script.exe ??
Results 1 to 9 of 9

Thread: script.exe ??

  1. #1
    Member
    Join Date
    Oct 2001
    Posts
    31

    script.exe ??

    everytime i start windows something called script.exe is running in the background, i have seen it try to connect to 2 different ip addys and have blocked it.

    the 2 addys are 202.99.166.61:6667 (which turned out to be a japanese/korean website)
    and the other 194.168.4.100NS

    i done a neotrace on the 2nd one and this time the ip terminated in the UK and give me the following info :
    NeoTrace Trace Version 3.25 Results
    Target: 194.168.4.100
    Date: 9/5/02 (Thursday), 10:30:58 AM
    Nodes: 11


    Node Data
    Node Net Reg IP Address Location Node Name
    1 - - 213.106.205.235 St. Helens m7y1i8
    2 1 - 10.51.48.1 Unknown
    3 1 - 10.0.123.162 Unknown
    4 1 - 10.0.123.12 Unknown
    5 1 - 10.0.186.27 Unknown
    6 2 1 213.105.172.117 Unknown man-bb-b-so-130-0.inet.ntl.com
    7 2 - 62.253.185.138 Unknown
    8 2 1 213.105.172.130 Guildford gfd-bb-b-so-500-0.inet.ntl.com
    9 2 1 213.105.172.197 Guildford gfd-bb-a-ge-020-0.inet.ntl.com
    10 2 1 213.105.172.153 Guildford gfd-dc-c-v300.inet.ntl.com
    11 3 2 194.168.4.100 Southwark cache1.ntli.net


    Packet Data
    Node High Low Avg Tot Lost
    1 0 0 0 1 0
    2 16 16 16 1 0
    3 13 13 13 1 0
    4 33 33 33 1 0
    5 15 15 15 1 0
    6 15 15 15 1 0
    7 27 27 27 1 0
    8 21 21 21 1 0
    9 20 20 20 1 0
    10 19 19 19 1 0
    11 36 36 36 1 0


    Network Data
    Network id#: 1

    OrgName: IANA
    OrgID: IANA-2

    Network id#: 2
    NTL Internet
    Crawley Court
    Winchester
    Hampshire
    SO21 2QA

    Network id#: 3
    NTL Internet
    Crawley Court
    Winchester
    Hampshire
    SO21 2QA



    Registrant Data
    Registrant id#: 1
    Registrant:
    Cable Online (NTL5-DOM)
    NTL House Dunleavy drive
    cardiff, uk cf11 0ww
    GB

    Registrant id#: 2
    Registrant:
    Cable Online (NTLI3-DOM)
    Online House Cleppa Park
    Newport, NP1 9UG
    UK

    _____
    NeoTrace Copyright 1997-2001 NeoWorx Inc

    i cant make much out from this stuff but why would it be trying to connect to my pc through script.exe?
    any help or ideas on whats happening would be very appreciated as since ive found this running i've also had my pc infected with the funlove virus which is proving pretty hard to get rid of and i've also had my 6 digit icq number stolen ( i think), i'm gonna do a fdisk & format my hd but i'd like to find out as much as possible about this before i do so i can maybe get my icq number back...

    thanks a lot.

    ivan.

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Run netstat and see what you have for established connections, then post the results. thanks.
    Avenger
    Remember -
    The ark was built by amatures...
    The Titanic was built by professionals.

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Not only should you provide the results of a netstat -an, but you should also do the following:

    1) get FPort . Run it and see what other ports they program is listening too...

    2) mention what OS you have and whether or not you use PPP, dialup, SLIP, or any of them at all. A quick run through google indicated that win 95 dialup used script.exe to establish connections (dialup scripting tool).

    3) Give the full pathname of the file being run.
    This url indicates that there is a virus named script.exe that installs in the fonts folder and tries to connect to websites (sounds similar to this):



    Get that information back to us (I would recommend sanitizing it to remove your IP (just use something like aaa.bbb.ccc.ddd in its place to protect the innocent)) and I would be glad to help you more...

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Member
    Join Date
    Oct 2001
    Posts
    31
    thanks for the replys, here are my netstat details :

