On Monday 11 Oct 2004 7:22 am, Richard Urwin wrote:
> On Sunday 10 Oct 2004 4:56 pm, Freenet-Old wrote:
> > Dear Sirs and Mesdames,
> >
> > I hope you could help me. Yesterday I installed Ethereal to observe
> > my Cable-Modem-Internet connection. Why? Since a couple of weeks I
> > can see flashing lights on my modem - indicating network traffic -
> > but no program is open nor is IE running. My provider shows me
> > 1 GB of upload. Hmm. Ethereal showed me that when all known
> > web-applications on my PC are closed, 100% of network traffic comes
> > from using the ARP protocol, broadcasting something like "who is" or
> > "hihi..."? How can I identify the source of the traffic and how can
> > I stop it? It would be great to hear from you.
>
> Several well-known viruses do that. I suggest you update your
> anti-virus database and do a full scan.
There's a new virus out that the anti-virus packages only caught within
the last few days, wootbot. They haven't got any details on it yet, so
this is based on my experience:
It appears to start off with very rapid ARP messages to random IP
addresses within the local network (depending on the IP address class,
not the netmask.) It then connects to any machines it finds on TCP port
445.
To fix it, open the Task Manager and end process msmsgs.exe, then remove
msmsgs.exe from the system32 folder. To avoid re-infection get
up-to-date with windowsupdate.com.
There may be other filenames, but this is the only variant that we
caught at our office.
--
Richard Urwin
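The ARP-flood behaviour described in this thread can be spotted in a capture without knowing the worm's name: one host asking "who-has" for many distinct addresses, including addresses outside the local netmask. The following is an added example (not code from anyone on this list) that scores such senders from tcpdump-style ARP lines; the log lines, the subnet 192.168.1.0/24 and the threshold of 5 distinct targets are constructed assumptions.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of tcpdump-style ARP output (not a real capture).
# 192.168.1.23 plays the infected host: it asks for addresses spread
# across the whole 192.168/16 class, ignoring the /24 netmask.
SAMPLE_ARP_LOG = """\
10:01:00.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 46
10:01:00.000900 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
10:01:00.001200 ARP, Request who-has 192.168.203.7 tell 192.168.1.23, length 46
10:01:00.001500 ARP, Request who-has 192.168.9.140 tell 192.168.1.23, length 46
10:01:00.001800 ARP, Request who-has 192.168.1.57 tell 192.168.1.23, length 46
10:01:00.002100 ARP, Request who-has 192.168.77.2 tell 192.168.1.23, length 46
10:01:00.002400 ARP, Request who-has 192.168.250.9 tell 192.168.1.23, length 46
10:01:05.000000 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 46
"""

# Only "who-has X tell Y" requests matter; replies are skipped.
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")

def arp_scan_report(log_text, local_subnet, distinct_threshold=5):
    """Summarise ARP who-has activity per requesting host.

    Returns {sender: {"targets": n, "outside_subnet": m, "suspicious": bool}}.
    A sender is flagged when it asks for at least `distinct_threshold`
    distinct addresses, or when it asks for any address outside the
    configured local subnet (a scanner walking the address class rather
    than the netmask produces exactly that).
    """
    subnet = ipaddress.ip_network(local_subnet, strict=False)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = ARP_REQ.search(line)
        if not m:
            continue
        target, sender = m.group(1), m.group(2)
        targets[sender].add(target)
    report = {}
    for sender, tset in targets.items():
        outside = sum(1 for t in tset if ipaddress.ip_address(t) not in subnet)
        report[sender] = {
            "targets": len(tset),
            "outside_subnet": outside,
            "suspicious": len(tset) >= distinct_threshold or outside > 0,
        }
    return report

if __name__ == "__main__":
    for host, info in arp_scan_report(SAMPLE_ARP_LOG, "192.168.1.0/24").items():
        print(host, info)
```

On a real capture, feed it `tcpdump -n -l arp` output and lower or raise the threshold to match how chatty the LAN normally is.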