Security Incidents mailing list archives

Re: strange windows behaviour.


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 10 Oct 2003 06:10:05 -0700 (PDT)

> You've gotten some good advice already.  FWIW, I
> would not first suspect adware in either of the
> cases below.

I would agree.  Too many times, that seems to be a
stock answer, particularly from someone who deals with
it all the time.  I see it a lot, but I prefer to try
and narrow down the usual suspects before resorting to
running the adware/spyware removal tools.

> Regarding the university report, the fact that
> winservn.exe does not show up in a Google.com search
> plus the fact that it is listening for inbound
> connections does not make me think adware.

I wouldn't be too concerned about Google, though that
is a valid point.  The fact that it's listening for
connections should take priority, in my thinking.
 
> In both incidents, I would want to save and submit
> the responsible file to the anti-virus vendor for
> inspection.

Good call, though some of the work can be done by the
person who actually has a copy of that file.  Tools
like strings.exe and Dependency Walker can give a
really good view of what the file may be doing.  Also,
using a tool to get the file version information may
be enlightening.
 
> Regarding the original poster's incident, knowing
> the ports and remote IP addresses involved would be
> helpful.  If you haven't already, running one of the
> previously mentioned port inspecting tools such as
> Fport from Foundstone.com/knowledge that actually
> tells you what executable is generating the traffic
> should be done.

Just a quick comment here...I recommend using fport,
but as with any tool, one needs to understand the
strengths and weaknesses of the tools used.  Fport
requires an admin account to work, whereas
openports.exe from DiamondCS doesn't.  Also, I know
that inzider is bandied about quite a bit by SANS but
before you use it, take a moment to read the author's
web site on the tool (just b/c SANS recommends it
doesn't make it a particularly good tool to use).  

> Inspecting firewall and IDS logs
> for traffic from the affected machines or ports
> and/or running a sniffer such as Ethereal, Windump
> or Snort could be useful.

True.  I would recommend Ethereal, as it can do stream
reassembly...that way, you can look at an entire
"conversation" at once.  However, keep in mind that
WinDump and Snort can both capture in formats that can
be opened by Ethereal.

> [Windows Netstat utility
> doesn't give you that information unless you're
> running XP.]

Netstat won't capture traffic on any Windows platform.
Are you referring to the '-o' switch, which will list
the PIDs associated with the connections on the far
right-hand side of the output?
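The thread above is about mapping a listening port to the executable behind it (fport, openports, netstat -o) and then pulling version information from that file before sending it to an AV vendor. The following PowerShell script is an added example for readers of this archive; it is not code from the original posters and does not reproduce any of the tools they mention. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt, since, as with fport, process paths for other users' and system processes are only visible to an administrator.

```powershell
# Added example: list every listening TCP socket with the owning process image,
# its embedded file version info, Authenticode status and SHA-256 hash.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and an elevated shell.
# Lines where Path is empty are processes whose image this account cannot read
# (PID 0/4 and protected processes); that is the same limitation fport has.

function Get-ListeningProcessReport {
    [CmdletBinding()]
    param()

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue

        $name    = '<unknown>'
        $path    = $null
        $company = $null
        $desc    = $null
        $fileVer = $null
        $signed  = $null
        $sha256  = $null

        if ($proc) {
            $name = $proc.ProcessName
            $path = $proc.Path      # $null when the image is not readable
        }

        if ($path -and (Test-Path -LiteralPath $path)) {
            # Same information the thread suggests pulling with a version tool:
            # company, description and version strings embedded in the PE resource.
            $vi      = (Get-Item -LiteralPath $path).VersionInfo
            $company = $vi.CompanyName
            $desc    = $vi.FileDescription
            $fileVer = $vi.FileVersion
            # Valid / NotSigned / HashMismatch etc.; unsigned or mismatched
            # binaries listening on a port deserve a closer look first.
            $signed  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            # Hash to quote when searching or submitting the sample to a vendor.
            $sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }

        [PSCustomObject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            ProcessName  = $name
            Path         = $path
            Company      = $company
            Description  = $desc
            FileVersion  = $fileVer
            Signed       = $signed
            SHA256       = $sha256
        }
    }
}

# Usage: unsigned images and images with no company name float to the top.
Get-ListeningProcessReport |
    Sort-Object @{ Expression = { $_.Signed -ne 'Valid' }; Descending = $true },
                @{ Expression = { -not $_.Company };       Descending = $true },
                LocalPort |
    Format-Table LocalPort, PID, ProcessName, Company, Signed, Path -AutoSize
```

Once the report gives you the path of the suspicious image, strings.exe and Dependency Walker (mentioned in the reply above) are the next step on that file; the hash column is what to record before the file is copied off the box or submitted.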




