Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Ethereal-users: RE: [Ethereal-users] ARP-Protokoll

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "BROWN, JAMES C" <JBROW91@xxxxxxxxxxx>
Date: Mon, 11 Oct 2004 17:25:00 -0500
Hi everyone!  Just an FYI on a new worm.

There is a new worm variant out there which is beginning to be picked up by
the press.  We got hit last week by one called spybot (but NOT related to
the program) which also uses port 445.  We were the first to call it into
NAV who very promptly published a fix.  I'm sure other AV vendors will also
follow suit.  In all our cases the "bot" was trying to scan addresses in the
149.8.x.x and 149.7.x.x ranges and also used port 445.

Regards
JCB

-----Original Message-----
From: Richard Urwin [mailto:richard@xxxxxxxxxxxxxxx] 
Sent: Monday, October 11, 2004 11:49 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] ARP-Protokoll

On Monday 11 Oct 2004 7:22 am, Richard Urwin wrote:
> On Sunday 10 Oct 2004 4:56 pm, Freenet-Old wrote:
> > Dear Sirs and Mesdames,
> >
> > I hope you could help me. Yesterday I installed etheral to oberseve
> > my Cable-Modem-Internet connection. Why? Since a cuple of weeks I
> > can see flashing lights on my modem - indicating network traffic -
> > but no program ist open nor the IE is running. My provider shows me
> > 1 GB of upload. Hmm. Etheral showed me, that when all known
> > web-applications on my PC are closed, 100 % of entwork traffic come
> > from using the ARP-Protokol, broadcasting somthing like "who is" or
> > "hihi..."? How can I identify the source of the traffic and how can
> > I stop it? It would be great to hear from you.
>
> Several well-known viruses do that. I suggest you update your
> anti-virus database and do a full scan.

There's a new virus out that the anti-virus packages only caught within 
the last few days, wootbot. They haven't got any details on it yet, so 
this is based on my experience:

It appears to do start off with very rapid ARP messages to random IP 
addresses within the local network (depending on the IP address class, 
not the netmask.) It then connects to any machines it finds on TCP port 
445.

To fix it open the Task Manager and end process msmsgs.exe, then remove 
msmsgs.exe from the system32 folder. To avoid re-infection get 
up-to-date with windowsupdate.com.

There may be other filenames, but this is the only variant that we 
caught at our office.

-- 
Richard Urwin

_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube