Full Version: Intrusion.Win.NETAPI.buffer-overflow.exploit
Kaspersky Lab Forum > English User Forum > Protection for Small and Medium Businesses
Nasir Khan
Dear all,

I have been continuously receiving virus attacks from certain systems in the network for some days. I could not understand the problem or how I can resolve it. Please guide me to rectify it. The following message is displayed under the Anti-Hacker tool in the IDS.

12/31/2008 2:44:09 PM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.1.12 TCP 445
12/31/2008 2:59:45 PM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.1.218 TCP 445

Please help me.

NASIR KHAN.
Tybilly
Hello,

Computers having IP addresses 192.168.1.12 & 192.168.1.218 may be infected by a net worm which is trying to propagate over your network using security holes / vulnerabilities.
Are these computers protected by KAV? If yes, post an AVZ report of one of them.

Nasir Khan
QUOTE(Tybilly @ 1.01.2009 23:01)
Hello,

Computers having IP addresses 192.168.1.12 & 192.168.1.218 may be infected by a net worm which is trying to propagate over your network using security holes / vulnerabilities.
Are these computers protected by KAV? If yes, post an AVZ report of one of them.


Dear Sir,

I have attached the log report generated by AVZ.
manawa
Hello,

Please try to find something like:
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OY8GXR2T\bzqix[1].jpg (this name may not be exactly the same, but similar)
or the files winbase.dll, basesvc.dll and syicon.dll in the directory %System%\Wbem\ (e.g. %System%\Wbem\basesvc.dll).

Thank you!
Tybilly
Hello,

I can't find any sign of infection in this report; moreover, the "netstat" section does not show any outbound connection on remote port 445.

I advise you to run the Portmon utility on the affected computers to see which executable is sending packets over your network on TCP port 445.

Also, does this phenomenon still occur? It could be a false positive in the IDS database; this is another option...

hohoho
QUOTE(Tybilly @ 2.01.2009 13:26)
Also, does this phenomenon still occur? It could be a false positive in the IDS database; this is another option...

It is unlikely in this case ;-)
Tybilly
Ok then I guess you're working for KL HQ and that you're right.

@Nasir Khan, you just need to update threat definitions on all your computers and the problem will disappear.


vee_zza
Hi Sir

I found many users who had been infected by this net-worm in TH because they did not install the latest Microsoft patch!

First of all, how to know which computer is still infected:
1. Using the netstat -an command, you will see many connections to other destination IP addresses on port 445.
2. If you use some network monitor program (such as a port monitor like Active Ports), you will see the svchost.exe service sending many packets to other IP addresses on port 445.
3. There may be an unknown service in services.msc (without any information such as description, status, or startup type; all columns are blank).


How to protect against and clean the net-worm:
1. You must install the latest Microsoft patch on every computer: http://www.microsoft.com/technet/security/...n/MS08-067.mspx (you must install the patch suitable for each OS and restart).

2.1 If you are using Kaspersky AV, you can choose one of the following ways:
- Update the virus signatures, reboot in Safe Mode, and scan for viruses in critical areas or My Computer (the .dll is located in system32).
- Update the virus signatures, reboot and scan with BartPE with the KAV CD-ROM in PE mode.
*** It cannot be detected by Kaspersky Lab in normal mode because the virus has hooked into svchost.exe. If you cannot restart the computer (server), you must unhook the virus from svchost.exe using the "Unlocker" program.

2.2 If you do not use Kaspersky, you must delete all infected files manually via regedit. See the details here:
- Go to HKLM>software>microsoft>winnt>currentversion>svchost
- In the right panel of svchost, double-click the value named "netsvcs"
- Look at the last line in the new dialog and find the random name of the virus, such as rbydwcit or ukcsbkgc, in the last line. Delete the virus name from the value data dialog.
- Remember the "virus name" that you found above
- Go to HKLM>system>controlset001>services>"virus name">parameters
- In the right panel of parameters, find the random .dll file (such as ydrarqme.dll). Delete HKLM>system>controlset001>services>"virus name".
- Remember the ".dll file" that you found above
- Go to c:\windows\system32
- Find the "random.dll". Delete the .dll in Safe Mode. (If you cannot restart the computer (server), you must unhook the virus first using the "Unlocker" program.)

Good luck
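The two symptoms discussed in this thread, the IDS alert lines Nasir posted and the "many connections to port 445" sign from vee_zza's step 1, can both be checked mechanically. The Python below is an added example written for this page, not code from the forum, Kaspersky, or any poster; the alert lines and the `netstat -an` output it parses are constructed samples in the same format the thread shows, and the threshold of three distinct neighbours is an assumed value for illustration.

```python
import re
from collections import Counter

# Constructed sample of the Anti-Hacker/IDS alert lines quoted in the thread
# (date, time with AM/PM, detection name, source IP, protocol, local port).
IDS_ALERTS = """\
12/31/2008 2:44:09 PM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.1.12 TCP 445
12/31/2008 2:59:45 PM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.1.218 TCP 445
12/31/2008 3:10:02 PM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.1.12 TCP 445
"""

ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<name>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<proto>\S+) (?P<port>\d+)$"
)


def alert_sources(text):
    """Count NETAPI intrusion alerts per source host.

    The source IPs are the machines the IDS says are attacking this one,
    i.e. the hosts to inspect (AVZ report, netstat, services.msc) first.
    """
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m and m.group("name").startswith("Intrusion.Win.NETAPI"):
            counts[m.group("src")] += 1
    return counts


# Constructed sample of `netstat -an` output as it might look on an infected
# host: a burst of outbound connections to TCP/445 on several neighbours.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.12:1051      192.168.1.20:445       SYN_SENT
  TCP    192.168.1.12:1052      192.168.1.21:445       SYN_SENT
  TCP    192.168.1.12:1053      192.168.1.22:445       SYN_SENT
  TCP    192.168.1.12:1054      192.168.1.23:445       ESTABLISHED
  TCP    192.168.1.12:1060      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def outbound_smb_targets(netstat_text, remote_port=445):
    """Return the distinct foreign hosts this machine is connecting to on remote_port.

    "Outbound" means the foreign port is 445 and the local port is not: an
    inbound SMB session has local port 445 instead. LISTENING sockets and
    non-TCP lines are skipped.
    """
    targets = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, foreign, state = parts[1], parts[2], parts[3]
        if state == "LISTENING":
            continue
        f_host, _, f_port = foreign.rpartition(":")
        l_port = local.rpartition(":")[2]
        if f_port == str(remote_port) and l_port != str(remote_port):
            targets.add(f_host)
    return sorted(targets)


def looks_like_scanner(netstat_text, threshold=3):
    """Flag vee_zza's symptom: many distinct neighbours contacted on port 445.

    The threshold is an assumed value; a workstation normally talks SMB to a
    handful of servers, not to a spread of peer addresses at once.
    """
    return len(outbound_smb_targets(netstat_text)) >= threshold


if __name__ == "__main__":
    for host, n in alert_sources(IDS_ALERTS).most_common():
        print(f"{host}: {n} NETAPI alert(s) - inspect this host")
    print("outbound 445 targets:", outbound_smb_targets(NETSTAT_OUTPUT))
    print("scanner-like:", looks_like_scanner(NETSTAT_OUTPUT))
```

On a real host you would feed `outbound_smb_targets` the captured output of `netstat -an` (or `netstat -ano` to get the owning PID, which vee_zza's step 2 expects to be an svchost.exe instance). A hit is a reason to pull the AVZ report and check for the blank service entry described in step 3, not a verdict on its own.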
hohoho
@vee_zza
Great solution for all infected users! :-)
Thank You!