-
September 5th, 2002, 10:53 AM
#1
Member
script.exe ??
Every time I start Windows, something called script.exe is running in the background. I have seen it try to connect to 2 different IP addys and have blocked it.
The 2 addys are 202.99.166.61:6667 (which turned out to be a Japanese/Korean website)
and the other 194.168.4.100NS
I did a NeoTrace on the 2nd one and this time the IP terminated in the UK and gave me the following info:
NeoTrace Trace Version 3.25 Results
Target: 194.168.4.100
Date: 9/5/02 (Thursday), 10:30:58 AM
Nodes: 11
Node Data
Node Net Reg IP Address Location Node Name
1 - - 213.106.205.235 St. Helens m7y1i8
2 1 - 10.51.48.1 Unknown
3 1 - 10.0.123.162 Unknown
4 1 - 10.0.123.12 Unknown
5 1 - 10.0.186.27 Unknown
6 2 1 213.105.172.117 Unknown man-bb-b-so-130-0.inet.ntl.com
7 2 - 62.253.185.138 Unknown
8 2 1 213.105.172.130 Guildford gfd-bb-b-so-500-0.inet.ntl.com
9 2 1 213.105.172.197 Guildford gfd-bb-a-ge-020-0.inet.ntl.com
10 2 1 213.105.172.153 Guildford gfd-dc-c-v300.inet.ntl.com
11 3 2 194.168.4.100 Southwark cache1.ntli.net
Packet Data
Node High Low Avg Tot Lost
1 0 0 0 1 0
2 16 16 16 1 0
3 13 13 13 1 0
4 33 33 33 1 0
5 15 15 15 1 0
6 15 15 15 1 0
7 27 27 27 1 0
8 21 21 21 1 0
9 20 20 20 1 0
10 19 19 19 1 0
11 36 36 36 1 0
Network Data
Network id#: 1
OrgName: IANA
OrgID: IANA-2
Network id#: 2
NTL Internet
Crawley Court
Winchester
Hampshire
SO21 2QA
Network id#: 3
NTL Internet
Crawley Court
Winchester
Hampshire
SO21 2QA
Registrant Data
Registrant id#: 1
Registrant:
Cable Online (NTL5-DOM)
NTL House Dunleavy drive
cardiff, uk cf11 0ww
GB
Registrant id#: 2
Registrant:
Cable Online (NTLI3-DOM)
Online House Cleppa Park
Newport, NP1 9UG
UK
_____
NeoTrace Copyright ©1997-2001 NeoWorx Inc
I can't make much out from this stuff, but why would it be trying to connect to my PC through script.exe?
Any help or ideas on what's happening would be very appreciated, as since I've found this running I've also had my PC infected with the FunLove virus, which is proving pretty hard to get rid of, and I've also had my 6-digit ICQ number stolen (I think). I'm gonna do an fdisk & format of my HD, but I'd like to find out as much as possible about this before I do so I can maybe get my ICQ number back...
Thanks a lot.
Ivan.
-
September 5th, 2002, 01:46 PM
#2
Run netstat and see what you have for established connections, then post the results. Thanks.
Avenger
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
September 5th, 2002, 02:30 PM
#3
Not only should you provide the results of a netstat -an, but you should also do the following:
1) Get FPort. Run it and see what other ports the program is listening to...
2) Mention what OS you have and whether or not you use PPP, dialup, SLIP, or any of them at all. A quick run through Google indicated that Win 95 dialup used script.exe to establish connections (dialup scripting tool).
3) Give the full pathname of the file being run.
This URL indicates that there is a virus named script.exe that installs in the fonts folder and tries to connect to websites (sounds similar to this):
Get that information back to us (I would recommend sanitizing it to remove your IP (just use something like aaa.bbb.ccc.ddd in its place to protect the innocent)) and I would be glad to help you more...
Neb
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
September 5th, 2002, 04:35 PM
#4
Member
Thanks for the replies, here are my netstat details:
TCP xxxx:3487 213.205.224.202:27374 SYN_SENT
TCP xxxx:3743 213.205.225.204:27374 SYN_SENT
TCP xxxx:3488 213.205.224.203:27374 SYN_SENT
TCP xxxx:3744 213.205.225.205:27374 SYN_SENT
TCP xxxx:3489 213.205.224.204:27374 SYN_SENT
TCP xxxx:3745 213.205.225.206:27374 SYN_SENT
TCP xxxx:3490 213.205.224.205:27374 SYN_SENT
TCP xxxx:3746 213.205.225.207:27374 SYN_SENT
TCP xxxx:3491 213.205.224.206:27374 SYN_SENT
TCP xxxx:3747 213.205.225.208:27374 SYN_SENT
TCP xxxx:3492 213.205.224.207:27374 SYN_SENT
TCP xxxx:3748 213.205.225.209:27374 SYN_SENT
TCP xxxx:3493 213.205.224.208:27374 SYN_SENT
TCP xxxx:3749 213.205.225.210:27374 SYN_SENT
TCP xxxx:3494 213.205.224.209:27374 SYN_SENT
TCP xxxx:3750 213.205.225.211:27374 SYN_SENT
TCP xxxx:3751 213.205.225.212:27374 SYN_SENT
TCP xxxx:3752 213.205.225.213:27374 SYN_SENT
TCP xxxx:3753 213.205.225.214:27374 SYN_SENT
TCP MY ADDY:3754 213.205.225.215:27374 SYN_SENT
TCP xxxx:3755 213.205.225.216:27374 SYN_SENT
TCP xxxx:1761 202.99.166.61:6667 ESTABLISHED
UDP 127.0.0.1:3205 *:*
C:\WINDOWS>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:1764 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3205 0.0.0.0:0 LISTENING
TCP xxxxMY IP ADDY:1764 202.99.166.61:6667 ESTABLISHED
UDP 127.0.0.1:3205 *:*
When I first did the netstat command it went a bit mad and scrolled quickly down the screen as if there were lots of connections, then I ran it again and got fewer results, as you can see. I have noticed the address of the Japanese/Korean website seems to be connecting to my computer for some reason... (I have changed my IP to xxxx as advised.)
I did a search for script.exe on my PC and the file seems to live in c:\windows and is 101KB.
I have downloaded Fport-2.0 from the link, but it seems to be missing a PSAPI.DLL file and won't run on my PC.
I'm using Win98SE and have got a cable connection.
Cheers again. Ivan.
-
September 5th, 2002, 04:58 PM
#5
OK, I still need the full pathname/filename of script.exe...
However, bad news:
27374 is the SubSeven port...
http://www.commodon.com/threat/threat-sub7.htm
http://www.iss.net/security_center/a...en/default.htm
I would suspect you are probably trojaned. The first URL will help you remove it.
Neb
-
September 5th, 2002, 05:13 PM
#6
Member
OK, thanks Neb. When you say the full pathname, I presumed you were after the location of the file; from the search I presumed it was in the root folder of c:\windows. I tried to get into that folder but am unable to, as several things on my computer are now not working properly...
Can you explain why the IP of the PCs connected to me via 27374 goes up 1 digit each line in the last octet?
-
September 5th, 2002, 06:19 PM
#7
Probably because they are using the trojan to do scans from your computer (this is mentioned in one of the two URLs I gave you). From SubSeven you can launch DoS attacks and scans, etc., and that is what you are seeing....
Pathname means the path or directory in which the file is located... for example,
c:\windows\system32\notepad.exe: the filename would be notepad.exe, the full pathname would be c:\windows\system32.
A lot of times, trojans will be named something that is normally on the OS, but the trojan will be installed in a different location (not always, but sometimes), and that is why I was asking about it (and about the OS, to try to determine if you would legitimately have script.exe on your PC)...
Either way, I would say you almost certainly have SubSeven installed. I think I saw that you said you were gonna format and start over; if that is the case, I would go ahead and do it. I would also recommend that once you do get your OS installed, one of the first things you do is to install a personal firewall (for example ZoneAlarm or Agnitum Outpost or Tiny) and a modern antivirus with current signatures. Those would go a long way towards keeping this from happening again...
Neb
-
September 5th, 2002, 07:14 PM
#8
Ummm, yeah, that looks like Sub7, but I think you got your explanation backwards, Nebulus.
The 2 IPs that it is sending messages to are the clients that the Sub7 server on your computer is trying to connect to. The 213.205.225.x:27374 connections are probably your computer scanning for other Sub7 servers. Here is probably what happened:
You downloaded/opened a Sub7 trojan that installed itself as script.exe.
When you connect, the trojan "phones home" for instructions (the 2 addresses that always show up).
One of those addresses is giving your trojan the command to scan for other trojans. (It probably gives this command to multiple servers and each one scans a separate IP block.)
Your computer will eventually "phone home" with the results and get new instructions.
"Ignorance is bliss....
but only for your enemy"
-- souleman
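The netstat output in post #4 and the explanation in post #8 describe two signatures a defender can pull straight out of `netstat -an`: a run of SYN_SENT connections to the same remote port across consecutive addresses (the infected host being used to scan), and an ESTABLISHED session to an IRC-style port (the "phone home"). The script below is an added example, not from the original thread; it parses a constructed sample modelled on the post's output and flags both patterns, using only the Python standard library.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in the shape of the `netstat -an` output in post #4
# (local addresses masked as xxxx, as the poster did).
SAMPLE = """\
TCP xxxx:3487 213.205.224.202:27374 SYN_SENT
TCP xxxx:3488 213.205.224.203:27374 SYN_SENT
TCP xxxx:3489 213.205.224.204:27374 SYN_SENT
TCP xxxx:3490 213.205.224.205:27374 SYN_SENT
TCP xxxx:3743 213.205.225.204:27374 SYN_SENT
TCP xxxx:3744 213.205.225.205:27374 SYN_SENT
TCP xxxx:3745 213.205.225.206:27374 SYN_SENT
TCP xxxx:1761 202.99.166.61:6667 ESTABLISHED
TCP 0.0.0.0:1764 0.0.0.0:0 LISTENING
UDP 127.0.0.1:3205 *:*
"""

def parse_netstat(text):
    """Return (proto, remote_host, remote_port, state) for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip headers and the 'Active Connections' banner
        host, _, port = parts[2].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        rows.append((parts[0], host, port, state))
    return rows

def find_scan_runs(rows, min_run=3):
    """Outbound SYN_SENT to one port across >= min_run consecutive IPs = scanning."""
    by_port = defaultdict(set)
    for proto, host, port, state in rows:
        if proto == "TCP" and state == "SYN_SENT":
            by_port[port].add(int(ip_address(host)))
    runs = []  # (remote_port, first_ip_in_run, run_length)
    for port, addrs in by_port.items():
        ordered = sorted(addrs)
        start, length = ordered[0], 1
        for prev, cur in zip(ordered, ordered[1:]):
            if cur == prev + 1:
                length += 1
                continue
            if length >= min_run:
                runs.append((port, str(ip_address(start)), length))
            start, length = cur, 1
        if length >= min_run:
            runs.append((port, str(ip_address(start)), length))
    return runs

def find_c2_sessions(rows, ports=("6667",)):
    """ESTABLISHED sessions to ports the thread associates with the controller."""
    return [(h, p) for proto, h, p, s in rows if s == "ESTABLISHED" and p in ports]
```

Feed it a pasted `netstat -an` capture instead of `SAMPLE` and the two functions return the scan runs and controller sessions worth investigating first.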
-
September 5th, 2002, 07:50 PM
#9
Hmmm... rushed the explanation a little bit...
What I was getting at is that part of the functionality of SubSeven is that it can scan for other infected/trojaned machines and then report back the results (which is what I was alluding to when I mentioned it could do scans). What I didn't elaborate on is that the connections were going out to 27374 from his computer and were probably the result of his computer being used to do further scanning... And as souleman has correctly stated, the two addresses that you are seeing pop up frequently are probably the culprits who are controlling your computer....
More reading on SubSeven... (and there are tons of links in those articles)
http://www.f-secure.com/v-descs/subseven.shtml
http://www.iss.net/security_center/static/6550.php
Sorry, should have elaborated a little more...
Thanks for the correction.
Neb