Thanks, everyone, for your help.

I think it was some weird strain of Blaster, Nachi or something. In either case, all the affected machines would stop pinging if all instances of Internet Explorer, MSN Messenger and Outlook Express were killed. All affected machines happened to have MSN Messenger version 5.0. MSN Messenger processes could not be killed as they were in use by something unknown other than MSN Messenger. But after uninstalling MSN Messenger, as long as Internet Explorer was not launched, the machines would behave.

We couldn't get to the bottom of it, so we wiped the affected machines and reinstalled them. Also, over 3 days it did not spread to any other machine on the network besides the 13 infected ones. Finally, once the machines were reinstalled, the flood of ICMP packets from the Internet side stopped as well.

Maybe it was a new virus written by someone on the inside of the network. Maybe some kind of Internet Explorer BHO? I've got no clue, but I'm glad it's over. Once again, thanks to everyone for their invaluable help.

Cheers
Tikiri
----- Original Message -----
From: "Tikiri Wicks"

My apologies if this is really off topic for this list. I'm just desperate for help.

Right now I can contain it by blocking ICMP at the central routers. However, we are now getting bombed from the Internet side with ICMP packets very similar to what we are seeing on the internal network. The number of ICMP packets per second received from the Internet side looks like it's growing.

I dumped the contents of a number of the packets and it is all random binary data. The contents of one packet are attached; I used tcpdump -i eth1 -w testcap -c 1 icmp.

This network is a WAN encompassing almost all the PCs at the government of Seychelles.
There are two distinct behaviours. Some of the machines are incrementally pinging, counting through IPs, while others are just pinging at random.

Incremental counting example:

Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.1 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.10 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.100 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.101 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.102 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.103 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.104 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.105 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.106 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.107 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.108 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.109 echo req

This is a list of packets generated to random IPs by one of the buggered machines within one second.
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.201.148.92 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.245.149.187 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.6.35.67 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.80.86.18 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.106.165.163 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.121.107.85 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.156.232.33 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.171.152.120 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.21.78.74 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.232.78.121 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.24.134.106 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.249.194.105 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.6.250.118 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.90.48.142 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.193.190.190 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.2.207.62 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.205.182.175 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.219.249.129 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.224.49.245 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.236.246.88 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.249.217.60 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 136.43.157.84 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 137.1.24.83 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 137.116.252.40 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 137.12.26.164 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 137.203.34.244 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 138.86.164.87 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 138.98.156.15 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 138.99.237.131 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 139.114.18.154 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 139.115.153.166 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 139.140.147.214 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 139.224.2.109 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 140.16.1.95 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 140.218.126.39 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 140.22.209.12 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 140.243.246.117 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 140.68.153.239 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 140.72.181.149 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 140.91.46.230 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 141.183.123.247 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 141.225.101.23 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 141.27.59.2 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 141.69.172.112 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 142.17.7.249 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 142.52.236.154 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 143.105.255.186 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 143.11.183.189 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 143.150.2.179 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 143.30.245.9 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 143.32.107.116 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 143.37.124.54 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 144.160.111.25 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 144.180.159.246 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 144.207.201.216 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 144.50.13.114 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 144.70.56.193 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 145.106.19.158 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 145.124.87.240 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 145.157.43.22 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 145.21.185.29 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 145.236.203.9 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 145.41.210.106 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 145.68.213.68 echo req
----- Original Message -----
From: "Steven Schmidt"
To:
Sent: Thursday, October 23, 2003 12:24 PM
Subject: Re: [nznog] Not a virus - Windows 2000 PC's auto generating icmp packet floods

Hi Tikiri,

Are you able to dump a packet? Most worms etc. have an identifying stream, i.e. Nachi had hex 'a'.

Cheers
Steve.
----- Original Message -----
From: "Tikiri Wicks"
To:
Sent: Wednesday, October 22, 2003 11:15 PM
Subject: [nznog] Not a virus - Windows 2000 PC's auto generating icmp packet floods

Thanks for the feedback so far, but it's not viruses.

Virus checks turned up nothing, and it's definitely not the Blaster virus, as all the machines were patched for that when it came out. I've used both Norton as well as F-Secure to check the PCs but nothing turns up. There is nothing special about these PCs either: standard build of Windows 2000 and most probably installed from the same disk set. Master Browser discovery??? But that, I thought, was NetBIOS.

Still hunting :-(
----- Original Message -----
From: "Tikiri Wicks"
To:
Sent: Wednesday, October 22, 2003 10:47 PM
Subject: [nznog] Windows 2000 PC's auto generating icmp packet floods

Hi

Just wondering if anyone can shed some light on this. 13 PCs in a network of about 300 PCs keep incrementally pinging everything in their netmask.

For example, a PC with IP 172.20.10.2 will start pinging 172.20.10.1 and ping all the way up to 172.20.10.255. Then it starts over. These are all Windows 2000 machines, and each one is generating about a hundred ICMP packets per second, incrementally counting through every destination IP in their netmask. If I change one of the machines' netmask to /16, then it starts pinging everything in that entire class B, starting at 1.1 and incrementally counting up to the top. These are all normal Windows 2000 PCs.

Does anyone have an idea on this???

Cheers
Tikiri
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
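The two captures in the thread (one host counting through a subnet, the other spraying random addresses at roughly a hundred packets a second) are the kind of thing a practitioner would script a triage check for: group echo requests by source, measure the rate, and tell a sequential sweep from a random scan, then look at the payload as Steven suggests. The following is an added example written for this page, not code from the thread or from any tool mentioned in it. It parses the exact log format shown above and runs on an excerpt of the posted records embedded inline (the 12 lines from 172.20.13.58 and the first 12 from 172.20.13.111). The classification thresholds (10 distinct targets minimum, the 20% /24 and 80% /16 ratios, the 50 pps default) are assumptions chosen for illustration. Because the "incremental" excerpt is listed in text-sorted order (1, 10, 100, 101, ...), the classifier looks at how destinations cluster rather than at line order. The payload check encodes a fact about the real Welchia/Nachi worm: its echo requests carried 64 bytes of 0xAA (Steven's "hex 'a'"); a different payload does not rule out a variant.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import IPv4Address

# Excerpt of the records posted in the thread: the 12 "incremental" lines
# from 172.20.13.58 and the first 12 "random" lines from 172.20.13.111.
SAMPLE_LOG = """\
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.1 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.10 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.100 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.101 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.102 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.103 echo req
Wed Oct 22 10:06:48 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.104 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.105 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.106 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.107 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.108 echo req
Wed Oct 22 10:06:49 2003 ICMP eth1 92 bytes 172.20.13.58 172.21.219.109 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.201.148.92 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.245.149.187 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.6.35.67 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 134.80.86.18 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.106.165.163 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.121.107.85 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.156.232.33 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.171.152.120 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.21.78.74 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.232.78.121 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.24.134.106 echo req
Wed Oct 22 10:06:47 2003 ICMP eth1 92 bytes 172.20.13.111 135.249.194.105 echo req
"""

# One record per line: "<date> ICMP <iface> <len> bytes <src> <dst> echo req".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) ICMP (?P<iface>\S+) "
    r"(?P<length>\d+) bytes (?P<src>[\d.]+) (?P<dst>[\d.]+) echo req$"
)

# Heuristic thresholds; assumed values for illustration, tune to the network.
MIN_TARGETS = 10    # fewer distinct destinations than this: no verdict
SWEEP_RATIO = 0.2   # distinct /24s per destination at or below this: sweep
SPRAY_RATIO = 0.8   # distinct /16s per destination at or above this: spray


def parse(log):
    """Yield (timestamp, src, dst, length) for every echo-request record."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # anything else (replies, other protocols) is ignored
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        yield ts, m["src"], m["dst"], int(m["length"])


def classify(dsts):
    """Label a set of destination addresses (ints) by how they cluster.

    A host counting through its netmask lands many addresses in one /24;
    a host spraying random targets lands almost one /16 per packet.
    """
    n = len(dsts)
    if n < MIN_TARGETS:
        return "unknown"
    nets24 = {d >> 8 for d in dsts}
    nets16 = {d >> 16 for d in dsts}
    if len(nets24) / n <= SWEEP_RATIO:
        return "sequential"
    if len(nets16) / n >= SPRAY_RATIO:
        return "random"
    return "mixed"


def profile(log, pps_threshold=50):
    """Per source: packet count, rate, scan pattern, and a flag once the rate
    reaches pps_threshold (assumed default; the thread reports about 100/s)."""
    per_src = defaultdict(list)
    for ts, src, dst, _ in parse(log):
        per_src[src].append((ts, int(IPv4Address(dst))))
    report = {}
    for src, recs in per_src.items():
        stamps = [ts for ts, _ in recs]
        # Inclusive second count, so a burst inside one second divides by 1.
        seconds = int((max(stamps) - min(stamps)).total_seconds()) + 1
        pps = len(recs) / seconds
        report[src] = {
            "packets": len(recs),
            "pps": round(pps, 1),
            "kind": classify({d for _, d in recs}),
            "flagged": pps >= pps_threshold,
        }
    return report


# Welchia/Nachi echo requests carried a 64-byte payload of 0xAA.
NACHI_PAYLOAD = b"\xaa" * 64


def looks_like_nachi(icmp_payload):
    """True only when the echo payload is exactly Nachi's 64 bytes of 0xAA."""
    return icmp_payload == NACHI_PAYLOAD


if __name__ == "__main__":
    for src, info in sorted(profile(SAMPLE_LOG, pps_threshold=10).items()):
        print(src, info)
    print("nachi payload:", looks_like_nachi(NACHI_PAYLOAD))
    print("random payload:", looks_like_nachi(bytes(range(64))))  # constructed
```

On the excerpt, 172.20.13.58 comes out as a sequential sweep at 4 pps (12 packets over an inclusive 3-second window) and 172.20.13.111 as a random scan at 12 pps, which the lowered threshold of 10 flags. If the logger's "92 bytes" is the IP total length, that is 20 bytes of IP header, 8 of ICMP header and 64 of payload, so pulling the payload out of the tcpdump capture and comparing it against the 0xAA pattern is a cheap first check before assuming a new strain.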