Security Incidents mailing list archives

Re: strange windows behaviour.


From: Karl Levinson <levinson_k () despammed com>
Date: 9 Oct 2003 14:10:40 -0000

In-Reply-To: <20031007170330.GI1196 () sparky finchhaven net>

You've gotten some good advice already.  FWIW, I would not first suspect adware in either of the cases below. 

Regarding the university report, the fact that winservn.exe does not show up in a Google.com search plus the fact that 
it is listening for inbound connections does not make me think adware.  

In both incidents, I would want to save and submit the responsible file to the anti-virus vendor for inspection.

Regarding the original poster's incident, knowing the ports and remote IP addresses involved would be helpful.  If you 
haven't already, running one of the previously mentioned port inspecting tools such as Fport from 
Foundstone.com/knowledge that actually tells you what executable is generating the traffic should be done.  Inspecting 
firewall and IDS logs for traffic from the affected machines or ports and/or running a sniffer such as Ethereal, 
Windump or Snort could be useful.  [Windows Netstat utility doesn't give you that information unless you're running 
XP.]  Plus pretty much all the standard procedures one would do for incident response and inspection of mystery 
executables, as detailed in the Osborne book "Incident Response," at www.cert.org/tech_tips, http://csrc.nist.gov, etc.



Date: Tue, 7 Oct 2003 10:03:30 -0700
From: John Sage <jsage () finchhaven com>

I've got a bit of a problem, and I was wondering if anyone on this list
has seen similar things.  Recently, we've been having student windows
machines on our residential network begin spewing large, massive (on the
order of hundreds of thousands in a few hours) spam messages at our mail
servers.  We promptly disconnect the machines and head down to do some
forensic work on the boxes when we get a chance (usually after they call
to complain that the internet has died).


From: Paul Russell <prussell () nd edu>
To: unisog () sans org
Subject: [unisog] Spam from student-owned computers
Date: Mon, 06 Oct 2003 15:51:12 -0500

Checking all of the programs that were automatically started at boot,
it appeared as though the student had a lot of optional things running
in the background, including winsrvn.exe.  He believed that this
particular program was installed as part of Purity Scanner, which,
apparently, scans one's hard drive for inappropriate materials.  It
turns out that Purity is actually adware, and is often bundled with
Grokster (P2P program).  Further, it looked as though the student was
using Grokster.  From what I've been able to find with a web search,
Grokster sometimes includes ancillary software that may contain back
doors.  I had the student email me a zip of the winsrvn.exe for later
examination.  The other mysterious process (system:4) seemed to
disappear after I removed winservn.exe (perhaps the two were
related?).

/* end post fragment */


HTH..
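As an added illustration of the port-to-executable check the reply recommends (this is example code, not part of the original post or of any tool named in the thread): on Windows XP, `netstat -ano` reports the owning PID for each socket and `tasklist /fo csv` maps PIDs to image names, so joining the two listings attributes every listening port and outbound connection to an executable. The netstat and tasklist text below is constructed for the example, the `KNOWN_LISTENERS` allowlist is a hypothetical baseline, and the PID, port and address values are invented; the point is the join and the two checks that follow from the thread, an unexpected listener and a process opening many SMTP connections.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (Windows XP format). These
# addresses, ports and PIDs are invented for the example, not captured data.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:4662           0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:1042        198.51.100.25:25       ESTABLISHED     1532
  TCP    192.0.2.10:1043        198.51.100.26:25       ESTABLISHED     1532
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output (also invented).
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","220 K"
"svchost.exe","884","Console","0","4,520 K"
"winservn.exe","1532","Console","0","3,104 K"
'''

# Hypothetical allowlist: image names the administrator expects to own
# listening sockets on a student machine. Anything else is reported.
KNOWN_LISTENERS = {"system", "svchost.exe", "lsass.exe"}

# One netstat data line: proto, local, remote, optional state (absent for UDP), pid.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Parse `netstat -ano` output into socket records; header lines are skipped."""
    records = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        records.append({"proto": proto, "local": local, "remote": remote,
                        "state": state or "", "pid": int(pid)})
    return records


def parse_tasklist(text):
    """Parse `tasklist /fo csv` output into a PID -> image name map."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def port_of(addr):
    """Port number of an 'ip:port' string (IPv4 form as netstat prints it)."""
    return int(addr.rsplit(":", 1)[1])


def attribute_sockets(netstat_text, tasklist_text):
    """Join the two listings so each socket record carries the owning executable."""
    images = parse_tasklist(tasklist_text)
    rows = []
    for rec in parse_netstat(netstat_text):
        rec = dict(rec)
        rec["image"] = images.get(rec["pid"], "<unknown pid>")
        rows.append(rec)
    return rows


def review(rows, known_listeners=KNOWN_LISTENERS):
    """Return (unexpected listeners, count of established SMTP connections per image).

    A listener owned by an image outside the allowlist is the kind of finding the
    thread describes (an unknown executable accepting inbound connections); many
    connections to remote port 25 from one process is the spam-relay symptom.
    """
    unexpected = []
    smtp_by_image = {}
    for r in rows:
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["remote"] == "*:*")
        if listening and r["image"].lower() not in known_listeners:
            unexpected.append((r["image"], r["proto"], port_of(r["local"]), r["pid"]))
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and port_of(r["remote"]) == 25:
            smtp_by_image[r["image"]] = smtp_by_image.get(r["image"], 0) + 1
    return unexpected, smtp_by_image


if __name__ == "__main__":
    rows = attribute_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    unexpected, smtp = review(rows)
    for image, proto, port, pid in unexpected:
        print(f"unexpected listener: {image} (pid {pid}) on {proto}/{port}")
    for image, count in smtp.items():
        print(f"{image}: {count} established connection(s) to remote port 25")
```

On a live XP box the two samples would be replaced by the output of `netstat -ano` and `tasklist /fo csv` saved to text files before the machine is disconnected, so the attribution survives for the later write-up; the allowlist is the part that has to be tuned to what the site actually runs.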


