worm variant infection


Question

I won't post any logs of any kind. However, I will if asked by the administrators of the forum. However, I do know my stuff and they are clean. Even with the most recent updates for Ad-aware, Spybot S&D, McAfee, Norton, I have found nothing.

Yet something buried in the services is trying to connect to a nameserver which is not the 2 that my internet service provider gave to me to put in the primary and secondary locations in the connection properties.

So basically I have a programming question.

I have found code for enumerating the services and listing the modules associated with the services, however I am not sure if I can use that information at the moment the svchost instance tries to connect to this foreign nameserver. I am also looking at code for a TDI firewall and determining how to implement a method of detection of the process and the associated module.

I believe it most likely isn't spyware or adware but a rogue variant of a worm.

There is the possibility it has attached itself to the tail end of a DLL and set it up as an overlay, or it could be a DLL that has set up a hook API to catch any attempt to resolve any address and then use their (or the one written in the bad code) DNS nameserver.

So, with what I have to say, does anybody have any ideas?


0 answers to this question
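One way to tie a DNS query sent to a foreign nameserver back to a svchost instance and the services it hosts, as an added example that is not part of the original post: match the query's local UDP source port against `netstat -ano` output, then the owning PID against `tasklist /svc` output. The packet-log format, all addresses and the `ExampleSvc*` service names are constructed for illustration.

```python
import re

# Constructed sample data. NETSTAT and TASKLIST mimic `netstat -ano -p UDP` and
# `tasklist /svc`; PACKET_LOG is a hypothetical capture export
# ("time UDP local_ip:port -> remote_ip:port").
ALLOWED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}  # placeholders for the two ISP servers
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:1047           *:*                                    1084
  UDP    0.0.0.0:1052           *:*                                    1236
"""
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1084 Dnscache
svchost.exe                   1236 ExampleSvcA, ExampleSvcB
"""
PACKET_LOG = """\
12:00:01 UDP 10.0.0.5:1047 -> 192.0.2.10:53
12:00:07 UDP 10.0.0.5:1052 -> 203.0.113.53:53
"""

def udp_port_owners(netstat_text):
    # Local UDP port -> owning PID. netstat shows "*:*" as the remote end of a
    # UDP socket, so the destination has to come from a packet log instead.
    rows = re.findall(r"^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$", netstat_text, re.M)
    return {int(port): int(pid) for port, pid in rows}

def pid_services(tasklist_text):
    # PID -> (image name, [hosted services]); handles single-line rows only.
    rows = re.findall(r"^(\S+)[ \t]+(\d+)[ \t]+(.+)$", tasklist_text, re.M)
    return {int(pid): (img, [s.strip() for s in svcs.split(",")])
            for img, pid, svcs in rows}

def foreign_dns_queries(packet_log, netstat_text, tasklist_text, allowed):
    # Report every port-53 query whose destination is not a configured resolver.
    owners, services = udp_port_owners(netstat_text), pid_services(tasklist_text)
    findings = []
    for line in packet_log.splitlines():
        m = re.match(r"(\S+) UDP \S+:(\d+) -> (\S+):(\d+)$", line)
        if not m or m.group(4) != "53" or m.group(3) in allowed:
            continue
        pid = owners.get(int(m.group(2)))  # None: socket closed before the snapshot
        image, svcs = services.get(pid, ("unknown", []))
        findings.append((m.group(1), m.group(3), pid, image, svcs))
    return findings

if __name__ == "__main__":
    for hit in foreign_dns_queries(PACKET_LOG, NETSTAT, TASKLIST, ALLOWED_RESOLVERS):
        print(hit)
```

A shared svchost instance only narrows the source down to the set of services in that process; the per-service module listing mentioned in the question is the next step from there.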


This topic is now closed to further replies.