Curious happenings - is it malware?


1 reply to this topic

#1 Pasa (Full Member, 5 posts)

Posted 24 June 2004 - 03:30 PM

Ok, a few days ago Notepad.exe started requesting access to the internet, which I denied. I checked my firewall logs and, lo and behold, Notepad is attempting to make an outbound connection every minute:

6:25:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025
6:24:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025
6:23:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025
6:22:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025

I made some checks on the address and this is what was reported:

nslookup 205.162.234.92
Server: localhost
Address: 127.0.0.1

Name: as-1-ppp-92.stwr.brightok.net
Address: 205.162.234.92

nslookup www.rxonlinedeals.biz
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: rxonlinedeals.biz
Addresses: 80.3.229.108, 205.162.234.92, 67.8.2.38, 67.75.26.238
81.220.133.244
Aliases: www.rxonlinedeals.biz

show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 18
Se1/0 205.162.234.92 Fa2/1 207.46.107.40 06 0715 0747 3
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 0050 106C 159
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 08EF 0050 17
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 08EE 0050 87
Se1/0 205.162.234.92 Fa2/1 206.30.97.13 06 0050 BE8D 26

show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 20
Se1/0 205.162.234.92 Fa2/1 207.46.107.40 06 0715 0747 2
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 6
Fa2/1 207.46.107.40 Se1/0 205.162.234.92 06 0747 0715 2
show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 2
Se1/0 205.162.234.92 Fa2/1 207.46.107.40 06 0715 0747 2
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 4

Run Telnet
show ip cache flow | i 205.162.234.92
Fa2/1 206.30.97.13 Se1/0 205.162.234.92 06 C9B9 0050 6
Fa2/1 82.196.65.32 Se1/0 205.162.234.92 06 0050 08F2 12
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 4
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 08F2 0050 19
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 6
Fa2/1 207.46.107.40 Se1/0 205.162.234.92 06 0747 0715 2

Wait a few seconds
show ip cache flow | i 205.162.234.92
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 2
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 08F3 270C 3
show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 8
show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 2
Se1/0 205.162.234.92 Fa2/1 207.46.107.40 06 0715 0747 2
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 6
show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 4
Se1/0 205.162.234.92 Fa2/1 207.46.107.40 06 0715 0747 1
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 4
Fa2/1 207.46.107.40 Se1/0 205.162.234.92 06 0747 0715 2
show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 8

Telnet to reverse proxy
show ip cache flow | i 205.162.234.92
Fa2/1 206.30.97.13 Se1/0 205.162.234.92 06 D483 0050 8
Fa2/1 82.196.65.32 Se1/0 205.162.234.92 06 0050 08F4 12
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 5
Se1/0 205.162.234.92 Fa2/1 207.46.107.40 06 0715 0747 2
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 08F4 0050 19
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 6
Fa2/1 207.46.107.40 Se1/0 205.162.234.92 06 0747 0715 2

Wait a few seconds
show ip cache flow | i 205.162.234.92
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 9
Fa2/1 24.116.154.132 Se1/0 205.162.234.92 01 0000 0800 11


telnet 82.196.65.32 80
GET http://www.rxonlined....biz/aff5/?avon HTTP/1.0

IP gives the website. Perhaps another reverse proxy (2 pronged?), but may be the originating site.

nslookup rxonlinedeals.biz
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: rxonlinedeals.biz
Addresses: 68.186.194.54, 64.168.28.237, 68.54.174.186, 195.242.105.210
68.164.93.228

IP rotated out.

82.196.65.32 is:

whois -h whois.ripe.net 82.196.65.32
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/.../copyright.html

inetnum: 82.196.64.0 - 82.196.67.255
netname: ANTR-NET
descr: Secure2.Net Hi-Tech Datacenter
country: RU
admin-c: VB788-RIPE
tech-c: SNOT1-RIPE
status: ASSIGNED PA
notify: noc@secure2.net
mnt-by: SECURE2-MNT
changed: quark@comset.net 20031112
source: RIPE

route: 82.196.64.0/21
descr: SECURE2 block anounced to RN
origin: AS13075
mnt-by: SECURE2-MNT
changed: change@this.please 20031125
source: RIPE

role: SECURE2 Network Operation Team
address: Secure2.Net/Internet Network Operations
e-mail: noc@secure2.net
trouble: Points of contact for SECURE-2-NETWORK Operations
trouble: -----------------------------------------------------------
trouble: Routing and peering issues: noc@secure2.net
trouble: SPAM issues: abuse@secure2.net
trouble: Network security issues: network@secure2.net
trouble: Mail and News issues: postmaster@secure2.net
trouble: Customer support: support@secure2.net
trouble: General information: info@secure2.net
trouble: -----------------------------------------------------------
admin-c: VB788-RIPE
tech-c: VB788-RIPE
nic-hdl: SNOT1-RIPE
notify: quark@comset.net
changed: quark@comset.net 20031112
source: RIPE

person: Vladimir Belkin
address: Nekrasova st. 16
address: St. Petersburg, 19000
phone: +7 812 1185566
fax-no: +7 812 1185566
e-mail: admin@secure2.net
nic-hdl: VB788-RIPE
notify: quark@comset.net
changed: quark@comset.net 20031112
source: RIPE

Original report follows:

Received: from mx1.spamcop.net (mx1.spamcop.net [216.127.55.202])
by boomer.brightok.net (8.12.10/8.12.10) with ESMTP id hAQEfiaK003519
for <abuse@brightok.net>; Wed, 26 Nov 2003 08:41:45 -0600 (CST)
Received: from unknown (HELO spamcop.net) (192.168.0.1)
by mx1.spamcop.net with SMTP; 26 Nov 2003 07:44:48 +0000
Received: from [63.231.128.154] by spamcop.net
with HTTP; Wed, 26 Nov 2003 14:41:44 GMT
From: 504008481@reports.spamcop.net
To: abuse@brightok.net
Subject: [SpamCop (http://www.rxonlined....biz/aff5/?sent) id:504008481]Fast & easy way to get your medication today!stellar
Precedence: list
Message-ID: <rid_504008481@msgid.spamcop.net>
Date: Tue, 25 Nov 2003 19:44:46 -0600 (CST)
X-SpamCop-sourceip: 160.94.119.142
X-Mailer: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/103u (KHTML, like Gecko) Safari/100.1
via http://www.spamcop.net/ v1.3.4

[ SpamCop V1.3.4 ]
This message is brief for your comfort. Please use links below for details.

Spamvertised website: http://www.rxonlined....biz/aff5/?sent
Additional links on www.rxonlinedeals.biz:
http://www.rxonlined...iz/aff5/?coffin
http://www.rxonlined...ff5/?mastermind
http://www.rxonlined...iz/aff5/?pencil
http://www.rxonlined...ff5/?marionette
http://www.rxonlined...aff5/?dirichlet
http://www.rxonlined...f5/?mesopotamia
http://www.rxonlined....biz/aff5/?sent
http://www.rxonlined....biz/byebye.php
http://www.rxonlined...z/aff5/?colicky
http://www.rxonlined....biz/aff5/?avon
http://www.rxonlined...biz/aff5/?grill
http://www.rxonlined...aff5/?indignity
http://www.rxonlined....biz/aff5/?sent is 205.162.234.92; Wed, 26 Nov 2003 14:39:28 GMT
http://www.spamcop.n...add97dccec527bz

[ Offending message ]
"From qsqb45s@myfastmail.com Tue Nov 25 19:44:46 2003
"
Return-Path: <qsqb45s@myfastmail.com>
Received: from mhub-m5.tc.bla.email (mhub-m5.tc.bla.email [160.94.23.35]) by diamond.tc.bla.email with ESMTP for x; Tue, 25 Nov 2003 19:44:46 -0600 (CST)
X-Umn-Remote-Mta: [N] mhub-m5.tc.bla.email #+LO+NM
Received: from student01svr.csom.bla.email (notes2.csom.bla.email [160.94.119.142] (may be forged)) by mhub-m5.tc.bla.email with ESMTP for x; Tue, 25 Nov 2003 19:44:46 -0600 (CST)
X-Umn-Remote-Mta: [N] notes2.csom.bla.email #+HF+LO+UF+CL+OF (L,-)
X-Umn-Report-As-Spam: <http://bla.email/mc/...QgU1hWeZO1IkVFk
3GZr$N3M1kWYd5mck>
Received: from computer.cpe.jspr.al.charter.com ([67.97.194.180])
by student01svr.csom.bla.email (Lotus Domino Release 6.0.3)
with SMTP id 2003112519495361-45 ;
Tue, 25 Nov 2003 19:49:53 -0600
Received: from [196.80.57.95] by computer.cpe.jspr.al.charter.com with SMTP; Wed, 26 Nov 2003 06:41:24 +0500
Message-ID: <vdvb_______t064@xrjeal>
From: "Lloyd Purvis" <qsqb45s@myfastmail.com>
Reply-To: "Lloyd Purvis" <qsqb45s@myfastmail.com>
To: x
Subject: Fast & easy way to get your medication today!stellar
Date: Wed, 26 Nov 2003 06:41:24 GMT
X-Mailer: lukewarm they liquidate9835
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-MIMETrack: Itemize by SMTP Server on Student01SVR/Student/CarlsonSchool(Release 6.0.3|September
26, 2003) at 11/25/2003 07:49:54 PM,
Serialize by Router on Student01SVR/Student/CarlsonSchool(Release 6.0.3|September
26, 2003) at 11/25/2003 07:50:01 PM,
Serialize complete at 11/25/2003 07:50:01 PM
Content-Type: multipart/alternative;
boundary="8A80_1EF0_"


--8A80_1EF0_
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;

<html>

<head>
<meta http-equiv=3D"Content-Language" content=3D"en-us">
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dwindows-=
1252">
<title>ghhgfhffsshhsg</title>
</head>

<body>

<table border=3D"1" cellspacing=3D"1" style=3D"border-collapse: collapse" =
bordercolor=3D"#0033CC" width=3D"525" height=3D"24">
<tr>
<td width=3D"100%" height=3D"16" bgcolor=3D"#0033CC" align=3D"center" =
bordercolor=3D"#0033CC">
<b><font face=3D"Verdana" size=3D"1" color=3D"#FFFFFF">Prescription Dr=
ugs Shipped
Overnight to Your Door!</font></b></td>
</tr>
<tr>
<td width=3D"100%" height=3D"36" bgcolor=3D"#FFFF99" align=3D"center" =
bordercolor=3D"#0033CC">
<i><b><a href=3D"http://www.rxonlined.../aff5/?coffin">
<font face=3D"Verdana" color=3D"#0033CC" size=3D"4">Visit Our Online D=
rugstore Now
& SAVE!</font></a></b></i></td>
</tr>
<tr>
<td width=3D"100%" height=3D"18" bgcolor=3D"#0033CC">
<p align=3D"center"><b><font face=3D"Verdana" size=3D"1" color=3D"#FFF=
FFF">Free Prescriptions
by Licensed US Doctors!</font></b></p>
</td>
</tr>

</table>
<table border=3D"0" cellspacing=3D"1" style=3D"border-collapse: collapse" =
bordercolor=3D"#111111" width=3D"525" height=3D"257">
<tr>
<td width=3D"100%" height=3D"254" align=3D"center"><font size=3D"2" fa=
ce=3D"Arial">
<font color=3D"#000080">Trim your waistline with:</font> <b>
<font color=3D"#0033CC"><a href=3D"http://www.rxonlinedeals.biz/aff5/?=
dirichlet">
<font color=3D"#0033CC">Phentermine, Bontril, Didrex & more...</fo=
nt></a></font></b>
<i><font color=3D"#FF0000"><b>Starting at Only $79!</b></font></i></fo=
nt><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
</font><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">=
silty</font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
Eliminate arthritic pain with:</font><font size=3D"2" face=3D"Arial"> =

<b>
<font color=3D"#0033CC"><a href=3D"http://www.rxonlinedeals.biz/aff5/?=
sent">
<font color=3D"#0033CC">Fioricet, Vioxx, Tramadol & more..</font><=
/a></font></b>
<i><font color=3D"#FF0000"><b>Starting at Only $99!</b></font></i></fo=
nt><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
</font><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">=
motorola</font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
Relax all your muscles with:</font><font size=3D"2" face=3D"Arial">
<font color=3D"#0033CC"><a href=3D"http://www.rxonlinedeals.biz/aff5/?=
mastermind">
<b><font color=3D"#0033CC">Soma</font></b></a></font><a href=3D"http:/=
/www.rxonlinedeals.biz/aff5/?pencil"><font color=3D"#0033CC"><b>,
Flexeril, Skelaxin & more...</b></font></a> <i><font color=3D"#FF0=
000"><b>Starting
at Only $99!</b></font></i></font><font face=3D"Arial" size=3D"2" colo=
r=3D"#000080"><br>
</font><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">=
custody</font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
Improve your vitality with:</font><font size=3D"2" face=3D"Arial"> <b>=

<a href=3D"http://www.rxonlined...rionette"><font colo=
r=3D"#0033CC">
Viagrra, Valtrex, Acyclovir & more...</font></a><font color=3D"#00=
33CC">
</font></b> <i><font color=3D"#FF0000"><b>Starting at Only $79!</=
b></font></i></font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>=

</font><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">=
tribute</font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
Eliminate your depression with:</font><font size=3D"2" face=3D"Arial">=

<a href=3D"http://www.rxonlined...f5/?avon"><font colo=
r=3D"#0033CC">
<b>Paxil, Prozac, Zoloft & more... </b></font></a> <i><font c=
olor=3D"#FF0000"><b>Starting
at Only $115!</b></font></i></font><font face=3D"Arial" size=3D"2" col=
or=3D"#000080"><br>
</font><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">=
eisner</font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
WOMEN - </font><font size=3D"2" face=3D"Arial"><font color=3D"#0033CC"=
><b>
<a href=3D"http://www.rxonlined...?colicky"><font colo=
r=3D"#0033CC">
Birth Control, Skin Care, Enhancements & more....</font></a></b></=
font><i><font color=3D"#FF0000"><b>
Starting at Only $49!</b></font></i></font><font face=3D"Arial"
size=3D=
"2" color=3D"#000080"><br>
</font><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">=
iliac</font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
MEN - </font><font size=3D"2" face=3D"Arial"><font color=3D"#0033CC"><=
b>
<a href=3D"http://www.rxonlined...opotamia"><font colo=
r=3D"#0033CC">
Quit Smoking, Prevent Hair Losss, Impotence & more..</font></a></b=
></font><i><font color=3D"#FF0000"><b>
Starting at Only $79!</b></font></i></font><font face=3D"Arial"
size=3D=
"2" color=3D"#000080"><br>
</font><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">=
yell</font><font face=3D"Arial" size=3D"2" color=3D"#000080"><br>
FOR EVERYONE - </font><font size=3D"2" face=3D"Arial"><i><font
color=3D=
"#FF0000">
<b><a href=3D"http://www.rxonlined...f5/?indignity">
<font color=3D"#FF0000">Sleeping Aids, Allergy Protection, Heartburn R=
elief and
MORE...!</font></a></b></font></i></font></td>
</tr>

</table>
<table border=3D"1" cellspacing=3D"1" style=3D"border-collapse: collapse" =
bordercolor=3D"#0033CC" width=3D"525" height=3D"24">
<tr>
<td width=3D"100%" height=3D"16" bgcolor=3D"#0033CC" align=3D"center" =
bordercolor=3D"#0033CC">
<b><font face=3D"Verdana" size=3D"1" color=3D"#FFFFFF">Prescription Dr=
ugs Shipped
Overnight to Your Door!</font></b></td>
</tr>
<tr>
<td width=3D"100%" height=3D"36" bgcolor=3D"#FFFF99" align=3D"center" =
bordercolor=3D"#0033CC">
<i><b><a href=3D"http://www.rxonlined...z/aff5/?grill">
<font face=3D"Verdana" color=3D"#0033CC" size=3D"4">Visit Our Online D=
rugstore Now
& SAVE!</font></a></b></i></td>
</tr>
<tr>
<td width=3D"100%" height=3D"18" bgcolor=3D"#0033CC">
<p align=3D"center"><b><font face=3D"Verdana" size=3D"1" color=3D"#FFF=
FFF">Free Prescriptions
by Licensed US Doctors!</font></b></p>
</td>
</tr>

</table>
<p><font size=3D"1" color=3D"#CCCCCC" face=3D"Arial Narrow">xeddh ncf wm</=
font></p>
<p><b><font face=3D"Tahoma" size=3D"1">
<a href=3D"http://www.rxonlined...ye.php">-Delete my email from =
your mailing
list-</a></font></b></p>

</body>

</html>

--8A80_1EF0_--
____________________________________________________________________

Curious!


I have Spybot and Spysweeper resident, but I ran scans with both. I also ran a scan with Adaware and a couple of antikeyloggers, and I have also run HijackThis and cws, all of which report clean, as do my AV and Trojan scanner.

It would seem that somehow Notepad was being started from HKCU/Run via taskman, which I have deleted, but curiously, if I run Notepad it replaces the entry.

Anyone have any thoughts on this?

Thanks for reading.

Pasa
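Two triage helpers for the evidence quoted in the post above, written here as an added example (not code from the original post, the forum, or any of the tools it mentions). The first parses the personal-firewall block lines and flags any process that calls the same remote address and port at a fixed cadence, which is exactly what the four notepad.exe lines show. The second decodes the Cisco `show ip cache flow` rows, whose protocol and port columns are printed in hexadecimal, and sorts one host's TCP flows into ports it serves and peers it connects out to. The firewall column layout, the extra iexplore.exe line, and the rule that the end holding a port below 1024 is the server side are assumptions made for the example.

```python
"""Triage helpers for the two log formats pasted in the post above.
Added example; not code from the original post.  Sample rows are copied
from the post, except the iexplore.exe line, which is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Personal-firewall block log.  Column layout assumed from the post:
# time, process, protocol, direction, verdict, remote IP, remote port, ...
FIREWALL_LOG = """\
6:25:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025
6:24:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025
6:23:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025
6:22:25 AM notepad.exe TCP OUT REFUSED 82.196.67.61 8923 Block activity for application NOTEPAD.EXE localhost(any) 1025
6:20:11 AM iexplore.exe TCP OUT ALLOWED 207.46.107.40 80 Allow activity for application IEXPLORE.EXE localhost(any) 1031
"""

FW_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<proc>\S+) (?P<proto>TCP|UDP) "
    r"(?P<dir>IN|OUT) (?P<verdict>\w+) (?P<rip>\d+(?:\.\d+){3}) (?P<rport>\d+) "
)


def find_beacons(log_text, min_events=3, tolerance=5.0):
    """Group outbound events by (process, remote IP, remote port) and flag
    groups whose inter-event gaps are constant to within `tolerance` seconds.
    A fixed-cadence call-home, blocked or not, is the pattern the notepad.exe
    lines show.  Returns {(proc, ip, port): period_in_seconds}.
    The log carries no date, so a run that crosses midnight needs the date
    prepended before the timestamps are compared."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m or m["dir"] != "OUT":
            continue
        when = datetime.strptime(m["time"], "%I:%M:%S %p")
        groups[(m["proc"].lower(), m["rip"], int(m["rport"]))].append(when)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            beacons[key] = round(sum(gaps) / len(gaps))
    return beacons


# Cisco 'show ip cache flow' rows from the post:
# SrcIf SrcIP DstIf DstIP Pr SrcP DstP Pkts, with Pr/SrcP/DstP in hex.
FLOW_CACHE = """\
Se1/0 205.162.234.92 Fa2/1 24.116.154.132 01 0000 0000 18
Se1/0 205.162.234.92 Fa2/1 207.46.107.40 06 0715 0747 3
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 0050 106C 159
Se1/0 205.162.234.92 Fa2/1 82.196.65.32 06 08EF 0050 17
Fa2/1 206.30.97.13 Se1/0 205.162.234.92 06 C9B9 0050 6
"""
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_flows(text):
    """Turn each row into a dict with the hex columns converted.  For ICMP the
    DstP column holds type/code (0x0800 = echo request, 0x0000 = echo reply)."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        proto = int(f[4], 16)
        flows.append({
            "src": f[1], "dst": f[3],
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "sport": int(f[5], 16), "dport": int(f[6], 16), "pkts": int(f[7]),
        })
    return flows


def tcp_roles(flows, host):
    """Sort a host's TCP flows into ports it serves and peers it connects to.
    Assumption: the end holding a port below 1024 is the server side.
    For 205.162.234.92 the sample rows give ({80}, {('82.196.65.32', 80)}):
    the PPP host answers on 80 and also fetches from 82.196.65.32:80, the
    front-end/back-end pairing the report above reads as a reverse proxy."""
    serves, connects_to = set(), set()
    for r in flows:
        if r["proto"] != "TCP":
            continue
        if r["src"] == host and r["sport"] < 1024:
            serves.add(r["sport"])
        elif r["dst"] == host and r["dport"] < 1024:
            serves.add(r["dport"])
        elif r["src"] == host and r["dport"] < 1024:
            connects_to.add((r["dst"], r["dport"]))
    return serves, connects_to


if __name__ == "__main__":
    print(find_beacons(FIREWALL_LOG))
    print(tcp_roles(decode_flows(FLOW_CACHE), "205.162.234.92"))
```

Run as-is, the first print reports notepad.exe calling 82.196.67.61:8923 with a 60-second period, and the second shows the PPP host both serving port 80 and fetching from 82.196.65.32:80. The cadence check deliberately ignores the verdict column: a blocked beacon is still a beacon, and the process name alone is not evidence of anything, since notepad.exe has no business opening sockets either way.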

#2 Pasa (Full Member, 5 posts)

Posted 25 June 2004 - 03:09 PM

I still have the problem with Notepad: even though I remove the entry from HKCU/Run, something keeps putting it back.

Thoughts anyone?
