[Dshield] Remote attacks on SavRoam.exe from China
waldi.krogmann at gmail.com
Sun Jun 26 10:36:29 GMT 2005
I've been getting weird alerts over the last few days; it seems like port
scans from locations in China.
This could possibly also be a virus/trojan, as it is trying to connect
to Savroam.exe (Symantec Antivirus Roaming).
The ports vary, all in the upper range.
I have denied these requests every time and even blocked a whole range of
IPs, but it is still happening.
Have run several Antivirus / Spyware programs, so I assume this has to
originate from the outside.
According to what I read, it's not advisable to stop Savroam.exe, so I'm
still running it.
Any help will be appreciated.
Program Name       SAVRoam
    A program running on your computer, which either attempted to send an
    IP packet over the Internet or is waiting for an
Filename           SavRoam.exe
    The filename of the program that ZoneAlarm Security Suite found on
    your computer.
Program Version    18.104.22.1680
    The version of SAVRoam running on your
Program Size       153416
    The size of the program executable file in bytes.
Program MD5        4189f954fd79b7a0034e218f879d17a3
    The MD5 hash, or number, that uniquely identifies the executable.
Date Modified      Dec-30-2004 02:19:36 PM
    The date when SavRoam.exe was most recently modified.
Connect Type       Server
    This value can be either Access, which is an Internet connection
    attempt by SAVRoam, or Server, which indicates that SAVRoam is waiting
    for connections coming in from the Internet.
Local Port         46369
    The port SAVRoam is using to receive packets on the
Remote IP Address  22.214.171.124
    The IP address of the remote computer that caused the alert.
Alert Date         Jun-25-2005 03:49:49 PM PDT
    The time when ZoneAlarm Security Suite detected the alert on your
    computer.
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 126.96.36.199 - 188.8.131.52
descr: CNC Group SiChuan province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
status: ALLOCATED PORTABLE
remarks: service provider
changed: hm-changed at apnic.net 20030120
role: CNCGroup Hostmaster
e-mail: abuse at cnc-noc.net
address: No.156,Fu-Xing-Men-Nei Street,
changed: abuse at cnc-noc.net 20041119
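The ZoneAlarm record quoted above is the kind of thing a defender ends up triaging by hand: the "Connect Type" field says whether the local program reached out (Access) or was listening and a remote host came in (Server), and the remote address and local port say who knocked and where. The following script is an added example, not code from the post or from ZoneAlarm or Symantec; it assumes the alert has been flattened into one "Field: value" line per field (an assumption about the export format) and uses the two remote addresses that appear in this thread plus one constructed private address as sample input. It parses each record, classifies it as an inbound hit from a public address on a high port or not, and groups the hits by remote /24 so that repeated probes from one provider's block stand out.

```python
import ipaddress

# Constructed sample alerts in a "Field: value" layout (an assumed export
# format). The two public addresses are the ones quoted in the thread; the
# version string and MD5 are placeholders, not the post's values.
SAMPLE_ALERTS = [
    """Program Name: SAVRoam
Filename: SavRoam.exe
Program Version: 0.0.0.0
Program MD5: 00000000000000000000000000000000
Connect Type: Server
Local Port: 46369
Remote IP Address: 22.214.171.124
Alert Date: Jun-25-2005 03:49:49 PM PDT""",
    """Program Name: SAVRoam
Filename: SavRoam.exe
Connect Type: Server
Local Port: 51207
Remote IP Address: 22.214.171.124
Alert Date: Jun-25-2005 04:02:11 PM PDT""",
    """Program Name: SAVRoam
Filename: SavRoam.exe
Connect Type: Server
Local Port: 49152
Remote IP Address: 126.96.36.199
Alert Date: Jun-25-2005 04:05:30 PM PDT""",
    # Constructed benign record: the program connected out, to a LAN host.
    """Program Name: SAVRoam
Filename: SavRoam.exe
Connect Type: Access
Local Port: 1024
Remote IP Address: 192.168.1.5
Alert Date: Jun-25-2005 04:10:00 PM PDT""",
]


def parse_alert(text):
    """Split 'Field: value' lines into a dict.

    Only the first colon separates key from value, so timestamps such as
    '03:49:49' survive intact in the value.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(fields):
    """Classify one alert from the defender's side.

    'Server' means SAVRoam was listening and the remote host initiated the
    connection. A public remote address hitting a high (>= 1024) local
    port is the pattern the post describes and is flagged 'investigate'.
    """
    inbound = fields.get("Connect Type", "").lower() == "server"
    try:
        remote = ipaddress.ip_address(fields.get("Remote IP Address", ""))
        remote_is_public = remote.is_global
    except ValueError:
        remote_is_public = False  # unparseable address: treat as not public
    try:
        port = int(fields.get("Local Port", "0"))
    except ValueError:
        port = 0
    high_port = port >= 1024
    if inbound and remote_is_public and high_port:
        verdict = "investigate"
    elif inbound and remote_is_public:
        verdict = "review"
    else:
        verdict = "local"
    return {"inbound": inbound, "remote_is_public": remote_is_public,
            "local_port": port, "high_port": high_port, "verdict": verdict}


def summarize(alerts):
    """Group 'investigate' hits by remote /24 with a count and the set of local ports seen."""
    by_network = {}
    for text in alerts:
        fields = parse_alert(text)
        result = triage(fields)
        if result["verdict"] != "investigate":
            continue
        net = ipaddress.ip_network(fields["Remote IP Address"] + "/24", strict=False)
        entry = by_network.setdefault(str(net), {"count": 0, "ports": set()})
        entry["count"] += 1
        entry["ports"].add(result["local_port"])
    return by_network


if __name__ == "__main__":
    for net, info in summarize(SAMPLE_ALERTS).items():
        print(f"{net}: {info['count']} inbound hit(s) on local ports {sorted(info['ports'])}")
```

The grouping by /24 is what turns a pile of alerts with varying high ports into something actionable: a single network block appearing repeatedly against different ephemeral ports looks like scanning rather than a peer the roaming client legitimately talks to, and the block is what you take to the provider's abuse contact from the whois record.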