[unisog] AMSNMGR.EXE and Port 27374

Lois Lehman LOIS.LEHMAN at asu.edu
Tue Nov 25 15:23:03 GMT 2003


Jason, it might be related to this:

http://sourceforge.net/projects/amsn/


Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139


-----Original Message-----
From: Jason Brooks [mailto:jbrooks at longwood.edu] 
Sent: Friday, November 14, 2003 3:02 PM
To: unisog at sans.org
Subject: [unisog] AMSNMGR.EXE and Port 27374

We recently noticed traffic originating from one student computer going
to 
port 27374, Sub Seven.  I had the opportunity to check this computer out

today.  What I found was a plethora of connections listening on 27374
and 
fport reported that it was the program amsnmgr.exe.  I googled for the 
name, but found nothing.  The symptoms were as follows:

-  amsnmgr.exe in C:\WINNT\system32\
-  Called from the Registry in the Run and Runonce keys, once each.  The

name of the keys was Winsock2 Drvr or Driver
-  While this process was running, netstat -a would not produce
consistent 
output, e.g., it would not always show any activity.  I wonder if that
was 
due to overloaded connections?
-  While the process was running, you could not access regedit or the
task 
manager.
-  Booting to safe mode defeated this and allowed removal of the
registry 
keys.  Upon restart, everything is OK, which was not my expectation.

Has anyone seen this?  McAfee with DATs dated 11/5/03 did not detect 
this.  Searching for the file name at nai.com and symantec.com returned
no 
results.  Is is a part of SubSeven?

Any help would be greatly appreciated.
Jason Brooks

Jason Brooks
Information Security Technician
IITS
116 - B Coyner
Longwood University
201 High Street
Farmville, VA 23901
(434) 395-2796



More information about the unisog mailing list