Virus that opens multiple internet connections..

By bob.hunt
eventually fills the Sonicwall cache and it has to be reset. Anybody know of something like this? The other day, our office lost internet connectivity. We checked our Sonicwall firewall and found that the cache was full. When we reset the unit, you could keep hitting F5 and watch the cache quickly climb to its max in no time. We tracked down the IP address on the subnet with the last octet being 255! That was weird. Then I tracked it to another computer that was forwarding it to the 255 address. We unplugged the network connection to that PC and the flooding stopped. I've run NAV and Spyware software, but with no results. As soon as I plug in the computer again, it starts flooding again. Any thoughts? BTW, I have a couple more in other offices doing the same thing.

255?

by house In reply to Virus that opens multiple ...

What is the class of the IP address? Is this coming from within your network? Is the 255 part of an actual broadcast address? If it is your own address, how do you subnet your network? Is the cache only showing the IP?

*Network interface cards like to talk when they are about to go out the door. I've had NICs broadcasting up a storm right before they fry themselves. Strange behavior, but not uncommon.

Subnetting and Chatting

by BFilmFan In reply to 255?

I was thinking that if he had something like 10.10.10.0/23, he could well have a 10.10.10.255 address available.

I am assuming that this is an Ethernet and not a token ring network as he didn't mention beaconing.

And I am agreeing with the other commenter that this sounds like a bot running from IRC doing DDNS attacks.
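The subnetting point raised above, as an added example that is not part of the original thread: it counts entries per source/destination pair in a connection table and reports whether the .255 destination is the broadcast address or an ordinary host address under a given prefix. The three-column row format, the addresses other than 10.10.10.0/23 and 10.10.10.255, and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed connection-table rows ("src dst dport"); not a real firewall export.
SAMPLE = "\n".join(
    ["10.10.10.37 10.10.10.255 137"] * 45
    + ["10.10.10.12 192.0.2.10 80"] * 3
    + ["10.10.10.20 10.10.11.255 138"] * 2
)

def role(addr, local_net):
    """Classify addr relative to the LAN: external, network, broadcast or host."""
    net = ipaddress.ip_network(local_net)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "external"
    if ip == net.broadcast_address:
        return "broadcast"
    if ip == net.network_address:
        return "network"
    return "host"

def top_talkers(table, local_net, threshold):
    """Return (src, dst, count, dst_role) for pairs holding >= threshold entries."""
    counts = Counter()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed rows
        counts[(fields[0], fields[1])] += 1
    return [(s, d, n, role(d, local_net))
            for (s, d), n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    # Same table, two candidate masks: the .255 target changes role with the prefix.
    for mask in ("10.10.10.0/23", "10.10.10.0/24"):
        print(mask, top_talkers(SAMPLE, mask, 10))
```
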

Token ring?

by house In reply to Subnetting and Chatting

I hope it is not a token ring network.

Then again it is a ".edu".

Could be IRC punks

by house In reply to Virus that opens multiple ...

Is anyone in your office using an IRC client? Do you have IIS open? Look on the problem PC(s) for strange entries in c: and wutemp.
Check winnt or windows folder for unknown folder names.
Do a search for *.bat and check them out.
Do a search for *.txt. (they like to leave signatures)
Google "xdcc" and see if this looks familiar.

Disable DCOM port

by NT In reply to Could be IRC punks

I had the same problem. I made sure that all the computers had patch KB824146 and KB823980 from Microsoft and I disabled the DCOM port in the registry. It worked for me.

Fried NIC???

by Bruce Epper In reply to Virus that opens multiple ...

I've seen this general type of problem a few times in the past and it normally turns out to be a defective NIC. If it continues after replacing the NIC, check for the specific ports that it is broadcasting on.
