There are literally an exhaustive number of different options you could try.
For simplicity sake, I will reference just a few.
1. You mentioned using netstat on Unix -- you can use the netstat command
in XP within a Dos session. Simply type "netstat -ano" -- the "o" option
will provide PID information. You could then open task manager and add the
PID column to make the connection between the information learned from
netstat and task manager.
2. Try using highjackthis -- it is a freeware program that can be
downloaded.
3. You also could install the free version of zone alarm and gather
incoming/outgoing traffic in the firewall logs.
------------------------------------------------
Roger Padilla, Jr.
Cal Poly
ITS/PS3
Network Analyst
Office: (805) 756-5294
Email: mailto:ropadill@calpoly.edu
------------------------------------------------
-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Rodrigo Ventura
Sent: Friday, December 10, 2004 10:51 AM
To: focus-virus@securityfocus.com
Subject: what is the best procedure to track down a potentially new
virus/worm/etc?
I have a couple of PCs (running XP) which I'm sure are infected with some
kind of malware. Common anti-virus such as OfficeScan and Symantec do not
detect them. They seem to be irc bots. They try to connect to IRC servers,
using a password, and receive from there instructions on what to do, namely
scan for LSASS vulnerabilities by scanning the entire IP subnet in random. I
sniffed the IRC servers IPs and passwords, and confirmed my suspicions,
after entering in those IRC servers (and being banned as soon as detected by
the admins). Moreover, they open backdoors, which accoriding to the kind of
responses to a telnet, seem spam relayers, or FTP servers (not sure which).
(My response to this threat was to block the IPs of the suspicious IRC
servers in the firewall. This calmed down the packet storms I've been
watching...)
My question is, what do you think is the best procedure to track down the
executables responsible for this behavior? After tracking them down, I could
submit the sample to several online scanners in order to determine which
specific malware is affecting the PCs.
It it were UNIX, I could use commands like socklist and netstat to track
down the malware processes. But in Windows XP, I don't know what to use. Are
there any built-in utilities? Some freeware stuff? All help is welcome.
And regarding the IRC server IPs, is it worthwhile to report them to the
authorities specified in the whois databases?
Cheers,
Rodrigo
--
*** Rodrigo Martins de Matos Ventura <yoda@isr.ist.utl.pt>
*** Web page: http://www.isr.ist.utl.pt/~yoda
*** Teaching Assistant and PhD Student at ISR:
*** Instituto de Sistemas e Robotica, Polo de Lisboa
*** Instituto Superior Tecnico, Lisboa, PORTUGAL
*** PGP fingerprint = 0119 AD13 9EEE 264A 3F10 31D3 89B3 C6C4 60C6 4585
