Help with undetectable Worm?!

Discussion in 'Windows Desktop Systems' started by florencegale1820, Jul 19, 2006.

  1. florencegale1820

    florencegale1820 OSNN One Post Wonder

    Hey All,

    I am having what looks to be some kind of RPC worm problem that I
    cannot find the answer to.

    Yesterday I noticed a ton of firewall connections coming from 7
    different subnets inside my private network out to the Internet all
    going to port 135 on the following the address I did a
    whois lookup and this is a parked domain with I called
    them and they block traffic to 135 at their firewall so they were not
    concerned. I was telling what this thing is doing. I
    remote desktopped into one of the machines and ran netstat -ano
    |findstr ":135" and looked up the PID in the task manager and it was
    one of the svchost.exe processes making the connection. To dig
    further, I installed Sysinternals Process Explorer and was able to see
    that the machine is making multiple connections from diff local ports
    (all to At this point I was thinking it was some
    kind of Blaster variant/Trojan/Spyware. However no known tool can find
    anything. I have tried the following:

    Symantec, Norton AV, AVG, Windows One Care, Windows Defender, HijackThis,
    TrendMicro online scanning, Symantec Blaster Removal, Windows
    Malicious Software Removal Tool.

    None of these detected a thing. The system in question is running XP
    SP2 with all the latest updates and has Auto Update turned on. The
    process is starting up right after a user logs in and runs until
    logout. I installed Wireshark (open source sniffer) and ran some
    packet captures. Here are some of the things it is doing:

    Issuing 1 byte TCP Keep Alive requests from port 1911 to port 135 on
    Issuing 20 and 4 byte TCP Syn/Acks to and receiving
    replies back from.
    Makes HTTP get request to for wpad.dat (which isn't there,
    the site redirects to a parked domain page at I can see the
    ascii of the html layout of the page in the dump.

    I called MS and spoke to someone at their "PC Safety Virus and Spyware"
    center. Let's just say, he wasn't very helpful. After an hour of him
    putting me on hold and having to explain what was going on like 10
    times, he told me to call my SysAdmin (I am the sysadmin!) and then to
    call the main MS Customer Service number. That was a loooot of fun.

    I could just block this all at my firewall (I have a 37 site frame
    network that all routes through one central office), but I want to know
    what this is and what it is doing. I have exhausted all of my other
    geek resources locally and googled til my fingers bled.

    Any ideas?


    PS...sorry for the long post
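A present-day way to do the netstat -ano / PID / Process Explorer triage the post describes, as an added example (it is not the poster's code and is not from this thread): list every connection to TCP 135, map it to the owning process, and for svchost.exe instances name the services that PID hosts, which is the detail Task Manager alone does not show. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Get-NetTCPConnection); the remote address parameter is a placeholder to be replaced with the address seen in the firewall logs.

```powershell
# Added example, not from the original post. Run from an elevated prompt so
# process paths and signatures are readable for processes of other users.
param(
    [int]$RemotePort = 135,
    [string]$RemoteAddress = '*'   # placeholder, e.g. '203.0.113.10' (documentation range)
)

# Index running services by hosting PID so each svchost.exe can be explained.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $key = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += $_.Name
}

# One row per connection to the suspicious port: local port, remote endpoint,
# owning process, its image path, whether the image is Authenticode-signed,
# and (for svchost.exe) the services sharing that PID.
Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue |
    Where-Object { $RemoteAddress -eq '*' -or $_.RemoteAddress -eq $RemoteAddress } |
    ForEach-Object {
        $procId = [int]$_.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $path   = if ($proc) { $proc.Path } else { $null }
        $sig    = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            State     = $_.State
            PID       = $procId
            Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path      = $path
            Signature = $sig
            Services  = ($servicesByPid[$procId] -join ',')
        }
    } | Format-Table -AutoSize
```

A legitimate svchost.exe will show a System32 path, a Valid signature and a known service group in the Services column; an unexpected path, a misspelled image name or an unsigned binary is what to escalate on.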
  2. Allenhan

    Allenhan OSNN One Post Wonder

    thanks for that great information...