Some closure on this:
I found the culprit.
File Name: nettray.exe
File Path: C:\Documents and Settings\%infected-username%\Application Data\
File Size: 30 KB (30,720)
File Attributes: Read-only, Hidden
------------------
Conclusion: After further review it looks like it broadcasts 3 NBNS to
CN.KING.CD every 5 seconds give or take. I found several hits on
Google for Trojan/Backdoor relation to the file.
Thanks to everyone who responded.
Tim.
On Sun, Feb 7, 2010 at 7:11 AM, Stuart Kendrick <skendric@xxxxxxxxx> wrote:
> No, I haven't. Windows boxes broadcast NBNS look-ups and announcements for
> a range of reasons, and chatter in this fashion with a loquacity I find
> astonishing. But I haven't seen a single station broadcast with that
> frequency (every few seconds) nor look-up the NetBIOS name 'CN.KING.CD'.
>
> If I had to guess, I would make the same guess you are making. Sounds like
> you have a bunch of boxes infected with some flavor of malware, (though I
> don't know why that malware is performing CN.KING.CD look-ups every few
> seconds, nor why it is using NBNS rather than DNS).
>
> Brain-storming here: you could gather a list of the infected IP addresses
> using Wireshark, then perform NBNS look-ups on those addresses:
>
> C:\temp>nbtstat -A 10.11.88.152
>
> Hutch:
> Node IpAddress: [10.11.88.152] Scope Id: []
>
> NetBIOS Remote Machine Name Table
>
> Name Type Status
> ---------------------------------------------
> SALLY <00> UNIQUE Registered
> FHCRC <00> GROUP Registered
> SALLY <20> UNIQUE Registered
> FHCRC <1E> GROUP Registered
>
> MAC Address = 00-1A-A0-AF-A5-A9
>
>
> C:\temp>
>
> That gets you the NetBIOS name ('Sally') of the infected machine. With a
> little local knowledge, perhaps you can track a NetBIOS name down to a
> physical location.
>
> hth,
>
> --sk
>
>
>>
>> Hi, I'm new to the list and thought I'd give this question a try.
>>
>>
>> Has anyone seen a NBNS Broadcast where all the nodes on a link/ subnet are
>> sending NBNS broadcasts with the following listed in Wireshark's
>> "Info" column: "Name query NB CN.KING.CD<00>"
>
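A detection pass over tshark-style summary lines that does the first half of the quoted suggestion (collect the IPs querying CN.KING.CD and how often, so they can be chased with nbtstat -A). This is an added example, not code from the thread; the log lines are constructed, with one host repeating the look-up in bursts of three about every 5 seconds as Tim reports.

```python
import re
from collections import defaultdict

# Constructed tshark-style lines (time, src, dst, proto, info); sample data only.
# 10.11.88.152 beacons in bursts, 10.11.88.77 asks once, 10.11.88.20 is normal traffic.
SAMPLE_LINES = """\
0.000000 10.11.88.152 10.11.88.255 NBNS Name query NB CN.KING.CD<00>
0.004000 10.11.88.152 10.11.88.255 NBNS Name query NB CN.KING.CD<00>
0.008000 10.11.88.152 10.11.88.255 NBNS Name query NB CN.KING.CD<00>
1.500000 10.11.88.20 10.11.88.255 NBNS Name query NB FILESRV01<20>
5.100000 10.11.88.152 10.11.88.255 NBNS Name query NB CN.KING.CD<00>
5.104000 10.11.88.152 10.11.88.255 NBNS Name query NB CN.KING.CD<00>
5.108000 10.11.88.152 10.11.88.255 NBNS Name query NB CN.KING.CD<00>
7.200000 10.11.88.20 10.11.88.255 NBNS Registration NB WORKSTN07<00>
12.000000 10.11.88.77 10.11.88.255 NBNS Name query NB CN.KING.CD<00>
"""

QUERY_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+\S+\s+NBNS\s+Name query NB\s+"
    r"(?P<name>\S+?)<(?P<suffix>[0-9A-Fa-f]{2})>$"
)

def parse_nbns_queries(text):
    """Return (time, source_ip, netbios_name) for each NBNS name-query line;
    other NBNS traffic (registrations, responses) is skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            records.append((float(m.group("t")), m.group("src"), m.group("name").upper()))
    return records

def summarize_name(records, name):
    """Per source host: query count for `name` and mean gap between queries (None if one)."""
    times = defaultdict(list)
    for t, src, queried in records:
        if queried == name.upper():
            times[src].append(t)
    summary = {}
    for src, ts in times.items():
        ts.sort()
        gap = (ts[-1] - ts[0]) / (len(ts) - 1) if len(ts) > 1 else None
        summary[src] = {"count": len(ts), "mean_gap_s": gap}
    return summary

def flagged_hosts(summary, min_queries=1):
    """Hosts to hand to nbtstat -A, most talkative first. Any look-up of the
    indicator name is worth a look (min_queries=1); raise it to require repeats."""
    return sorted((s for s, v in summary.items() if v["count"] >= min_queries),
                  key=lambda s: -summary[s]["count"])
```

Feed it real tshark output with `tshark -r capture.pcap -Y nbns -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info` (space-separated) and the same functions apply.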