[Dshield] Blaster, or AOL strangeness...

jamesmulick jamesmulick at columbus.rr.com
Wed Oct 8 22:37:56 GMT 2003


I am replying to this because I seem to have a problem with a machine I use
at home.

Two nights ago I opened an email from a trusted person from NIH in DC. A
strange window opened asking for a user name and password. I clicked cancel
a couple of times, it came up again and I did the same a few times. I
printed the main body of the email, and noted it had an attachment. I
deleted it. An Internet Explorer window opened, apparently to a page from
Microsoft, suggesting I download an upgrade for Outlook, which I did. Just
before the Outlook upgrade window loaded another window opened briefly, a
smaller one, that said something like, you seem to have been infected by the
Blaster Worm. I dismissed this as strange. All this stuff is happening, but
with growing unease, I respond more or less reflexively.

Then my computer started to slow agonizingly. I rebooted, updated Norton AV,
ran checks of the system, ran Pest Patrol, everything seems OK, but is
slowing even more, with open programs becoming unresponsive to being closed.
Then I think of Norton CleanSweep. I open it and note that a program was
downloaded from the internet on that date, but I never did so intentionally.
I use Norton to locate all parts and delete. A 250 MB program is deleted and
archived, identified as my Documents and Settings folder. Now I am scared. I
check that folder, but it seems to be there and OK. I delete the archived
folder. Computer is still slow.

After reboots and new virus checks I open Eudora. I find my Inbox contents
and all mail server info are deleted! I then open Outlook, which uses other
email accounts, and when I go to my inbox, emails highlighted begin deleting
one at a time, slowly, about one per second. This seems very bad. I exit and
use Zone Alarm to stop all internet traffic.

Things stay this way until last night, when I look at resources used, and
see that CPU use is at max even though not much is running and that Visual
Zone is using about 250 megs of RAM. I shut down a few processes, including
Visual Zone, and the computer runs at normal speed. Outlook still deleted
inbox email one at a time, so I close it. Eudora, now reconfigured, works OK
and nothing new is deleted. That's about where I am. Note that I am sketchy
on what exactly happened with that strange email, and might have made errors
in the sequence of subsequent events or skipped relevant events because I
was not paying very close attention.

What happened to me? Is there a fix short of reformatting the HD and
reinstalling everything? Are data files likely to reinfect if I put them
back on a reformatted drive? Feel free to forward this message to anyone who
might be interested or be able to help. THX.

James A. Mulick, Ph.D.
Professor, Pediatrics & Psychology
The Ohio State University
Columbus Children's Hospital
700 Children's Drive. CHPB-4
Columbus, OH 43205-2696
[No institutional endorsement of message content implied]


-----Original Message-----
From: list-bounces at dshield.org [<mailto:list-bounces at dshield.org>] On Behalf
Of Jason Brooks
Sent: Wednesday, October 08, 2003 8:15 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Blaster, or AOL strangeness...


John,
         I would wonder if this is the case.  These are the ports infected 
machines <<listen>> on, yes?  Unless AOL has an entire class C infected, 
this doesn't appear to be the case, at least from what we've seen here.  My 
contact with an individual at AOL stated that there were no openings on port 
4444 on the class C in question.
Jason Brooks
At 03:40 PM 10/7/2003 -0500, you wrote:
>Good answers and I checked, there are many trojans that use 4444, here is
>a website that lists all ports trojans use, could help track what is going on.
><http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html>
>Sans has a list but the one above has more info.
><http://www.sans.org/resources/idfaq/oddports.php>
>
>JB
>
>
>>
>>We have been seeing this for at least one month.  I have been in contact
>>with someone via another list who works for AOL.  There is nothing valid 
>>on port 4444 in the entire 205.188.134.xxx class C.  We haven't yet done 
>>any heavy packet digging, but some preliminary looking shows that AOL IM 
>>makes some use of 4444 on the client side.  The Sr Net Engineer here has 
>>also seen some port scans that match the pattern of hits we saw on 
>>4444.  The 4444 destination hits always occurred in patterns of 3 or 
>>4.  They would occur in clumps of 3 or 4, sometimes up to 4 times at 
>>once, generating a total of 12 to 16 packets per client, on average.  We 
>>still don't know what is triggering this.  Anyone else...?
>>
>>Glad we're not the only ones...
>>Jason Brooks
>>
>>
>>At 03:31 PM 10/7/2003 -0400, you wrote:
>>>Since applying filters to port 4444 (Blaster), some unusual entries have
>>>shown up.  Local machines are trying to connect to <host>.websys.aol.com 
>>>on port 4444.  What's up with this?
>>>
>>>Examples (munged to RFC1918 space):
>>>>Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
>>>>Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
>>>>Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
>>>>Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
>>>>Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
>>>>Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
>>>>Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 2 packets
>>>>Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
>>>>Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 205.188.134.233(4444), 1 packet
>>>>Oct  7 13:54:13.978 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 1 packet
>>>>Oct  7 13:54:34.911 EDT: list dorm-in denied tcp 172.18.121.247(1727) -> 205.188.134.237(4444), 1 packet
>>>>Oct  7 13:59:54.805 EDT: list dorm-in denied tcp 172.18.121.247(1726) -> 205.188.134.237(4444), 2 packets
>>>>Oct  7 14:15:54.324 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 1 packet
>>>>Oct  7 14:16:19.768 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 1 packet
>>>>Oct  7 14:20:54.913 EDT: list dorm-in denied tcp 172.18.33.71(3451) -> 205.188.134.234(4444), 2 packets
>>>>Oct  7 14:21:54.918 EDT: list dorm-in denied tcp 172.18.33.71(3453) -> 205.188.134.234(4444), 2 packets
>>>>Oct  7 15:10:55.944 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 1 packet
>>>>Oct  7 15:12:10.793 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 1 packet
>>>>Oct  7 15:12:26.773 EDT: list dorm-in denied tcp 172.18.17.116(50273) -> 205.188.134.234(4444), 1 packet
>>>>Oct  7 15:16:55.195 EDT: list dorm-in denied tcp 172.18.17.116(50268) -> 205.188.134.234(4444), 8 packets
>>>>Oct  7 15:17:55.199 EDT: list dorm-in denied tcp 172.18.17.116(50269) -> 205.188.134.234(4444), 4 packets
>>>
>>>>Oct  7 14:39:11.441 EDT: list stop-sql denied tcp 172.16.89.50(1134) -> 205.188.134.237(4444), 1 packet
>>>>Oct  7 14:39:33.046 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 1 packet
>>>>Oct  7 14:39:55.254 EDT: list stop-sql denied tcp 172.16.89.50(1141) -> 205.188.134.235(4444), 1 packet
>>>>Oct  7 14:45:12.234 EDT: list stop-sql denied tcp 172.16.89.50(1136) -> 205.188.134.237(4444), 2 packets
>>>
>>>>[jeff at netsyslog jeff]$ host 205.188.134.233
>>>>233.134.188.205.in-addr.arpa domain name pointer ht-s11.websys.aol.com.
>>>>[jeff at netsyslog jeff]$ host 205.188.134.234
>>>>234.134.188.205.in-addr.arpa domain name pointer ht-s12.websys.aol.com.
>>>>[jeff at netsyslog jeff]$ host 205.188.134.235
>>>>235.134.188.205.in-addr.arpa domain name pointer ht-s13.websys.aol.com.
>>>>[jeff at netsyslog jeff]$ host 205.188.134.237
>>>>237.134.188.205.in-addr.arpa domain name pointer ht-s15.websys.aol.com.
>>>
>>>Jeff
>>>
>>>
>>>_______________________________________________
>>>list mailing list
>>>list at dshield.org
>>>To change your subscription options (or unsubscribe), see: 
>>><http://www.dshield.org/mailman/listinfo/list>
>>
>>Jason Brooks
>>Information Security Technician
>>IITS
>>116 - B Coyner
>>Longwood University
>>201 High Street
>>Farmville, VA 23901
>>(434) 395-2796
>>
>

Jason Brooks
Information Security Technician
IITS
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796

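As an added example (not code from anyone in this thread), a short Python script that parses the Cisco ACL deny lines Jeff posted and reports, per local client, the distinct connection attempts, total packets and destinations that Jason's "clumps of 3 or 4, 12 to 16 packets per client" description refers to. It assumes only the log format shown in the quoted entries; the sample lines are copied from Jeff's posting.

```python
"""Added example for this thread (not code from any list member): parse the
Cisco ACL deny lines Jeff posted and summarize them per local client."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) \w+: list (?P<acl>\S+) denied "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?$"
)

# The nine entries for one dorm client, copied from Jeff's posting (already munged to RFC1918 space).
SAMPLE_LINES = """\
Oct  7 13:38:57.372 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:19.757 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 1 packet
Oct  7 13:39:54.317 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 1 packet
Oct  7 13:40:17.038 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
Oct  7 13:42:48.849 EDT: list dorm-in denied tcp 172.18.57.70(4011) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:03.833 EDT: list dorm-in denied tcp 172.18.57.70(4013) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:06.021 EDT: list dorm-in denied tcp 172.18.57.70(4018) -> 205.188.134.233(4444), 2 packets
Oct  7 13:43:10.833 EDT: list dorm-in denied tcp 172.18.57.70(4021) -> 205.188.134.233(4444), 1 packet
Oct  7 13:43:14.113 EDT: list dorm-in denied tcp 172.18.57.70(4022) -> 205.188.134.233(4444), 1 packet
""".splitlines()

def parse_deny_lines(lines):
    """Return one dict per well-formed deny line; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "pkts"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def summarize_clients(records, dport=4444):
    """Per source host: distinct connection attempts, total packets, destinations.
    Each distinct source port is one TCP connection attempt; a later entry with the
    same source port and "2 packets" is that client's stack retransmitting its SYN.
    Many distinct destinations per source would look like scanning; a few fixed
    hosts hit repeatedly looks like a client talking to a service."""
    acc = defaultdict(lambda: {"ports": set(), "packets": 0, "dsts": set()})
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == dport:
            c = acc[r["src"]]
            c["ports"].add(r["sport"])
            c["packets"] += r["pkts"]
            c["dsts"].add(r["dst"])
    return {src: {"attempts": len(c["ports"]), "packets": c["packets"],
                  "dsts": sorted(c["dsts"])} for src, c in acc.items()}
```

Run over the nine sample lines it reports 5 attempts and 12 packets from 172.18.57.70, all to a single AOL host, which is the shape the thread is puzzling over.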