3 replies to this topic

[SpliFF]

When I insert the (legitimate) DVD "Stargate SG-1 - Children of the Gods (Final Cut 2009)" on my Windows machine my Comodo Firewall reports a process with a random, single letter name (seemingly a letter in unicode) attempting to do one of the following (it seems random which):

* listen on 0.0.0.0:0
* listen on 0.0.0.0:30
* listen on 0.0.0.0:60
* connect to 166.84.48.97:230
* connect to 62.136.230.97:196
* connect to 164.205.72.98:120
* do nothing

I suspect these attempts are actually tests to probe or bypass my firewall. I have not allowed it past this point because I have no idea what it intends to do once it connects.

The process has hidden itself from Task Manager (which is not unusual) but surprisingly it is also able to hide from the MSDN "Process Explorer" which I understood to be much more thorough.

I tried Googling for "Children of the Gods" +spyware and found nothing.

Does anyone out there have more information on this probable spyware/malware/rootkit?

Edited by SpliFF, 11 August 2009 - 07:15 AM.

[jedi]

Results of IP lookups for those addresses:
http://www.dnsstuff....dnsstufftoolbar
Panix Public Access Internet

http://www.dnsstuff....dnsstufftoolbar
Energis UK

and curiously:
http://www.dnsstuff....dnsstufftoolbar
DoD Network Information Center

Any of these mean anything to you?

jedi

[SpliFF]

Any of these mean anything to you?

No.

I can also add some additional information since I posted:

* The issue is not limited to the Stargate movie. I am now seeing the alert for other discs. Whatever it is has installed itself between the drive and the system.

* Another potential culprit could be the movie "Blindness" (another new release - pretty boring too) which I watched last night. I haven't installed any software lately, I use FF with noscript, I have no email on this PC and my LAN connection is firewalled so the most likely means of infection is still a rootkit DVD (especially since the primary symptom appears to be an attempt to report DVD viewing. I only hired "Blindness" and it's gone back now so I cannot check that disc.

EDIT: On second thoughts I watched Blindness at a friends house, I don't believe I ever put it in this PC (I can't remember).

* Other addresses are:
146.112.212.108 (Alcatel-Lucent Austria AG) Vienna
194.109.38.109 (XS4ALL Internet BV) Amsterdam
160.139.208.106:78 (Another DoD NIC address)

Edited by SpliFF, 11 August 2009 - 10:23 AM.

[jedi]

Hmm, odd. Where are you based and who is your ISP?

Edit: Can you start a topic here:
http://www.spywarein...hp?showforum=28
post the link to it here, and I'll do some investigating.