    TCP xxxx:3487 213.205.224.202:27374 SYN_SENT
    TCP xxxx:3743 213.205.225.204:27374 SYN_SENT
    TCP xxxx:3488 213.205.224.203:27374 SYN_SENT
    TCP xxxx:3744 213.205.225.205:27374 SYN_SENT
    TCP xxxx:3489 213.205.224.204:27374 SYN_SENT
    TCP xxxx:3745 213.205.225.206:27374 SYN_SENT
    TCP xxxx:3490 213.205.224.205:27374 SYN_SENT
    TCP xxxx:3746 213.205.225.207:27374 SYN_SENT
    TCP xxxx:3491 213.205.224.206:27374 SYN_SENT
    TCP xxxx:3747 213.205.225.208:27374 SYN_SENT
    TCP xxxx:3492 213.205.224.207:27374 SYN_SENT
    TCP xxxx:3748 213.205.225.209:27374 SYN_SENT
    TCP xxxx:3493 213.205.224.208:27374 SYN_SENT
    TCP xxxx:3749 213.205.225.210:27374 SYN_SENT
    TCP xxxx:3494 213.205.224.209:27374 SYN_SENT
    TCP xxxx:3750 213.205.225.211:27374 SYN_SENT
    TCP xxxx:3751 213.205.225.212:27374 SYN_SENT
    TCP xxxx:3752 213.205.225.213:27374 SYN_SENT
    TCP xxxx:3753 213.205.225.214:27374 SYN_SENT
    TCP MY ADDY:3754 213.205.225.215:27374 SYN_SENT
    TCP xxxx:3755 213.205.225.216:27374 SYN_SENT
    TCP xxxx:1761 202.99.166.61:6667 ESTABLISHED
    UDP 127.0.0.1:3205 *:*
    C:\WINDOWS>netstat -an

    Active Connections

    Proto Local Address Foreign Address State
    TCP 0.0.0.0:1764 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:3205 0.0.0.0:0 LISTENING
    TCP xxxxMY IP ADDY:1764 202.99.166.61:6667 ESTABLISHED
    UDP 127.0.0.1:3205 *:*


    when i first done the netstat command it went a bit mad and scrolled quicly down the screen as if there was lots of connections, then i run it again and got fewer results as you can see, i have noticed the address of the japanese/korean website seems to be connecting to my comuter for some reason..( i have changed my ip to xxxx as advised)

    i done a search for script.exe on my pc and the file seems to live in c:windows and is 101KB

    i have downloaded Fport-2.0 from the link but it seems to be missing a PSAPI.DLL file and wont run on my pc.

    i'm using win98SE and have got a cable connection.

    cheers again. ivan.

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Ok, still need what the full pathname/filename of script.exe...

    However, bad news:
    27374 is the sub-seven port...

    http://www.commodon.com/threat/threat-sub7.htm
    http://www.iss.net/security_center/a...en/default.htm


    I would suspect you are probably trojaned. The first URL will help you remove it.

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  6. #6
    Member
    Join Date
    Oct 2001
    Posts
    31
    ok thanks neb, when u say the full path name, i presumed you was after the location of the file, from the search i presumed in was in the root folder of c:windows, i tried to get into that folder but am unable to as several things on my computer are now not working properly..


    can u explain why the ip of the pc's connected to me via 27374 goes up 1 digit each line in the last octect..

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Probably because they are using the trojan to do scans from your computer (this is mentioned in one of the two url's I gave you). From subseven you can launch DoS attacks and scans, etc and that is what you are seeing....

    pathname means the path or directory that the file is located...for example,

    c:\windows\system32\notepad.exe, the filename would be notepad.exe, the full pathname would be c:\windows\system32

    Alot of times, trojans will be named something that is normally on the OS, but the trojan will be installed in a different location (not always, but sometimes), and that is why I was asking about it (and about the OS to try to determine if you would legitmately have script.exe on your pc)...

    Either way, I would say you almost certainly have subseven installed. I think I saw that you said y ou were gonna format and start over, if that is the case, I would go ahead and do it. I would also recommend that once you do get your OS installed, that one of the first things you do is to install a personal firewall (for example zone alarm or agnitum outpost or tiny) and a modern antivirus with current signatures. Those would go a long way towards keeping this from happening again...


    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #8
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    Ummm, yeah, that looks like sub7, but I think you got your explination backwords nebulus

    The 2 ip's that it is sending messages to are the clients that the sub7 server on your computer is trying to connect to. The 213.205.225.x:27374 connections are probably your computer scanning for other sub7 servers. Here is probably what happenend:

    you dl'd/opened a sub7 trojan that installed itself as script.exe
    when you connect, the trojan "phones home" for instructions (the 2 address that always show up)
    one of those address is giving your trojan the command to scan for other trojans. (it probably gives this command to multiple servers and each one scans a seperate IP block)
    your computer will eventually "phone home" with the results and get new instructions.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  9. #9
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Hmmm...rushed the explanation a little bit...

    What I was getting at that is part of the functionality of subseven is that it can scan for other infected/trojaned machines and then report back the results (which is what I was aluding to when I mentioned it could do scans). What I didn't elaborate on is that the connections were going out to 27374 from his computer and were probably the result of his computer being used to do further scanning...And as soulman has correctly stated, the two addresses that you are seeing pop up frequently are probably the culprits on who is controlling your computer....

    More reading on subseven...(and there are tons of links in those articles)
    http://www.f-secure.com/v-descs/subseven.shtml
    [url]http://www.iss.net/security_center/static/6550.php[url]

    Sorry, should have elaborated a little more...

    Thanks for the correction.

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •