Wireshark-users: Re: [Wireshark-users] WindowsXP Broadcast question * Resolved *
From: Tim Takata <tim.takata@xxxxxxxxx>
Date: Wed, 10 Feb 2010 16:07:03 -0800
Some closure on this: I found the culprit.

File Name: nettray.exe
File Path: C:\Documents and Settings\%infected-username%\Application Data\
File Size: 30 KB (30,720)
File Attributes: Read-only, Hidden
------------------
Conclusion: After further review it looks like it broadcasts 3 NBNS to CN.KIND.CD every 5 seconds, give or take. I found several hits on Google for Trojan/Backdoor relation to the file.

Thanks to everyone who responded.

Tim.

On Sun, Feb 7, 2010 at 7:11 AM, Stuart Kendrick <skendric@xxxxxxxxx> wrote:
> No, I haven't. Windows boxes broadcast NBNS look-ups and announcements for
> a range of reasons, and chatter in this fashion with a loquacity I find
> astonishing. But I haven't seen a single station broadcast with that
> frequency (every few seconds) nor look up the NetBIOS name 'CN.KING.CD'.
>
> If I had to guess, I would make the same guess you are making. Sounds like
> you have a bunch of boxes infected with some flavor of malware (though I
> don't know why that malware is performing CN.KING.CD look-ups every few
> seconds, nor why it is using NBNS rather than DNS).
>
> Brain-storming here: you could gather a list of the infected IP addresses
> using Wireshark, then perform NBNS look-ups on those addresses:
>
> C:\temp>nbtstat -A 10.11.88.152
>
> Hutch:
> Node IpAddress: [10.11.88.152] Scope Id: []
>
>            NetBIOS Remote Machine Name Table
>
>        Name               Type         Status
>     ---------------------------------------------
>     SALLY          <00>  UNIQUE      Registered
>     FHCRC          <00>  GROUP       Registered
>     SALLY          <20>  UNIQUE      Registered
>     FHCRC          <1E>  GROUP       Registered
>
>     MAC Address = 00-1A-A0-AF-A5-A9
>
>
> C:\temp>
>
> That gets you the NetBIOS name ('Sally') of the infected machine. With a
> little local knowledge, perhaps you can track a NetBIOS name down to a
> physical location.
>
> hth,
>
> --sk
>
>
>> Hi, I'm new to the list and thought I'd give this question a try.
>>
>> Has anyone seen an NBNS Broadcast where all the nodes on a link/subnet are
>> sending NBNS broadcasts with the following listed in Wireshark's
>> "Info" column: "Name query NB CN.KING.CD<00>"
>
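The thread turns on two things: how Wireshark arrives at the "CN.KING.CD<00>" label (NBNS first-level name encoding: the 15-character space-padded name plus a one-byte suffix, each byte split into two nibbles and offset by 'A'), and Stuart's suggestion of pulling the list of hosts that query that name from a capture. The following is an added example, not code from the thread or from Wireshark. It builds and decodes NBNS name queries and then flags any source that looks up a given name at the rate Tim reported (3 queries every 5 seconds). The capture it runs on is constructed inline; the IP addresses 10.11.88.x, the `window_s`/`threshold` parameters and all function names are assumptions for the example.

```python
"""Decode NBNS name queries and flag hosts that query one name at high frequency.

Added example for the thread above; the packets below are constructed, not a real capture.
"""
import struct
from collections import defaultdict


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """NBNS first-level encoding: 15-char name (space padded) + suffix byte,
    each byte split into high/low nibble, each nibble + 0x41 ('A')."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)  # always 32 bytes


def build_nbns_query(name: str, suffix: int = 0x00, txid: int = 0x8000) -> bytes:
    """UDP/137 payload of a broadcast NB name query (flags 0x0110: B bit + RD)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    qname = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    question = qname + struct.pack(">HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN
    return header + question


def decode_nbns_query(payload: bytes):
    """Return (name, suffix) for a single-question NB name query, else None."""
    if len(payload) < 50:  # 12 header + 1 + 32 + 1 label + 4 qtype/qclass
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # response bit set, or not one question
        return None
    if payload[12] != 32 or payload[45] != 0:
        return None
    qtype = struct.unpack(">H", payload[46:48])[0]
    if qtype != 0x0020:
        return None
    encoded = payload[13:45]
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            return None
        raw.append((hi << 4) | lo)
    name = raw[:15].decode("ascii", errors="replace").rstrip(" ")
    return name, raw[15]


def wireshark_label(name: str, suffix: int) -> str:
    """Render the name the way the Info column does, e.g. 'CN.KING.CD<00>'."""
    return f"{name}<{suffix:02X}>"


def _max_in_window(times, window_s: float) -> int:
    """Largest number of events falling inside any window of window_s seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window_s:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_chatty_queriers(packets, target_name: str, window_s: float = 60.0,
                         threshold: int = 10) -> dict:
    """packets: iterable of (timestamp, src_ip, nbns_payload).
    Returns {src_ip: peak queries per window} for sources at or above threshold."""
    per_src = defaultdict(list)
    for ts, src, payload in packets:
        decoded = decode_nbns_query(payload)
        if decoded and decoded[0] == target_name.upper():
            per_src[src].append(ts)
    return {src: n for src, ts in per_src.items()
            if (n := _max_in_window(ts, window_s)) >= threshold}


def _constructed_capture():
    """Constructed sample: one host in 3-queries-every-5-seconds bursts, two quiet ones."""
    q = build_nbns_query("CN.KING.CD")
    pkts = []
    for t in range(0, 60, 5):          # 12 bursts of 3 = 36 queries in one minute
        for k in range(3):
            pkts.append((t + 0.01 * k, "10.11.88.152", q))
    pkts.append((7.0, "10.11.88.7", q))   # ordinary host resolving the name twice
    pkts.append((43.0, "10.11.88.7", q))
    pkts.append((20.0, "10.11.88.9", build_nbns_query("SALLY", 0x20)))  # unrelated lookup
    return pkts


SAMPLE_PACKETS = _constructed_capture()

if __name__ == "__main__":
    name, suffix = decode_nbns_query(build_nbns_query("CN.KING.CD"))
    print("decoded:", wireshark_label(name, suffix))
    for src, n in find_chatty_queriers(SAMPLE_PACKETS, "CN.KING.CD").items():
        print(f"{src}: {n} queries for CN.KING.CD within 60 s -> run nbtstat -A {src}")
```

The window/threshold pair is deliberately loose (10 queries per minute); a single Windows box legitimately resolving a name will retry a few times and stop, while the pattern in the thread produces dozens per minute. The output list is what you would then feed to `nbtstat -A` as Stuart describes.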