i got infected with a backdoor trojan - interesting observation...

TuffGuy

Diamond Member
Jul 6, 2000
A couple of weeks ago I had to reformat my drive and I forgot to install NAV and ZoneAlarm. A few days ago my CuteFTP stopped working. So I installed ZoneAlarm and NAV today. The file C:\windows\system\winlogon.exe keeps trying to access the internet. Its destination address is 207.68.172.253:HTTP. Looking that up I get:

Whois information for 207.68.172.253


NETWORK: NETBLK-MSN-BLK [20480]
MSN (NETBLK-MSN-BLK)
One Redmond Way
Redmond, WA 98052
US

Netname: MSN-BLK
Netblock: 207.68.128.0 - 207.68.207.255
Maintainer: MSN

Coordinator:
Microsoft (ZM39-ARIN) noc@microsoft.com
425-936-4200

Domain System inverse mapping provided by:

DNS1.CP.MSFT.NET 207.46.138.20
DNS2.CP.MSFT.NET 207.46.138.21
DNS1.TK.MSFT.NET 207.46.232.37
DNS1.DC.MSFT.NET 207.68.128.151
DNS1.SJ.MSFT.NET 207.46.97.11

Record last updated on 20-Jun-2001.
Database last updated on 24-Feb-2002 19:56:16 EDT.

hmmm...
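An added example, not part of the thread, showing the two checks a defender would run on an alert like the one above: does the destination fall inside the netblock the whois record claims, and does the process path match where the genuine binary lives. The whois excerpt and the alert values are taken from the first post; the expected-directory table is an assumption (on NT-family Windows the real winlogon.exe sits in System32, and Windows 9x/ME has no winlogon.exe at all).

```python
import ipaddress
import ntpath
import re

# Whois excerpt as quoted in the thread (only the lines the check needs).
WHOIS_TEXT = """NETWORK: NETBLK-MSN-BLK [20480]
Netname: MSN-BLK
Netblock: 207.68.128.0 - 207.68.207.255
Maintainer: MSN
"""

# Constructed firewall alert built from the path and destination in the first post.
ALERT = {"process": r"C:\windows\system\winlogon.exe",
         "dest_ip": "207.68.172.253", "dest_port": 80}

# Assumption: directories where the genuine binary is expected on NT-family Windows.
EXPECTED_DIRS = {"winlogon.exe": {r"c:\windows\system32", r"c:\winnt\system32"}}


def parse_netblock(whois_text):
    """Return the CIDR networks covering the 'Netblock: a - b' range in the whois text."""
    m = re.search(r"Netblock:\s*([\d.]+)\s*-\s*([\d.]+)", whois_text)
    if not m:
        raise ValueError("no Netblock line in whois output")
    first, last = (ipaddress.ip_address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


def ip_in_netblock(ip, whois_text):
    """True when the destination lies inside the block the whois record describes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_netblock(whois_text))


def path_is_expected(process_path):
    """True/False for binaries in EXPECTED_DIRS; None when we have no opinion."""
    directory, name = ntpath.split(process_path.lower())
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return None
    return directory in expected


def triage(alert, whois_text):
    """Summarise the alert: destination ownership and binary location."""
    return {
        "dest_in_whois_block": ip_in_netblock(alert["dest_ip"], whois_text),
        "path_expected": path_is_expected(alert["process"]),
    }


if __name__ == "__main__":
    print(triage(ALERT, WHOIS_TEXT))
```

A destination inside the block only tells you who the address is registered to; the path check is what flags a binary that borrows a system file's name from an unexpected directory.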
 

Maleficus

Diamond Member
May 2, 2001
You should guard your backdoor more closely! A lot of, um, yeah, those types of people around.
 

bacillus

Lifer
Jan 6, 2001
I do believe wmp8 calls home at times!
Other than that, have you set Windows to automatically look for updates?
 

Lithium381

Lifer
May 12, 2001


<< The interesting thing is that it's trying to contact Microsoft... >>



Yeah, that's strange. I think I'll go install my copy of ZoneAlarm, which I neglected to install when I formatted my HD a week and a half ago....
 

MustPost

Golden Member
May 30, 2001
Oh, good, you were talking about computers. I thought you were talking about another kind of trojan ;)
 

LiQiCE

Golden Member
Oct 9, 1999
Are you running Windows XP? As far as I know the Active Registration System (you know, the thing that you use to "Activate" your copy of Windows XP) which is partially contained in winlogon.exe checks to make sure your registration is still valid by using the Internet.

Could that be what's trying to connect to Microsoft's servers? If so, then I would think it's acting normal.
 

BillGates

Diamond Member
Nov 30, 2001
You didn't mention what version of Windows you're using....but I have "heard" that with some versions of FreeWindows XP you have to replace the winlogon.exe with a cracked version.....

Is this XP - and is it trying to call home to do the lovely product activation??

(I've heard the above things, I still use Windows 3.1 - leave me alone.)
 

BillGates

Diamond Member
Nov 30, 2001
Whoops, sorry I echoed you there....I had my browser with this topic up for a while, should have refreshed before replying.
 

joohang

Lifer
Oct 22, 2000
You sure that's Microsoft?

The address is wrong. It should be One Microsoft Way. And there are no sites up at MSFT.NET.

Could be some idiot pretending to be Microsoft.
 

loup garou

Lifer
Feb 17, 2000


<< Crap, forgot to turn on the sarcasm button again. >>


Hehe...my fault...forgot to turn on my sarcasm detector. ;)
 

TuffGuy

Diamond Member
Jul 6, 2000
Well, I'm using that free version of WinXP that doesn't require activation... ;)

Anyway, I just finished doing the scan/removal in safe mode. 70,000+ files take a while to process. :( Anyway, I found two viruses: backdoor.trojan and backdoor.bionet.318.

---

Take a week elsewhere to work some extra hours and buy yourself a legal copy of your OS <wink> <wink>.

AnandTech Moderator
 

GTaudiophile

Lifer
Oct 24, 2000
wmplayer.exe always tries to call home to MS whenever I run the program.

Isn't ZoneAlarm the best?
 

loup garou

Lifer
Feb 17, 2000


<< Well, I'm using that free version of WinXP that doesn't require activation... ;) >>


Well if you're using a warezed version of XP, I wouldn't doubt that it has virii installed with it.
 

Fritzo

Lifer
Jan 3, 2001


<< i got infected with a backdoor trojan >>



Heheheheheh....sounds like a homosexual condom :) What happened...did it break? ;)
 

Hossenfeffer

Diamond Member
Jul 16, 2000


<< Well, I'm using that free version of WinXP that doesn't require activation... >>

Hmm. That free version... wasn't aware that Microsoft had been marketing a free version.