Possible new virus/trojan
We have been seeing some strange behavior on one of our computers. We first noticed that the computer was trying to send out several thousand emails in a very shot period of time. Thanks to our firewall rules they were blocked. We tracked down the computer, someones home laptop running WinXP they brought in :rolleyes: without any antivirus on it :mad:. After scanning with up to date antivirus and trojan scanners and finding nothing, I started digging a little deeper and began finding some unusual things. First of all the computer was trying about every 3 seconds to contact Tiffany.fvngh.com with a source port of 3024 and a destination port of 53. BTW, this Tiffany server has an IRC server running on port 80 with well over a thousand clients connected to it... all in hidden rooms...??? Oh well, back to our computer. Port 3024 was bound to svchost.exe. SvcHost.exe was also bound to ports 123, 135, 1025, 1900, 2869, 3002, 3003, 3004, 3005, 3009 and 5000. The only two other processes that I could not account for was Wscript.exe (there was no scripts running that I could find) and SysWeb.exe.
Have any of you been seeing this behaviour? Any suggestions?