AMSNMGR.EXE and Port 27374

Jason Brooks jbrooks at longwood.edu
Fri Nov 14 22:02:14 GMT 2003


We recently noticed traffic originating from one student computer going to 
port 27374, Sub Seven.  I had the opportunity to check this computer out 
today.  What I found was a plethora of connections listening on 27374 and 
fport reported that it was the program amsnmgr.exe.  I googled for the 
name, but found nothing.  The symptoms were as follows:

-  amsnmgr.exe in C:\WINNT\system32\
-  Called from the Registry in the Run and Runonce keys, once each.  The 
name of the keys was Winsock2 Drvr or Driver
-  While this process was running, netstat -a would not produce consistent 
output, e.g., it would not always show any activity.  I wonder if that was 
due to overloaded connections?
-  While the process was running, you could not access regedit or the task 
manager.
-  Booting to safe mode defeated this and allowed removal of the registry 
keys.  Upon restart, everything is OK, which was not my expectation.

Has anyone seen this?  McAfee with DATs dated 11/5/03 did not detect 
this.  Searching for the file name at nai.com and symantec.com returned no 
results.  Is it a part of SubSeven?

Any help would be greatly appreciated.
Jason Brooks

Jason Brooks
Information Security Technician
IITS
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796
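
The registry symptoms listed in the message above can be checked offline against a text export of the registry. The following is an added example, not part of the original post: it scans a regedit export for Run and RunOnce string values that match the reported value name or file name. The sample export, the hive, and the benign entry are constructed for illustration.

```python
import re

# Indicators reported in the post above.
SUSPECT_NAME_PREFIX = "winsock2 dr"  # covers "Winsock2 Drvr" and "Winsock2 Driver"
SUSPECT_FILE = re.compile(r'(?:^|[\\/"\s])amsnmgr\.exe(?=$|["\s])', re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; the hive and the benign entry are assumptions.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Winsock2 Drvr"="amsnmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Winsock2 Driver"="C:\\WINNT\\system32\\amsnmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Winsock2 Drvr"="not an autorun key, must be ignored"
'''

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_suspect_autoruns(reg_text):
    """Return (key, value name, command, reasons) for each matching autorun value."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # start of a new registry key section
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not AUTORUN_KEY.search(key):
            continue  # not a string value under a Run/RunOnce key
        name, command = unescape(m.group(1)), unescape(m.group(2))
        reasons = []
        if name.lower().startswith(SUSPECT_NAME_PREFIX):
            reasons.append("value name")
        if SUSPECT_FILE.search(command):
            reasons.append("file name")
        if reasons:
            hits.append((key, name, command, reasons))
    return hits

if __name__ == "__main__":
    # A real version 5.00 export is UTF-16 text: open(path, encoding="utf-16").read()
    for key, name, command, reasons in find_suspect_autoruns(SAMPLE_EXPORT):
        print(f"{key}: {name!r} -> {command!r} ({', '.join(reasons)})")
```

Because the post reports that regedit could not be opened while the process was running, the export would have to be taken from safe mode or from an offline copy of the hive.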


