Wireshark mailing list archives
Re: WindowsXP Broadcast question * Resolved *
From: Tim Takata <tim.takata () gmail com>
Date: Wed, 10 Feb 2010 16:07:03 -0800
Some closure on this: I found the culprit.

    File Name: nettray.exe
    File Path: C:\Documents and Settings\%infected-username%\Application Data\
    File Size: 30 KB (30,720)
    File Attributes: Read-only, Hidden

------------------

Conclusion: After further review it looks like it broadcasts 3 NBNS to CN.KING.CD every 5 seconds, give or take. I found several hits on Google for Trojan/Backdoor relation to the file.

Thanks to everyone who responded.

Tim.

On Sun, Feb 7, 2010 at 7:11 AM, Stuart Kendrick <skendric () fhcrc org> wrote:

No, I haven't. Windows boxes broadcast NBNS look-ups and announcements for a range of reasons, and chatter in this fashion with a loquacity I find astonishing. But I haven't seen a single station broadcast with that frequency (every few seconds) nor look up the NetBIOS name 'CN.KING.CD'.

If I had to guess, I would make the same guess you are making. Sounds like you have a bunch of boxes infected with some flavor of malware (though I don't know why that malware is performing CN.KING.CD look-ups every few seconds, nor why it is using NBNS rather than DNS).

Brain-storming here: you could gather a list of the infected IP addresses using Wireshark, then perform NBNS look-ups on those addresses:

    C:\temp>nbtstat -A 10.11.88.152

    Hutch:
    Node IpAddress: [10.11.88.152] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        SALLY          <00>  UNIQUE      Registered
        FHCRC          <00>  GROUP       Registered
        SALLY          <20>  UNIQUE      Registered
        FHCRC          <1E>  GROUP       Registered

        MAC Address = 00-1A-A0-AF-A5-A9

    C:\temp>

That gets you the NetBIOS name ('Sally') of the infected machine. With a little local knowledge, perhaps you can track a NetBIOS name down to a physical location.

hth,

--sk

Hi, I'm new to the list and thought I'd give this question a try. Has anyone seen a NBNS Broadcast where all the nodes on a link/subnet are sending NBNS broadcasts with the following listed in Wireshark's "Info" column: "Name query NB CN.KING.CD<00>"