Re: Lots of traffic on port 1472 from explorer

[GuidoZ <uberguidoz () gmail com>]

Hello Giuseppe, at first glance it sounds like a keylogger, though it
could be anything. Are you able to locate that file on your system? If
so, try getting the properties of it and see what information is
available under the Version tab. Also, you can try opening it up in
Notepad to see what you can make of the API calls and such inside.

You should also try to locate where it's being started from. Check
through the Registry run keys and such - try to see what's linking it
and maybe Google that for some answers.

We know that file names can be deceiving, however some quick Google
hunting showed it might be this keylogger: http://www.keylogpro.com/
(Runs as klp32.exe by default. Name is easily changed.) See what other
information you can gather.

Might want to try killing the EXE and see if anything fails to work.
If you find it in a run key/startup location, disable or delete it
(make a backup to be safe) and see if something doesn't work.


On Tue, 21 Sep 2004 21:13:57 +0200, Giuseppe Milicia <milicia () brics dk> wrote:
> Hi guys,
>
> from a home computer I'm seeing lots of traffic generated from
> explorer on port 1472 towards the microsoft-ds port, typically
> on IP addresses starting with 35.xx.xx.xx
>
> It looks like a worm but I could not find any references around
> and Trend Micro detects nothing.
>
> Also there is some hidden process oakklp32.exe which is not shown
> by the taskmanager but is costantly active, again I could not
> find anything about it!
>
> Ideas? Clues?
>
> Thanks,
>
> --
> Giuseppe
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



-- 
Peace. ~G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html