March 6th, 2002, 06:03 PM
My hormonally driven teenage son opens an e-mail message with "Snow White..." in the subject line using Outlook on a Win98 box. Message has no visible attachment or message. At the time the message was opened I had installed all the Windows updates and was running NAV with updated definitions. I am also running Sygate Personal Firewall.
Now for my question (other than which military school to ship said son off to): the firewall shows kernel32.dll listening on 3 ports (137, 138 & 139). I don't recall seeing this. Is it normal?
NAV scan has not detected anything. I downloaded the EICAR test string and it detected that, but I am still unconvinced (read paranoid). I run F-prot from a cd and it also did not detect anything, but the firewall shows kernel32.dll trying to connect to the internet.
March 6th, 2002, 06:06 PM
Those are netbios ports. You need to disable netbios. Remove the Microsoft Network client.
Netbios name service=137
netbios Datagram service=138
Netbios Session Service=139
Hope that helps.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
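As an added example (not code from anyone in this thread), here is a small Python script that applies the two checks the discussion turns on: which NetBIOS ports (137, 138, 139) are listening on a non-loopback address, and whether a system DLL name such as kernel32.dll first shows up in the firewall traffic log making outbound connections on or after the day a suspicious message was opened. The log format and the log lines are constructed for the example; Sygate's real log layout is not assumed.

```python
"""Flag NetBIOS exposure and newly appearing outbound traffic from a system DLL
in firewall-style log lines. Added example; the log format is constructed."""
from datetime import datetime

# The three NetBIOS ports named in the thread and the services behind them.
NETBIOS_PORTS = {
    137: "NetBIOS Name Service",
    138: "NetBIOS Datagram Service",
    139: "NetBIOS Session Service",
}

# Constructed sample log: "date time direction proto local:port remote:port process".
SAMPLE_LOG = """\
2002-02-27 21:10:03 LISTEN UDP 0.0.0.0:137 - kernel32.dll
2002-02-27 21:10:03 LISTEN UDP 0.0.0.0:138 - kernel32.dll
2002-02-27 21:10:04 LISTEN TCP 0.0.0.0:139 - kernel32.dll
2002-03-01 19:42:11 OUT TCP 192.168.1.5:1034 203.0.113.7:80 kernel32.dll
2002-03-01 19:42:15 OUT TCP 192.168.1.5:1035 203.0.113.7:80 kernel32.dll
2002-03-02 08:01:00 OUT TCP 192.168.1.5:1040 198.51.100.9:80 iexplore.exe
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    date, time, direction, proto, local, remote, process = line.split()
    lhost, lport = local.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "dir": direction,
        "proto": proto,
        "lhost": lhost,
        "lport": int(lport),
        "remote": remote,
        "process": process,
    }


def netbios_listeners(log_text):
    """Return (port, service, process) for NetBIOS ports bound on a non-loopback address.

    A listener on 0.0.0.0 is reachable from every interface, which is why the
    advice in the thread is to disable NetBIOS or block these ports at the firewall.
    """
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec["dir"] == "LISTEN"
                and rec["lport"] in NETBIOS_PORTS
                and not rec["lhost"].startswith("127.")):
            found.append((rec["lport"], NETBIOS_PORTS[rec["lport"]], rec["process"]))
    return found


def first_outbound_by_process(log_text):
    """Map each process name to the timestamp of its first outbound attempt."""
    first = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["dir"] == "OUT" and rec["process"] not in first:
            first[rec["process"]] = rec["ts"]
    return first


def suspicious_outbound(log_text, event_time, system_names=("kernel32.dll",)):
    """Names from system_names whose first outbound attempt falls on or after
    event_time's date (for example the day the suspicious mail was opened).

    This is the correlation the original poster did by hand: a system DLL that
    never connected out before, and starts doing so on the day of the event,
    deserves a closer look even when the scanners report nothing.
    """
    first = first_outbound_by_process(log_text)
    return sorted(
        name for name, ts in first.items()
        if name.lower() in system_names and ts.date() >= event_time.date()
    )


if __name__ == "__main__":
    for port, service, proc in netbios_listeners(SAMPLE_LOG):
        print(f"exposed {service} (port {port}) via {proc}")
    print("new outbound from system DLLs since 2002-03-01:",
          suspicious_outbound(SAMPLE_LOG, datetime(2002, 3, 1)))
```

The timestamp correlation is only a lead, not proof of infection: on the constructed input it flags kernel32.dll because its first outbound attempt falls on the event day, and it stays quiet if the event date is moved later. The NetBIOS check, by contrast, is actionable on its own, since those services should not be listening on an interface exposed to the Internet regardless of what the mail did.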
March 6th, 2002, 06:26 PM
Ummm, the Snow White message is a virus. I would bet money that it was sent from firstname.lastname@example.org (if I remember correctly). It installs a back door trojan on your puter. If NAV isn't showing anything, you need to update your virus definitions. If you don't want to pay for new definitions, you can get AVG from www.grisoft.com for free. If for some reason that still doesn't work, go to www.tauscan.org and download the trojan cleaner program (can't remember the name).
"Ignorance is bliss....
but only for your enemy"
March 6th, 2002, 08:34 PM
Thanks for the info Korp, I'll check when I get home.
Soulman...I know about the Snow White virus, that's why number one son is hanging from the yard arm by his hormones. What puzzles me is that neither Norton (with current definitions) nor F-prot (again with current defs) detects anything. Makes my paranoid meter go tilt. According to the Sygate traffic log, kernel32.dll never tried to access until 3/01, the same day that e-mail was opened.
March 6th, 2002, 08:58 PM
If an up-to-date Norton isn't detecting anything, then chances are the trojan didn't install. Try a free online virus/trojan scanner here....Also, The Cleaner is a good little trojan removal tool. You can get it here....It's shareware and only lasts 30 days, but that should be more than enough time to remove that evil temptress, SnoWhite....