  zmaugy
join:2003-05-24 Slovenia
reply to Martinus Re: A super trojan?
I'm no computer expert, but the thing is that my computer is also calling that IP 239.255.255.250:1900. I've formatted the HD, checked the system with NAV2004, KAV4.5, TDS3, Spybot, Ad-Aware... and there is nothing suspicious. At that time I thought I was perhaps paranoid; after this "news" I'm not so sure anymore... One thing I have noticed just today: in the ZAPro Alerts and Logs, Winword.exe tried to connect, and there is nothing written under Action Taken. Weird! -- French fries.
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
zmaugy, »Security »I think my computer is infected or hijacked. What should I do?
How did you determine that your system is calling that IP? Zone Alarm? Netstat? I suggest following the steps above and posting a HijackThis log. -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend.
  zmaugy
join:2003-05-24 Slovenia
Zone Alarm. And my IE is not hijacked and the system is always patched, AV (NAV2004) is always updated, from time to time the system is checked with KAV 4.5 on demand, the system is Spybot 1.3 immunized and checked, running from behind a router with stateful packet inspection, and ZAPro is also installed and running - every application has to ask to connect (except IE6, OE6, NAV2004, ZAPro). The only pages I'm surfing with the machine are my ISP's webmail; nothing other than business software is running. How the hell could I be infected? And my ISP checks email for viruses...
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
Did Zone Alarm say what application was hitting that IP?
As mentioned here: »www.geocities.com/technofundo/te···fip.html
quote: Class D - This is a class meant for multicasting only, for sending multicast messages to other groups of host machines.
First Octet - The first octet is between 224 and 239. (Starts with binary bits 1110.)
Class D is a special-purpose reserved class, and addresses in this range are not assigned as IP addresses on an IP network, including the Internet.
In other words, 239.255.255.250 isn't even a routable address on the Internet.
  zmaugy
join:2003-05-24 Slovenia
said by kpatz : Did Zone Alarm say what application was hitting that IP?
Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on.
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
said by zmaugy : Generic host process for win32 services. And it's logged only when automatic lock on ZA is turned on.
Bingo... when ZA is locked, it blocks all traffic. Windows uses TCP/IP internally for certain interprocess communication (this traffic never goes out over the network), but Zone Alarm sees it, and blocks it when it's locked. Windows is likely using the 239. IP range for this purpose.
I've seen instances where, when I was having network issues and didn't have a valid IP, certain Windows services would cause Zone Alarm prompts (the Spooler Subsystem is prone to doing this). I'm at work now so I can't see what IP it was trying to use, but I wouldn't be surprised if it was a 239.* IP.
pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL
reply to zmaugy said by zmaugy : I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900.
Being that that's a broadcast, I wonder what really is going on with that....
  zmaugy
join:2003-05-24 Slovenia
reply to kpatz Thanks, I know my question was off topic :), anyway I'm going to go step by step through the procedure just in case.
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to zmaugy said by zmaugy : I'm no computer expert, but the thing is that also my computer is calling that IP 239.255.255.250:1900
Not weird at all; 239.255.255.250 is UPnP and is normal, unless you turn it off and turn off the SSDP Discovery service, and even that might not stop it if the Windows Messenger service is using the SSDP discovery process.
»support.microsoft.com/default.as···;q317843 »grc.com/unpnp/unpnp.htm »www.updatexp.com/upnp_security.html »www.winguides.com/registry/display.php/1235/
said by kpatz : The "ramdisk" BIOS is a misnomer, and the CMOS is too small to contain any useful executable code. Most anything that overwrites a flash BIOS would render the machine unbootable, unless they created trojan code that is customized for every motherboard/BIOS combination out there (a daunting task to say the least). Even if it could be done, I doubt there'd be enough free space in the BIOS EEPROM to embed a boot image and "ISOs" as they so elegantly put it.
I think it's either a hoax, or someone who did get a trojan and is blowing the details way out of proportion. For example, if he reformatted and got infected again, perhaps it came in through a vulnerable service (hint, use a firewall).
Makes sense to me. -- Dog and Butterfly
  j823777
@bulldogdsl.com
reply to zmaugy 239.255.255.250 port 1900 is the Simple Service Discovery Protocol (SSDP) using multicast to locate a gateway. Perfectly normal, nothing to worry about.
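The reasoning in this thread (kpatz's class D note and the SSDP explanations from TheWiseGuy and j823777) can be turned into a small triage filter for personal-firewall alerts. This is an added example, not code from the forum or from Zone Alarm; the log line format and the process allow-list are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample lines in a simplified "process dst_ip:port action" form
# (assumed format for this example, not Zone Alarm's real log layout).
SAMPLE_LOG = """\
svchost.exe 239.255.255.250:1900 blocked
iexplore.exe 198.51.100.7:80 allowed
winword.exe 203.0.113.45:443 blocked
spoolsv.exe 224.0.0.252:5355 blocked
msimn.exe 192.168.1.1:25 allowed
"""

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900
CLASS_D = ipaddress.ip_network("224.0.0.0/4")        # first octet 224..239
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16")]                 # loopback, link-local
# Processes the thread's poster already lets out (IE6, Outlook Express);
# assumed allow-list for the example.
EXPECTED_INTERNET = {"iexplore.exe", "msimn.exe"}


def classify(dst_ip: str, dst_port: int) -> str:
    """Label a destination the way the thread reasons about it."""
    ip = ipaddress.ip_address(dst_ip)
    if ip == SSDP_GROUP and dst_port == SSDP_PORT:
        return "ssdp-upnp-multicast"   # UPnP device discovery, stays on the LAN
    if ip in CLASS_D:
        return "multicast"             # other class D group, never routed
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    return "internet"


def parse_line(line: str) -> Dict[str, object]:
    proc, dst, action = line.split()
    host, port = dst.rsplit(":", 1)
    return {"process": proc, "ip": host, "port": int(port), "action": action}


def triage(log_text: str) -> List[Dict[str, object]]:
    """One record per log line; 'suspicious' marks what deserves a closer look:
    a process outside the allow-list reaching a real Internet address."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        rec["class"] = classify(rec["ip"], rec["port"])
        rec["suspicious"] = (rec["class"] == "internet"
                             and rec["process"] not in EXPECTED_INTERNET)
        records.append(rec)
    return records
```

Multicast discovery traffic is filtered out as expected noise, so the only record flagged in the sample is the office application reaching an outside host, which is the event zmaugy noticed for Winword.exe.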