Wireshark-users: [Wireshark-users] WindowsXP Broadcast question



From: Tim Takata <tim.takata@xxxxxxxxx>
Date: Fri, 5 Feb 2010 21:32:02 -0800

Hi, I'm new to the list and thought I'd give this question a try.


Has anyone seen an NBNS broadcast where all the nodes on a link/subnet are
sending NBNS broadcasts with the following listed in Wireshark's
"Info" column: "Name query NB CN.KING.CD<00>"

All the nodes on the subnet (10.x.x.252 subnet) are sending this out
as a broadcast every 1 to 5 seconds (according to Wireshark's "Time"
column).

The reason for asking is that we know the network is infected with a
botnet/zombie type of malware and were concerned about the broadcast
traffic, which seems excessive. We have been unable to identify the
meaning of CN.KING.CD, but have found Google hits associating
CN.KING.CD with an HTTP herder, which *was* used to download a backdoor
program.

We are not the IT and the IT rep is making progress removing the
malware and considers the above NetBIOS broadcasts to be normal.

Any insight or tools that we could use to trace the broadcast to an exact
process on WinXP? This is a bit of a unique environment and everything
we do/find is related and communicated with the IT rep.


Thanks in advance!
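The post describes a pattern worth being able to spot without hand-reading the Info column: many hosts repeatedly broadcasting an NBNS name query for one name. The following is an added example written for this page, not code from the original post or from the Wireshark project. It decodes NBNS question names from the raw UDP payload (NetBIOS first-level encoding: each nibble of the 16-byte padded name plus 'A', with the 16th byte being the service suffix such as <00>), and then flags (source, name) pairs that are queried repeatedly at a short median interval. The packet list, the host addresses and the query bytes are all constructed inline; the thresholds `min_count` and `max_median_interval` are assumptions chosen to match the "every 1 to 5 seconds" behaviour in the post.

```python
import struct
from collections import defaultdict


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: 15 chars space-padded, 16th byte is the suffix."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))      # high nibble + 'A'
        out.append(0x41 + (b & 0x0F))    # low nibble + 'A'
    return bytes(out)


def decode_nb_name(encoded: bytes):
    """Reverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def parse_nbns_query(payload: bytes):
    """Parse an NBNS (UDP/137) query with one question. Returns a dict, or None if not a query."""
    if len(payload) < 12:
        return None
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:            # response bit set: not a query
        return None
    if qdcount != 1:
        return None
    pos = 12
    if len(payload) < pos + 38 or payload[pos] != 32 or payload[pos + 33] != 0:
        return None               # expect one 32-byte label followed by a zero terminator
    encoded = payload[pos + 1:pos + 33]
    qtype, qclass = struct.unpack("!HH", payload[pos + 34:pos + 38])
    name, suffix = decode_nb_name(encoded)
    return {
        "tid": tid,
        "name": name,
        "suffix": suffix,
        "qtype": qtype,                       # 0x0020 = NB (name query)
        "qclass": qclass,
        "broadcast": bool(flags & 0x0010),    # B flag: broadcast query
    }


def build_query(name: str, suffix: int = 0x00, tid: int = 0x1234) -> bytes:
    """Construct a broadcast NBNS name query payload (used here only to build sample data)."""
    header = struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)   # opcode query, RD + B flags
    question = bytes([32]) + encode_nb_name(name, suffix) + b"\x00" + struct.pack("!HH", 0x0020, 1)
    return header + question


def find_repeating_queries(packets, min_count=3, max_median_interval=5.0):
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload).
    Returns {(src_ip, 'NAME<suffix>'): {'count': n, 'median_interval': s}} for
    name queries repeated at least min_count times with a short median gap."""
    seen = defaultdict(list)
    for ts, src, payload in packets:
        q = parse_nbns_query(payload)
        if q is None or q["qtype"] != 0x0020:
            continue
        seen[(src, f"{q['name']}<{q['suffix']:02x}>")].append(ts)
    findings = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if median <= max_median_interval:
            findings[key] = {"count": len(stamps), "median_interval": median}
    return findings


# Constructed sample capture (assumed hosts): three hosts each query CN.KING.CD<00>
# every 2 s; one other host makes a single, ordinary file-server lookup.
SAMPLE_PACKETS = []
for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
    for i in range(5):
        SAMPLE_PACKETS.append((i * 2.0, host, build_query("CN.KING.CD")))
SAMPLE_PACKETS.append((3.5, "10.0.0.50", build_query("FILESRV01", 0x20)))

if __name__ == "__main__":
    for (src, name), info in sorted(find_repeating_queries(SAMPLE_PACKETS).items()):
        print(f"{src} queries {name} {info['count']}x, median gap {info['median_interval']:.1f}s")
```

On a real capture the triples would come from tshark or a pcap reader instead of `SAMPLE_PACKETS`. Note that on Windows the UDP/137 socket belongs to the kernel NetBT driver rather than to the program that asked for the name, so a per-process socket listing alone will not attribute the query; the decoded name and per-host interval are the evidence to correlate with host-side findings.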
