Wireshark mailing list archives

Re: WindowsXP Broadcast question * Resolved *


From: Tim Takata <tim.takata () gmail com>
Date: Wed, 10 Feb 2010 16:07:03 -0800

Some closure on this:

I found the culprit.

File Name: nettray.exe
File Path: C:\Documents and Settings\%infected-username%\Application Data\
File Size: 30 KB (30,720)

File Attributes: Read-only, Hidden

------------------

Conclusion: After further review it looks like it broadcasts 3 NBNS to
CN.KING.CD every 5 seconds give or take. I found several hits on
Google for Trojan/Backdoor relation to the file.

Thanks to everyone who responded.


Tim.


On Sun, Feb 7, 2010 at 7:11 AM, Stuart Kendrick <skendric () fhcrc org> wrote:
No, I haven't.  Windows boxes broadcast NBNS look-ups and announcements for
a range of reasons, and chatter in this fashion with a loquacity I find
astonishing.  But I haven't seen a single station broadcast with that
frequency (every few seconds) nor look up the NetBIOS name 'CN.KING.CD'.

If I had to guess, I would make the same guess you are making.  Sounds like
you have a bunch of boxes infected with some flavor of malware, (though I
don't know why that malware is performing CN.KING.CD look-ups every few
seconds, nor why it is using NBNS rather than DNS).

Brain-storming here:  you could gather a list of the infected IP addresses
using Wireshark, then perform NBNS look-ups on those addresses:

C:\temp>nbtstat -A 10.11.88.152

Hutch:
Node IpAddress: [10.11.88.152] Scope Id: []

          NetBIOS Remote Machine Name Table

      Name               Type         Status
   ---------------------------------------------
   SALLY          <00>  UNIQUE      Registered
   FHCRC          <00>  GROUP       Registered
   SALLY          <20>  UNIQUE      Registered
   FHCRC          <1E>  GROUP       Registered

   MAC Address = 00-1A-A0-AF-A5-A9


C:\temp>

That gets you the NetBIOS name ('Sally') of the infected machine.  With a
little local knowledge, perhaps you can track a NetBIOS name down to a
physical location.

hth,

--sk



Hi, I'm new to the list and thought I'd give this question a try.


Has anyone seen an NBNS Broadcast where all the nodes on a link/subnet are
sending NBNS broadcasts with the following listed in Wireshark's
"Info" column: "Name query NB CN.KING.CD<00>"

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
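The thread's diagnostic step, spotting hosts that keep broadcasting a "Name query NB CN.KING.CD<00>" every few seconds, can be turned into an offline check. The following is an added example written for this archive page, not code from any of the posters: it encodes and decodes the 32-character NetBIOS first-level name label used in NBNS (RFC 1001), parses a bare NBNS name-query UDP payload, and flags any source that issues more than a threshold number of queries for the same name inside a sliding window. The packets, IP addresses, window size and threshold are all constructed for the example; a real run would feed it the UDP payloads and timestamps from a capture instead.

```python
"""Added example: decode NBNS name-query packets and flag hosts that keep
querying the same NetBIOS name, the pattern discussed in the thread."""
import struct
from collections import defaultdict


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes
    with spaces, append the one-byte suffix, then split every byte into two
    nibbles mapped onto 'A'..'P'. The result is the 32-byte label on the wire."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(label: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) != 32:
        raise ValueError("NBNS first-level label must be 32 bytes")
    raw = bytes(((label[i] - ord("A")) << 4) | (label[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(txid: int, name: str, suffix: int = 0x00) -> bytes:
    """Constructed NBNS NAME QUERY REQUEST as a UDP payload (no IP/UDP headers):
    12-byte header with RD and B (broadcast) set, one question of type NB."""
    flags = 0x0110  # opcode 0 (query), RD=1, B=1
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    question += struct.pack(">HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN
    return header + question


def parse_name_query(payload: bytes):
    """Return (name, suffix) for a single-question NB query, else None.
    Responses and queries with a scope id are deliberately skipped."""
    if len(payload) < 50:
        return None
    _txid, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if flags & 0x8000 or qd != 1:  # response bit set, or not one question
        return None
    if payload[12] != 32 or payload[45] != 0:
        return None
    name, suffix = decode_netbios_name(payload[13:45])
    qtype, qclass = struct.unpack(">HH", payload[46:50])
    if qtype != 0x0020 or qclass != 0x0001:
        return None
    return name, suffix


def find_chatty_queriers(packets, window_s=60.0, threshold=10):
    """packets: iterable of (timestamp, src_ip, udp_payload). Returns
    {(src_ip, 'NAME<xx>'): max_count} for every source that sent at least
    `threshold` queries for the same name within any `window_s` window."""
    times = defaultdict(list)
    for ts, src, payload in packets:
        parsed = parse_name_query(payload)
        if parsed is None:
            continue
        name, suffix = parsed
        times[(src, f"{name}<{suffix:02X}>")].append(ts)
    flagged = {}
    for key, ts_list in times.items():
        ts_list.sort()
        j, best = 0, 0
        for i in range(len(ts_list)):  # sliding window over sorted timestamps
            while ts_list[i] - ts_list[j] > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def constructed_capture():
    """Constructed sample modelled on the thread: one host sending three
    CN.KING.CD<00> queries every 5 s, two hosts doing ordinary look-ups, and
    one response packet that the parser must ignore. Addresses are made up."""
    pkts, txid = [], 0x8000
    for t in range(0, 60, 5):
        for k in range(3):
            pkts.append((t + 0.1 * k, "10.11.88.152", build_name_query(txid, "CN.KING.CD")))
            txid += 1
    pkts.append((3.0, "10.11.88.20", build_name_query(0x1234, "SALLY", 0x20)))
    pkts.append((17.0, "10.11.88.21", build_name_query(0x1235, "FHCRC", 0x00)))
    pkts.append((40.0, "10.11.88.21", build_name_query(0x1236, "FHCRC", 0x00)))
    resp = build_name_query(0x1234, "SALLY", 0x20)
    resp = resp[:2] + struct.pack(">H", 0x8500) + resp[4:]  # R bit set: a reply
    pkts.append((3.1, "10.11.88.50", resp))
    return pkts


if __name__ == "__main__":
    for (src, name), n in find_chatty_queriers(constructed_capture()).items():
        print(f"{src} sent {n} NBNS queries for {name} within 60 s")
```

Only the constructed host repeating the CN.KING.CD<00> query is reported; the two hosts making one or two normal look-ups stay under the threshold, and the reply packet is ignored because its response bit is set. The resulting source list is what you would then feed to the `nbtstat -A` step from the thread to recover each machine's NetBIOS name.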

