AMSNMGR.EXE and Port 27374
jbrooks at longwood.edu
Fri Nov 14 22:02:14 GMT 2003
We recently noticed traffic originating from one student computer going to
port 27374, Sub Seven. I had the opportunity to check this computer out
today. What I found was a plethora of connections listening on 27374 and
fport reported that it was the program amsnmgr.exe. I googled for the
name, but found nothing. The symptoms were as follows:
- amsnmgr.exe in C:\WINNT\system32\
- Called from the Registry in the Run and Runonce keys, once each. The
name of the keys was Winsock2 Drvr or Driver
- While this process was running, netstat -a would not produce consistent
output, e.g., it would not always show any activity. I wonder if that was
due to overloaded connections?
- While the process was running, you could not access regedit or the task
- Booting to safe mode defeated this and allowed removal of the registry
keys. Upon restart, everything is OK, which was not my expectation.
Has anyone seen this? McAfee with DATs dated 11/5/03 did not detect
this. Searching for the file name at nai.com and symantec.com returned no
results. Is it a part of SubSeven?
Any help would be greatly appreciated.
Information Security Technician
116 - B Coyner
201 High Street
Farmville, VA 23901
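
The indicators listed in the message above (a process bound to port 27374 and matching Run/RunOnce values) can be cross-checked from saved tool output. The following is an added example, not part of the original post: the sample text is constructed, and the HKEY_LOCAL_MACHINE hive, the value data and the "Winsock2 Drvr" spelling (one of the two the post gives) are assumptions.

```python
import ntpath
import re

SUSPECT_PORT = 27374  # port named in the post
# Constructed sample inputs, laid out like fport and `reg query` output.
FPORT_TEXT = r"""
Pid   Process            Port  Proto Path
8     System         ->  445   TCP
904   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
1180  amsnmgr        ->  27374 TCP   C:\WINNT\system32\amsnmgr.exe
"""
REG_TEXT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    Winsock2 Drvr    REG_SZ    amsnmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Winsock2 Drvr    REG_SZ    amsnmgr.exe
"""
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")

def port_owners(fport_text, port):
    """Return {lowercased image name: full path} for processes bound to port."""
    owners = {}
    for line in fport_text.splitlines():
        m = FPORT_ROW.match(line)
        if m and int(m.group(3)) == port and m.group(5).strip():
            path = m.group(5).strip()
            owners[ntpath.basename(path).lower()] = path
    return owners

def autoruns(reg_text):
    """Yield (key, value name, command) from `reg query`-style text."""
    key = None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and line.strip():
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def correlate(fport_text, reg_text, port=SUSPECT_PORT):
    """List autorun entries that launch a binary also bound to port."""
    owners = port_owners(fport_text, port)
    hits = []
    for key, name, command in autoruns(reg_text):
        image = ntpath.basename(command.split()[0].strip('"')).lower()
        if image in owners:
            hits.append((key.rsplit("\\", 1)[-1], name, owners[image]))
    return hits
```

Autorun commands that quote a path containing spaces are not handled by the simple `split()` here and would need proper command-line parsing.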