Ethereal-users: Re: [Ethereal-users] ARP-Protokoll

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <richard@xxxxxxxxxxxxxxx>
Date: Mon, 11 Oct 2004 17:49:15 +0100
On Monday 11 Oct 2004 7:22 am, Richard Urwin wrote:
> On Sunday 10 Oct 2004 4:56 pm, Freenet-Old wrote:
> > Dear Sirs and Mesdames,
> >
> > I hope you could help me. Yesterday I installed Ethereal to observe
> > my Cable-Modem-Internet connection. Why? For a couple of weeks I
> > can see flashing lights on my modem - indicating network traffic -
> > but no program is open nor is the IE running. My provider shows me
> > 1 GB of upload. Hmm. Ethereal showed me that when all known
> > web-applications on my PC are closed, 100 % of network traffic comes
> > from using the ARP protocol, broadcasting something like "who is" or
> > "hihi..."? How can I identify the source of the traffic and how can
> > I stop it? It would be great to hear from you.
>
> Several well-known viruses do that. I suggest you update your
> anti-virus database and do a full scan.

There's a new virus out that the anti-virus packages only caught within 
the last few days, wootbot. They haven't got any details on it yet, so 
this is based on my experience:

It appears to start off with very rapid ARP messages to random IP 
addresses within the local network (depending on the IP address class, 
not the netmask.) It then connects to any machines it finds on TCP port 
445.

To fix it open the Task Manager and end process msmsgs.exe, then remove 
msmsgs.exe from the system32 folder. To avoid re-infection get 
up-to-date with windowsupdate.com.

There may be other filenames, but this is the only variant that we 
caught at our office.

-- 
Richard Urwin
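The behaviour Richard describes (a burst of ARP "Who has" requests from one host to addresses scattered across the classful network rather than the real subnet, followed by TCP connections to port 445) is easy to pick out of a capture once it is exported as text. The script below is an added example, not code from the Ethereal project or from either poster. It assumes a one-line-per-frame summary format modelled loosely on tethereal's output (frame number, time, source -> destination, protocol, info); the capture it runs on is constructed inline, and the local netmask (10.0.1.0/24), the 1-second window and the 20-target threshold are illustrative assumptions.

```python
"""Flag hosts that ARP-sweep the classful network and then try TCP/445.

Added example for the Ethereal-users thread; not Ethereal code and not
written by the posters. Input format is an assumption modelled on a
tethereal-style summary line:
    <no> <time> <src> -> <dst> <proto> <info>
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<time>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*)$")
ARP_REQ_RE = re.compile(r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)")
TCP_SYN_RE = re.compile(r"^(?P<sport>\d+) > (?P<dport>\d+) \[SYN\]")


def classful_network(ip):
    """Pre-CIDR class A/B/C network of an IPv4 address (/8, /16 or /24).
    Used because the sweep described in the thread picks targets by
    address class, not by the configured netmask."""
    first = int(str(ip).split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def parse(lines):
    """Turn summary lines into ('arp', t, sender, target, None) and
    ('syn', t, src, dst, dport) events; anything else is ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        t = float(m["time"])
        if m["proto"] == "ARP":
            a = ARP_REQ_RE.search(m["info"])
            if a:
                events.append(("arp", t, a["sender"], a["target"], None))
        elif m["proto"] == "TCP":
            s = TCP_SYN_RE.match(m["info"])
            if s:
                events.append(("syn", t, m["src"], m["dst"], int(s["dport"])))
    return events


def find_sweepers(events, local_net, window=1.0, threshold=20):
    """Return {sender: report} for hosts that ask for at least `threshold`
    distinct targets within any `window` seconds, plus what they did next."""
    by_sender = defaultdict(list)
    for kind, t, sender, target, _ in events:
        if kind == "arp":
            by_sender[sender].append((t, target))
    reports = {}
    for sender, reqs in by_sender.items():
        reqs.sort()
        times = [t for t, _ in reqs]
        peak, lo = 0, 0
        for hi in range(len(times)):            # sliding window over time
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, len({tg for _, tg in reqs[lo:hi + 1]}))
        if peak < threshold:
            continue
        cls = classful_network(sender)
        targets = {ipaddress.ip_address(tg) for _, tg in reqs}
        syn445 = sorted({dst for k, _, src, dst, port in events
                         if k == "syn" and src == sender and port == 445})
        reports[sender] = {
            "peak_targets_per_window": peak,
            "targets": len(targets),
            "targets_outside_local_mask": sum(tg not in local_net for tg in targets),
            "targets_inside_classful_net": sum(tg in cls for tg in targets),
            "classful_network": str(cls),
            "syn_to_445": syn445,
        }
    return reports


def constructed_capture():
    """Constructed sample, not a real capture: one quiet host (10.0.1.5)
    and one host (10.0.1.23) sweeping 40 pseudo-random 10.x.y.z targets
    in half a second, then sending a SYN to port 445."""
    lines = ["1 0.000000 10.0.1.5 -> Broadcast ARP Who has 10.0.1.1?  Tell 10.0.1.5"]
    for i in range(40):
        tgt = f"10.{(i * 37) % 256}.{(i * 91) % 256}.{(i * 53) % 254 + 1}"
        lines.append(f"{i + 2} {0.1 + i * 0.01:.6f} 10.0.1.23 -> Broadcast ARP "
                     f"Who has {tgt}?  Tell 10.0.1.23")
    lines.append("42 0.700000 10.0.1.23 -> 10.0.1.40 TCP 1034 > 445 [SYN] Seq=0 Win=64240 Len=0")
    lines.append("43 10.000000 10.0.1.5 -> Broadcast ARP Who has 10.0.1.9?  Tell 10.0.1.5")
    return lines


def analyze(lines, local_cidr="10.0.1.0/24"):
    return find_sweepers(parse(lines), ipaddress.ip_network(local_cidr))


if __name__ == "__main__":
    for host, report in analyze(constructed_capture()).items():
        print(host, report)
```

The two numbers worth reading together in the report are `targets_outside_local_mask` and `targets_inside_classful_net`: a legitimate host only ARPs for addresses on its own subnet, so a sender whose targets are almost all outside the configured mask but inside its class A/B/C range is behaving exactly as described in the post, and the `syn_to_445` list then tells you which neighbours it went on to probe.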