ssmypics.scr (Slideshow Screensaver) connecting online by itself?!

[SawPer]

I have Sygate's Personal Firewall installed, which I like a lot.
Today something really strange happened.
I always leave my computer with My Slideshow Screensaver on. Running WinXP Pro.
Twice today, Sygate warns about if I want to let my screensaver communicate with 2 different IP addresses (but same MAC address, pretty strange huh!?!)
I guess maybe something hijacked my screensaver, or anyone knows anything else that could be going on here?


Here are the two logs if anyone is interested:

1.

File Version : 5.1.2600.0 (XPClient.010817-1148)
File Description : My Pictures Slideshow Screensaver (ssmypics.scr)
File Path : D:\WINDOWS\system32\ssmypics.scr
Process ID : 0x310 (Heximal) 784 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 24.xx.xx.xx
ICMP Type : 11 (Time Exceeded for Datagram)
ICMP Code : 1 (Fragment Reassembly Timer Expired - from host)
Remote Name :
Remote Address : 213.102.217.187

Ethernet packet details:
Ethernet II (Packet Length: 84)
Destination: 00-03-fe-e6-00-54
Source: 00-xx-xx-xx-xx-xx
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0xcf58 (Correct)
Source: 24.xx.xx.xx
Destination: 213.102.217.187
Internet Control Message Protocol
Type: 11 (Time Exceeded for Datagram)
Code: 1 (Fragment Reassembly Timer Expired - from host)
Data (32 bytes)

Binary dump of the packet:
0000: 00 03 FE E6 00 54 00 10 : DC D7 BE 0C 08 00 45 00 | .....T........E.
0010: 00 38 97 59 00 00 80 01 : 58 CF 18 D9 82 A1 D5 66 | .8.Y....X......f
0020: D9 BB 0B 01 C7 AC 00 00 : 00 00 45 00 05 AC 7F 40 | ..........E....@
0030: 20 00 6D 06 5E 6F D5 66 : D9 BB 18 D9 82 A1 06 96 | .m.^o.f........
0040: 12 36 75 79 9F 0C 8B 8A : A0 5A 0F 80 2E 87 02 D8 | .6uy.....Z......
0050: 3F F5 0F 85 : | ?...


2.

File Version : 5.1.2600.0 (XPClient.010817-1148)
File Description : My Pictures Slideshow Screensaver (ssmypics.scr)
File Path : D:\WINDOWS\system32\ssmypics.scr
Process ID : 0x310 (Heximal) 784 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 24.xx.xx.xx
ICMP Type : 11 (Time Exceeded for Datagram)
ICMP Code : 1 (Fragment Reassembly Timer Expired - from host)
Remote Name :
Remote Address : 80.170.66.47

Ethernet packet details:
Ethernet II (Packet Length: 84)
Destination: 00-03-fe-e6-00-54
Source: 00-xx-xx-xx-xx-xx
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x64bb (Correct)
Source: 24.xx.xx.xx
Destination: 80.170.66.47
Internet Control Message Protocol
Type: 11 (Time Exceeded for Datagram)
Code: 1 (Fragment Reassembly Timer Expired - from host)
Data (32 bytes)

Binary dump of the packet:
0000: 00 03 FE E6 00 54 00 10 : DC D7 BE 0C 08 00 45 00 | .....T........E.
0010: 00 38 51 0D 00 00 80 01 : BB 64 18 D9 82 A1 50 AA | .8Q......d....P.
0020: 42 2F 0B 01 01 7C 00 00 : 00 00 45 00 05 AC 56 1E | B/...|....E...V.
0030: 20 00 6D 06 A3 DA 50 AA : 42 2F 18 D9 82 A1 10 29 | .m...P.B/.....)
0040: 12 36 8C 6B 44 B8 1D C4 : 04 F9 1F C4 04 3F E5 73 | .6.kD........?.s
0050: 0C A5 A8 0C : | ....

[SDK]

Screensaver are a casual way for virus, ad-ware, spyware and more ugly stuff!!

[MrLinus]

Interesting. I'd do a netstat -aq (I think it's q on Windows -- identifies process with the network connection) and see if there are any connections. The first remote address goes to Sweden and the 2nd goes to France. I would have thought at first it goes to Microsoft but apparently there is something more going on here.

Screensaver are a casual way for virus, ad-ware, spyware and more ugly stuff!!

Yes but this is the built-in Microsoft screensaver that rotates pictures in your MyPictures directory. I think I'm going to have to fire up windump at work and see what things are going on there.

[SawPer]

Yeah, Sygate P.F. does have a "netstat" feature as well, but couldn't see anything else going on at the same time, and since I denied the communication I guess/hope I stopped what ever was trying to start.
My first thought was also that it was something tricky going on from MS, but obviously not. I just came to think about how the screen saver is set. It is pretty much set to show any pictures on the whole C: drive, which probably could include some pictures I don't really care to show, like browser history and stuff...

Could a "bad" (infected) picture cause things like this???

Thanks for your thoughts!

[MrLinus]

Certainly. The "rumored" (I haven't personally seen this) jpeg virus(es) that exist might be the cause. Personally, I'd be "stringing" the pictures and looking for anything out of the ordinary. I'd also have a sniffer online trying to see if there are other activities. And, I know Sygate has one but I do it seperately in the cmd as well as a precaution (layers of security.. use more than one method because sometimes tools only present their view, which may not be a complete and/or accurate picture).

[jinxy]

Hi all.

MsM, it's not netstat -aq with windows. Attached is a screen shot showing Cmd and the available netstat commands.


Jinxy

[MrLinus]

Oops. .it was netstat -ao. (I missed it by a letter)

[mark_boyle2002]

I would assume that the screensaver you are using is some sort of freeware, or shareware.

Its probably just trying to communicate with its creators server.

[MrLinus]

I would assume that the screensaver you are using is some sort of freeware, or shareware.

Actually, mark, this is Microsoft's built-in product, the "My Screen Saver Slide Show" (or something like that).

[steve.milner]

I don't know much about slideshow, but IIRC it will use HTML pages for its slide show.

Perhaps the HTML is what's making the connections

Just my 2c

Steve