Security Incidents mailing list archives
Re: strange windows behaviour.
From: Karl Levinson <levinson_k () despammed com>
Date: 9 Oct 2003 14:10:40 -0000
In-Reply-To: <20031007170330.GI1196 () sparky finchhaven net>

You've gotten some good advice already. FWIW, I would not first suspect adware in either of the cases below. Regarding the university report, the fact that winservn.exe does not show up in a Google.com search plus the fact that it is listening for inbound connections does not make me think adware. In both incidents, I would want to save and submit the responsible file to the anti-virus vendor for inspection.

Regarding the original poster's incident, knowing the ports and remote IP addresses involved would be helpful. If you haven't already, running one of the previously mentioned port inspecting tools such as Fport from Foundstone.com/knowledge that actually tells you what executable is generating the traffic should be done. Inspecting firewall and IDS logs for traffic from the affected machines or ports and/or running a sniffer such as Ethereal, Windump or Snort could be useful. [Windows Netstat utility doesn't give you that information unless you're running XP.] Plus pretty much all the standard procedures one would do for incident response and inspection of mystery executables, as detailed in the Osborne book "Incident Response," at www.cert.org/tech_tips, http://csrc.nist.gov, etc.
Date: Tue, 7 Oct 2003 10:03:30 -0700
From: John Sage <jsage () finchhaven com>
I've got a bit of a problem, and I was wondering if anyone on this list has seen similar things. Recently, we've been having student windows machines on our residential network begin spewing large, massive (on the order of hundreds of thousands in a few hours) spam messages at our mail servers. We promptly disconnect the machines and head down to do some forensic work on the boxes when we get a chance (usually after they call to complain that the internet has died).
From: Paul Russell <prussell () nd edu>
To: unisog () sans org
Subject: [unisog] Spam from student-owned computers
Date: Mon, 06 Oct 2003 15:51:12 -0500

Checking all of the programs that were automatically started at boot, it appeared as though the student had a lot of optional things running in the background, including winsrvn.exe. He believed that this particular program was installed as part of Purity Scanner, which, apparently, scans one's hard drive for inappropriate materials. It turns out that Purity is actually adware, and is often bundled with Grokster (P2P program). Further, it looked as though the student was using Grokster. From what I've been able to find with a web search, Grokster sometimes includes ancillary software that may contain back doors. I had the student email me a zip of the winsrvn.exe for later examination. The other mysterious process (system:4) seemed to disappear after I removed winservn.exe (perhaps the two were related?).

/* end post fragment */

HTH..
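Karl's suggestion to inspect firewall logs for traffic from the affected machines can be automated. The following is an added example, not code from anyone in this thread: it reads constructed firewall log lines in a made-up `key=value` format (the format, IP addresses and timestamps are all assumptions) and flags any source host whose outbound SMTP connection count inside a sliding 60-second window reaches a threshold, which is the pattern of a student machine spewing spam at the campus mail servers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the thread): 10.20.4.17 opens many
# outbound SMTP connections in seconds, 10.20.4.42 sends ordinary mail.
SAMPLE_LOG = """\
2003-10-06T15:40:01 src=10.20.4.17 dst=192.0.2.10 dport=25 proto=tcp action=accept
2003-10-06T15:40:03 src=10.20.4.42 dst=192.0.2.10 dport=25 proto=tcp action=accept
2003-10-06T15:40:04 src=10.20.4.17 dst=192.0.2.11 dport=25 proto=tcp action=accept
2003-10-06T15:40:05 src=10.20.4.17 dst=192.0.2.10 dport=25 proto=tcp action=accept
2003-10-06T15:40:06 src=10.20.4.42 dst=198.51.100.7 dport=80 proto=tcp action=accept
2003-10-06T15:40:08 src=10.20.4.17 dst=192.0.2.11 dport=25 proto=tcp action=accept
2003-10-06T15:40:09 src=10.20.4.17 dst=192.0.2.10 dport=25 proto=tcp action=accept
2003-10-06T15:40:12 src=10.20.4.17 dst=192.0.2.10 dport=25 proto=tcp action=accept
2003-10-06T15:40:15 src=10.20.4.17 dst=192.0.2.11 dport=25 proto=tcp action=accept
2003-10-06T15:40:20 src=10.20.4.17 dst=192.0.2.10 dport=25 proto=tcp action=accept
2003-10-06T15:45:30 src=10.20.4.42 dst=192.0.2.10 dport=25 proto=tcp action=accept
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

def parse_smtp_events(lines):
    """Yield (timestamp, source IP) for accepted TCP connections to port 25."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than aborting the run
        if m["proto"] == "tcp" and m["dport"] == "25" and m["action"] == "accept":
            yield datetime.fromisoformat(m["ts"]), m["src"]

def flag_smtp_spewers(lines, window_seconds=60, threshold=5):
    """Return {src: peak count} for sources whose outbound SMTP connections
    within any sliding window of window_seconds reach the threshold."""
    events = sorted(parse_smtp_events(lines))  # log may not be time-ordered
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    peak = defaultdict(int)
    window = timedelta(seconds=window_seconds)
    for ts, src in events:
        dq = recent[src]
        dq.append(ts)
        while ts - dq[0] > window:
            dq.popleft()  # drop connections older than the window
        peak[src] = max(peak[src], len(dq))
    return {src: n for src, n in peak.items() if n >= threshold}
```

Run `flag_smtp_spewers(SAMPLE_LOG.splitlines())` to get the flagged hosts; the threshold and window should be tuned to the site's normal per-host mail volume before this is used on real logs, and a flagged host still needs Fport or an equivalent on the box to tie the traffic to an executable.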