Wireshark-users: Re: [Wireshark-users] Unexplained Netbios Traffic

From: Andrew Hood <ajhood@xxxxxxxxx>
Date: Thu, 02 Oct 2008 23:56:44 +1000
Jon Ziminsky wrote:
> I understand how NetBIOS works... This server has tried to contact 350
> hosts since this morning... All completely random.
> 
> The two I posted were examples of the 1000+ packets it has generated
> thus far today.
> 
> I have used Arin to lookup about 20 of the IPs and they are all over the
> board... From China to Amsterdam to the US...
> 
> The server in question is behind the corporate firewall, and has no
> outward facing ports. The firewall is blocking these packets before they
> leave the network.
> 
> Attached is a snippet of the capture files, as I tried to post the
> entire file and was told by the bot that my message was too big.

Virus? Trojan?

I can duplicate that trace with:

nmblookup -A 89.202.193.168

Because your firewall is dropping the traffic you don't see the ICMP
responses:

  1   0.000000 <hidden> -> 89.202.193.168 NBNS Name query NBSTAT
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  2   0.346796 89.202.193.168 -> <hidden> ICMP Destination unreachable
(Port unreachable)
  3   2.062918 <hidden> -> 89.202.193.168 NBNS Name query NBSTAT
*<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  4   2.408237 89.202.193.168 -> <hidden> ICMP Destination unreachable
(Port unreachable)

You could try the following suggestion from
http://technet.microsoft.com/en-au/library/bb726981.aspx which will shut
it up completely

UseDnsOnlyForNameResolutions

Key: Netbt\Parameters

Value Type: REG_DWORD - Boolean

Valid Range: 0, 1 (false, true)

Default: 0 (false)

Description: This parameter is used to disable all NetBIOS name queries.
NetBIOS name registrations and refreshes are still used, and NetBIOS
sessions are still allowed. To completely disable NetBIOS on an
interface, see the NetbiosOptions parameter.

-- 
There's no point in being grown up if you can't be childish sometimes.
                -- Dr. Who
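Added example for this thread (not code from either poster): a small Python detector that reads tshark one-line summaries like the ones above, decodes the RFC 1001 first-level encoded NBSTAT wildcard name, and flags any internal host sending wildcard NBSTAT queries to many external addresses, which is the fan-out Jon describes. The log lines, host addresses and the fan-out threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tshark-style summary lines (not from the original capture).
SAMPLE_LOG = """\
  1   0.000000 10.1.2.3 -> 89.202.193.168 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  2   0.346796 89.202.193.168 -> 10.1.2.3 ICMP Destination unreachable (Port unreachable)
  3   2.062918 10.1.2.3 -> 203.0.113.9 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  4   2.500000 10.1.2.3 -> 198.51.100.77 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  5   3.000000 10.1.2.3 -> 10.1.2.40 NBNS Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
  6   3.100000 10.1.2.40 -> 10.1.2.255 NBNS Name query NB FILESRV<20>
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+NBNS Name query NBSTAT\s+(?P<name>\S+)"
)
# RFC 1918 ranges; anything else is treated as "external" (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_nbns_name(label: str) -> str:
    """Decode a 32-char first-level encoded NetBIOS name (each nibble + 'A')
    into Wireshark's display form, e.g. "CKAAAA..." -> "*<00><00>...". """
    if len(label) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 chars")
    raw = bytes(((ord(label[i]) - 0x41) << 4) | (ord(label[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return "".join(chr(b) if 0x20 < b < 0x7F else f"<{b:02X}>" for b in raw)

def external_nbstat_fanout(log: str) -> dict:
    """Map each source host to the set of external addresses it sent
    wildcard ('*') NBSTAT queries to; private destinations are ignored."""
    fanout = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("name").startswith("*"):
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        if any(dst in net for net in INTERNAL_NETS):
            continue
        fanout[m.group("src")].add(str(dst))
    return dict(fanout)

def suspicious_hosts(log: str, threshold: int = 3) -> list:
    """Hosts whose external NBSTAT fan-out reaches the threshold, sorted."""
    return sorted(h for h, d in external_nbstat_fanout(log).items() if len(d) >= threshold)
```

A host whose fan-out is in the hundreds, as in the original report, is the one to investigate; legitimate NBSTAT lookups stay inside the private ranges.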