I visited a website, got a pop up and closed it. ■■■■, the screen went black and I thought oh ■■■■… Sure enough something got in, an HTML hack of some sort. Norton’s alerts me that it’s scanning an outgoing email. Wait… I’m not sending any email, and suddenly emails start flying out of my PC.
So I cut the connection to my LAN. I have a quick launch shortcut to enable/disable the LAN connection. I’m smarter than the average user online: I’m a certified Windows Admin, resell webspace, do HTML/JavaScript and web design on the side and so on. Not too shabby at BASIC programming either.
My system, WinXP Pro SP2, 3 GB RAM, 256 MB video, etc etc etc… I’ve got Norton’s 2005 with definitions of 10/27/07 (less than a day old) and tried a full scan, even talked online to 3 so-called analysts with Symantec. They were useless. I have Ad-Aware 2007, latest defs. No joy there either. I scanned everything. They all say it’s clean as can be.
So how come I see this when I do netstat as soon as I see traffic on my LAN:
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1033 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1047 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 :
UDP 0.0.0.0:500 :
UDP 0.0.0.0:1025 :
UDP 0.0.0.0:1028 :
UDP 0.0.0.0:1038 :
UDP 0.0.0.0:3541 :
UDP 0.0.0.0:4500 :
UDP 127.0.0.1:123 :
UDP 127.0.0.1:1900 :
It gets better: wait a few moments and then I do another netstat as I watch Norton’s continue to scan more outgoing email that I didn’t authorize…
Active Connections
Proto Local Address Foreign Address State
TCP darpa-c5w6oazd1:3538 localhost:1047 TIME_WAIT
TCP darpa-c5w6oazd1:3543 localhost:1047 TIME_WAIT
TCP darpa-c5w6oazd1:3526 192.168.2.6:netbios-ssn TIME_WAIT
TCP darpa-c5w6oazd1:3527 74.208.13.39:https TIME_WAIT
TCP darpa-c5w6oazd1:3528 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3529 208.66.69.238:https TIME_WAIT
TCP darpa-c5w6oazd1:3530 208.66.69.238:https TIME_WAIT
TCP darpa-c5w6oazd1:3533 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3534 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3540 74.208.13.39:https TIME_WAIT
TCP darpa-c5w6oazd1:3545 74.208.13.39:https TIME_WAIT
I do some WHOIS and tracert stuff and come up with some websites that basically have just placeholders for their pages. Hmmmm… dig this:
Active Connections
Proto Local Address Foreign Address State
TCP darpa-c5w6oazd1:3574 u15250010.onlinehome-server.com:https TIME_WAIT
TCP darpa-c5w6oazd1:3575 u15250010.onlinehome-server.com:https TIME_WAIT
208.66.69.238
Record Type: IP Address
OrgName: InterWeb Media
OrgID: INTER-280
Address: 2617 Lippe
City: Montreal
StateProv: QC
PostalCode: H4R-1L9
Country: CA
74.208.13.39
Record Type: IP Address
OrgName: 1&1 Internet Inc.
OrgID: 11INT
Address: 701 Lee Rd
Address: Suite 300
City: Chesterbrook
StateProv: PA
PostalCode: 19087
Country: US
So I find Comodo and install. I am successful at blocking a few ports and fully block the IPs involved, but guess what, the mail shifts to new IPs and ports. All on the same IP ranges that these guys run…
What are the emails going out? SPAM for ■■■■■ enlargement, ■■■■■ sites, you name it. Nothing with my name on it, nothing showing it came from my PC… it’s all pre-formed with some funky return addresses. Dead-end spoofed stuff. And my PC is a zombie relay.
Comodo was able to do what NAV and AdAware couldn’t: name the parent causing the email:
C:\WINDOWS\Temp\1023640863.exe
So I go with glee, I am going to kill this evil file. Um, it’s not there. I searched. Nothing. Then the log shows another parent: 1104726938.exe in the same folder. Um, no it isn’t. No *.exe at all in that folder.
I’ve contacted my ISP to inform them of the situation and they were fairly useless as well. I realize I may have to wipe the system and reinstall, but that’s a last resort. I’ve got 3/4 of a terabyte of drives here. Formatting is a nuclear meltdown type of solution.
Any ideas? It isn’t a known worm/trojan/virus/spyware or it’d have been picked up by NAV/AdAware. It’s most likely an exploit of Windows and IE 6.0…
~ Thanks (:KWL)
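The netstat snapshots in the post are the most useful evidence it contains: a burst of short-lived TIME_WAIT connections from one workstation to a handful of public hosts. The script below is an added example, not code from the poster, that parses that kind of output (as printed by Windows netstat without -n, so service names such as https and netbios-ssn appear in place of port numbers), sorts each foreign endpoint into local / private-LAN / public, and counts repeated public destinations so they can be taken to WHOIS as the post does. The SAMPLE text is the post's own second snapshot; the service-name table and the threshold are assumptions for this example.

```python
import ipaddress
import re
from collections import Counter

# Service names Windows netstat substitutes for well-known ports when run
# without -n. Small table assumed for this example; extend as needed.
SERVICE_PORTS = {
    "http": 80, "https": 443, "smtp": 25, "netbios-ssn": 139,
    "microsoft-ds": 445, "ntp": 123, "isakmp": 500,
}

# One netstat row: proto, local endpoint, foreign endpoint, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Copied from the post's second netstat snapshot.
SAMPLE = """Active Connections
Proto Local Address Foreign Address State
TCP darpa-c5w6oazd1:3538 localhost:1047 TIME_WAIT
TCP darpa-c5w6oazd1:3543 localhost:1047 TIME_WAIT
TCP darpa-c5w6oazd1:3526 192.168.2.6:netbios-ssn TIME_WAIT
TCP darpa-c5w6oazd1:3527 74.208.13.39:https TIME_WAIT
TCP darpa-c5w6oazd1:3528 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3529 208.66.69.238:https TIME_WAIT
TCP darpa-c5w6oazd1:3530 208.66.69.238:https TIME_WAIT
TCP darpa-c5w6oazd1:3533 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3534 208.65.60.87:http TIME_WAIT
TCP darpa-c5w6oazd1:3540 74.208.13.39:https TIME_WAIT
TCP darpa-c5w6oazd1:3545 74.208.13.39:https TIME_WAIT
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). The port may be a service name
    (netstat without -n) or a number; unknown or missing ports become None."""
    host, _, port = endpoint.rpartition(":")
    if port in SERVICE_PORTS:
        return host, SERVICE_PORTS[port]
    return host, (int(port) if port.isdigit() else None)


def classify(host):
    """Scope of a foreign host: 'local' (loopback/unspecified), 'private'
    (RFC 1918 etc.), 'public', or 'named' for unresolved hostnames."""
    if host == "localhost":
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "named"
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    if ip.is_private:
        return "private"
    return "public"


def parse_netstat(text):
    """Turn raw netstat text into a list of row dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        fhost, fport = split_endpoint(foreign)
        rows.append({
            "proto": proto, "local": local, "foreign_host": fhost,
            "foreign_port": fport, "state": state or "", "scope": classify(fhost),
        })
    return rows


def summarize_outbound(rows):
    """Count non-listening TCP connections to public hosts, keyed by (host, port)."""
    counts = Counter()
    for r in rows:
        if r["proto"] == "TCP" and r["scope"] == "public" and r["state"] != "LISTENING":
            counts[(r["foreign_host"], r["foreign_port"])] += 1
    return counts


def repeated_destinations(counts, min_count=2):
    """Public endpoints hit at least min_count times, busiest first; these are
    the addresses worth a WHOIS lookup and a firewall rule."""
    hits = [(host, port, n) for (host, port), n in counts.items() if n >= min_count]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1] or 0))


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    for host, port, n in repeated_destinations(summarize_outbound(rows)):
        print(f"{n:3d} x {host}:{port}")
```

On the machine itself, running netstat -n -o (both switches exist on Windows XP) prints numeric addresses plus the owning process ID, which is the quicker way to tie a connection to a process than the firewall log the post eventually relied on; the parser above handles the numeric form as well, since a numeric port simply bypasses the service-name table.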