September 6th, 2002, 10:24 AM
Last night I was going to play some online game that uses a browser and Java. Dunno why, I was curious to know which port it was using and if the connection was continuous or just to send the scores.
I started Jammer 2.0, a nice firewall and analyzer I bought a few months ago. I hadn't started it for a long time because I now have a little ZyXEL as a router and basic FW.
As soon as it started it asked me if taskmngr.exe was allowed to access the internet... notice that it had the mIRC icon. I said "allow once", but then got suspicious. I looked at my sidebar and noticed that the Task Manager was NOT running. I opened it and noticed that the Task Manager is "taskmgr.exe".
I closed the other one and started searching on the internet. It turned out it's a trojan, it was going on IRC and maybe running DoS attacks!
I found a list of files and cleaned everything.
This is a good URL with some thoughts of other people:
I just read MS already released a public advisory.
The client was probably connecting to f0.ods.org (I found it in the ini files) and I think it was using port 6669 (jammer told me). Port 6669 was closed last night, when I checked, or at least unreachable. I got on port 6667 and joined a channel that was named in the ini files, but I couldn't find anyone.
Oh, BTW, I checked my firewall and noticed that I had set it to let anyone to reach my PC!!! How stupid!
September 6th, 2002, 01:51 PM
Man, I got two words for you concerning security: BE PARANOID.
If you don't know what it is and why it's connecting to the internet, don't allow it. First find out what it is (Google, etc.) and why it's accessing the net.
Also: always use a firewall, do frequent virus checks and check
September 6th, 2002, 08:39 PM
Sounds like that would not be a good thing to occur. You very well may have been hacked or Trojaned. Task Manager should not request a socket. It is used to schedule a program or task to run, and the program that is scheduled to run should be shown as initiating that connection.
99.9999% of the time if you are not 100% sure what the program is doing, Block it!!!! If you notice a loss of functionality after that point then investigate further... But nothing is wrong with "Controlled Paranoia"
September 6th, 2002, 08:54 PM
Something to keep in mind, one of the more common features of trojans is the ability for them to log on to IRC, and send a message to a channel announcing that it has successfully taken over the computer it is on and then the hacker can go in at their leisure and do whatever they want to do...
Assuming you have fully cleaned your computer (and I would look very very hard at every file), make sure you have
1) fully patched everything on your computer (windowsupdate is your friend)
2) obtained a good AV package with very recent antivirus (scan again)
3) boot up without outside network connectivity and then monitor your computer for attempts to access anything on the internet
if you see anything happen on part 3, take a harder look at antiviral software and consider finding a trojan removal program (look through archives, I have seen many suggestive threads)...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
September 6th, 2002, 09:05 PM
Not to be annoying or anything... may I recommend that if you suspect a trojan or unauthorized internet access try a netstat -an, see what is going on and who is holding the ports open. Research those ports on Google or whatever is convenient.
Also not just an AV should be investigated but maybe a desktop firewall or hardening of your box. Block any port or service that is not needed. You can also tell in netstat what sockets are open and to whom they are opened. If you investigate the DNS records of those connections through PTR RR or something it should give you an idea of who or what is talking to your box.
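The netstat check above, as an added example (not code from anyone in this thread): it parses `netstat -an` style output, flags connections to the IRC ports the original poster mentioned (6667/6669 and their neighbours), and offers the PTR lookup the post suggests. The netstat lines and addresses are constructed sample data, not a real capture.

```python
import re
import socket
from collections import namedtuple

# Constructed sample of Windows `netstat -an` output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      192.168.1.1:139        ESTABLISHED
  TCP    192.168.1.10:1057      203.0.113.45:6669      ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.7:6667      SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# Ports commonly used by IRC; the thread names 6667 and 6669 as the trojan's channel.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Turn netstat text into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        rport = int(rport) if rport.isdigit() else None  # UDP shows "*:*"
        conns.append(Conn(proto, lip, int(lport), rip, rport, state))
    return conns

def suspicious_irc(conns):
    """Connections whose remote port is an IRC port, whatever their state."""
    return [c for c in conns if c.remote_port in IRC_PORTS]

def reverse_lookup(ip):
    """PTR lookup of the remote side; needs network access, so failures yield None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

if __name__ == "__main__":
    for c in suspicious_irc(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c.proto} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} "
              f"{c.state} ptr={reverse_lookup(c.remote_ip)}")
```

On a live box, pipe the real `netstat -an` output into `parse_netstat` instead of the sample text.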
September 6th, 2002, 09:29 PM
I found another tool that will list the applications in use with what protocols and ports. It's pretty nifty. It's called fport and you can find it here.
September 6th, 2002, 09:45 PM
carbonlifeform, I think that is the worst thing that I have ever heard. Where would we be today if we just threw away everything that we had no clue about? Hrmm, I couldn't count the numerous amounts of files I have opened and explored without being paranoid.. I think I have had to format 1 time in the 15 years of computing due to a virus/trojan, and it happened to be the Monkey virus, a very annoying bugger.. :> Well, my suggestion, don't be paranoid, I say open it, if you get it, find out how to get rid of it. That sometimes is the best part.
September 6th, 2002, 09:52 PM
I suggest if you're randomly going to open files... Do it on a test machine which you have imaged so that if you get stuck you can reimage it. Also, make sure it is on a service network so that you can monitor it with an IDA or something else.... Also keep your testing off of your backbone!!!!
If you don't then get the tattoo on your forehead...Don't be that guy who experiments with 12 live viruses in his network....
Controlled Paranoia.....administer this!! Lol
That was my attempt at Humor... no offense intended
A slice of "Controlled Paranoia" is worth its weight in prevention...... Of course Stupidity and Faith is just fun!!!
September 6th, 2002, 11:14 PM
Ok, there is an exploit in Windows where it searches for the program in the PATH, and in 90% of all systems it's configured to look through C:\%SystemRoot% and then C:\%SystemRoot%/system32, so if there is a trojan-ed copy of taskmgr.exe in your C:\Windows or C:\WinNT folder that is the copy with the trojan....... The system32 copy is probably genuine, but run a scan on it anyway..
I found a very similar virus to the one you are talking about and this one does not carry a damaging payload either here
Try the following virus scanners (they allow you to submit a single file online for scanning, I suggest you submit taskmgr.exe and any other copies of it)
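A check for the PATH-shadowing situation described in the post above, as an added example (not from anyone in this thread): it walks the search directories in order, hashes every file with the given name, and reports whether the copy that would actually launch lives outside the trusted system32 folder with different contents. The `%SystemRoot%\system32` location in the demo run is an assumed layout.

```python
import hashlib
import os

def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_copies(name, search_dirs):
    """Every file called `name` along `search_dirs`, in search order.
    The first hit is the copy a bare command name would launch."""
    found = []
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            found.append((candidate, sha256_of(candidate)))
    return found

def shadow_report(name, search_dirs, trusted_dir):
    """Compare the copy that would launch against the copy in `trusted_dir`.
    Returns (launched_path, trusted_hash_or_None, shadowed_bool)."""
    copies = find_copies(name, search_dirs)
    if not copies:
        return None, None, False
    launched_path, launched_hash = copies[0]
    same_dir = lambda p: os.path.normcase(os.path.dirname(p)) == os.path.normcase(trusted_dir)
    trusted = [h for p, h in copies if same_dir(p)]
    trusted_hash = trusted[0] if trusted else None
    # Shadowed: the launched copy sits outside trusted_dir and its content differs from
    # the trusted copy (or there is no trusted copy at all to compare against).
    shadowed = (not same_dir(launched_path)) and launched_hash != trusted_hash
    return launched_path, trusted_hash, shadowed

if __name__ == "__main__":
    # Live Windows run: assumed layout where the genuine binary lives in %SystemRoot%\system32.
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    print(shadow_report("taskmgr.exe", os.environ.get("PATH", "").split(os.pathsep), system32))
```

Any copy reported as shadowed is the one to submit to the online scanners listed above, together with its hash.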
September 7th, 2002, 12:13 AM
Shads, I understand your sense of adventure but you are a network admin's nightmare. It's all fine and dandy to play with suspicious files on a standalone machine where there is no data being risked but if I found out an end user was randomly opening files on a network I supported I'd have a fit and I would stop them by whatever means necessary.
Again, I understand wanting to understand viruses/trojans/worms etc. I'm just advocating doing it sanely, if nothing more than for the sake of the admin's sanity.