[Dshield] Remote attacks on SavRoam.exe from China

Waldi Krogmann waldi.krogmann at gmail.com
Sun Jun 26 10:36:29 GMT 2005


I've been getting weird alerts over the last few days, seems like port 
scans from locations in China.
This could possibly also be a virus/trojan, as it is trying to connect 
to Savroam.exe (Symantec Antivirus Roaming).
The ports vary, all in the upper range.

I have denied these requests every time and even blocked a whole range of 
IPs, but it is still happening.
I have run several Antivirus / Spyware programs, so I assume this has to 
originate from the outside.

According to what I read, it's not advisable to stop Savroam.exe, so I'm 
still running it.

Any help will be appreciated.


Program Name: SAVRoam - A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename: SavRoam.exe - The filename of the program that ZoneAlarm Security Suite found on your computer.
Program Version: - The version of SAVRoam running on your
Program Size: 153416 - The size of the program executable file in bytes.
Program MD5: 4189f954fd79b7a0034e218f879d17a3 - The MD5 hash, or number, that uniquely identifies the executable.
Date Modified: Dec-30-2004 02:19:36 PM - The date when SavRoam.exe was most recently modified.
Connect Type: Server - This value can be either Access, which is an Internet connection attempt by SAVRoam, or Server, which indicates that SAVRoam is waiting for connections coming in from the Internet.
Local Port: 46369 - The port SAVRoam is using to receive packets on the local computer.
Remote IP Address: - The IP address of the remote computer that caused the alert.
Alert Date: Jun-25-2005 03:49:49 PM PDT - The time when ZoneAlarm Security Suite detected the alert on your computer.

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum: -
netname:      CNCGROUP-SC
descr:        CNC Group SiChuan province network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       CH455-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-SC
remarks:      service provider
changed:      hm-changed at apnic.net 20030120
source:       APNIC

role:         CNCGroup Hostmaster
e-mail:       abuse at cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
admin-c:      CH444-AP
tech-c:       CH444-AP
changed:      abuse at cnc-noc.net 20041119
mnt-by:       MAINT-CNCGROUP
source:       APNIC
