: Probable Trojan. Brian Eckman (Oct 28)
  - Re: Probable Trojan. Harlan Carvey (Oct 28)
- RE: Probable Trojan. Mark E. Donaldson (Oct 28)
- RE: Probable Trojan. Jim Butterworth (Oct 29)
- <Possible follow-ups>
- RE: Probable Trojan. Thompson, Jimi (Oct 28)
- Re: Probable Trojan. debrasuz (Oct 28)