Author Topic: Possible malware: scrnsave.scr?  (Read 14327 times)


neiby

  • Guest
Possible malware: scrnsave.scr?
« on: August 19, 2006, 06:56:25 PM »
I have never seen this happen before and I'm wondering if my PC is infected with something. Beginning just a few moments ago, my firewall software indicated that scrnsave.scr was trying to access the internet. I've never, ever seen my screen saver--a Windows screen saver, mind you--try to access the internet. It's trying to access 207.138.126.136 on port 80, but I don't know what's at that address. I tried browsing to it but it has no index page.

I really think this is strange behavior. What do you all think?

Thanks,
John

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Possible malware: scrnsave.scr?
« Reply #1 on: August 19, 2006, 07:41:50 PM »
I assume you downloaded this screen saver ?
What is your firewall ?
Screen saver downloads are potentially the ones likely to come with a gift you didn't want unless downloaded from a reputable site. Where did you get it?

It looks like you have got a trojan.

A whois search for the IP returns this (see below); it looks like that is an ISP. Does anything look familiar about it?
Quote
IP:        207.138.126.136

Querying whois.arin.net:43 for 207.138.126.136...

OrgName:    Global Crossing
OrgID:      GBLX
Address:    14605 South 50th Street
City:       Phoenix
StateProv:  AZ
PostalCode: 85044-6471
Country:    US

ReferralServer: rwhois://rwhois.gblx.net:4321

NetRange:   207.138.0.0 - 207.138.255.255
CIDR:       207.138.0.0/16
NetName:    GBLX-8
NetHandle:  NET-207-138-0-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
NameServer: NAME.SNV.GBLX.NET
NameServer: NAME.JFK1.GBLX.NET
Comment:    THESE ADDRESSES ARE NON-PORTABLE
RegDate:    1996-05-20
Updated:    2005-03-02

RTechHandle: IA12-ORG-ARIN
RTechName:   GBLX-IPADMIN
RTechPhone:  +1-800-404-7714

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido anti-spyware if using WinXP, or a-Squared free if using Win98/ME.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
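The whois record above is the raw material for the first thing a practitioner does with a firewall alert: confirm the destination actually falls inside the allocation the registry returned, and notice when the record names a transit carrier rather than whoever runs the host. The script below is an added example, not code from this thread or from any of the tools mentioned in it; the sample record is the ARIN text quoted above, trimmed to the fields the script uses.

```python
import ipaddress
import re

# Constructed sample: the ARIN record quoted in the post above, trimmed to the
# fields this script uses (the real output has more lines).
SAMPLE_WHOIS = """\
OrgName:    Global Crossing
OrgID:      GBLX
Country:    US
ReferralServer: rwhois://rwhois.gblx.net:4321
NetRange:   207.138.0.0 - 207.138.255.255
CIDR:       207.138.0.0/16
NetName:    GBLX-8
NetType:    Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; a key seen twice (NameServer) becomes a list."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key in record:
            if not isinstance(record[key], list):
                record[key] = [record[key]]
            record[key].append(value)
        else:
            record[key] = value
    return record


def allocation_networks(record):
    """Derive the allocation from NetRange rather than trusting the CIDR field,
    which some registries omit or print as several blocks on one line."""
    start, end = (ipaddress.ip_address(p.strip()) for p in record["NetRange"].split("-"))
    return list(ipaddress.summarize_address_range(start, end))


def triage_ip(ip, whois_text):
    """Summarise what a whois record says about a firewall-alert destination."""
    record = parse_whois(whois_text)
    addr = ipaddress.ip_address(ip)
    nets = allocation_networks(record)
    referral = record.get("ReferralServer")
    return {
        "ip": str(addr),
        "org": record.get("OrgName"),
        "netname": record.get("NetName"),
        "networks": [str(n) for n in nets],
        "in_allocation": any(addr in n for n in nets),
        # A Direct Allocation to a carrier that publishes an rwhois referral is
        # sub-delegated: the ARIN record names the transit provider, not whoever
        # runs the host, so the referral server is the next place to ask.
        "needs_referral_lookup": record.get("NetType") == "Direct Allocation" and referral is not None,
        "referral": referral,
    }


if __name__ == "__main__":
    for key, value in triage_ip("207.138.126.136", SAMPLE_WHOIS).items():
        print(f"{key:>22}: {value}")
```

Run against the sample, `in_allocation` is true and `needs_referral_lookup` is also true, which is the practical point: a /16 held by a carrier with an rwhois referral tells you the IP sits on Global Crossing's network, not who their customer at that address is.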

neiby

  • Guest
Re: Possible malware: scrnsave.scr?
« Reply #2 on: August 19, 2006, 11:32:10 PM »
I did not download a screensaver. I'm using a basic blank screen provided by Windows XP. That's what makes this even stranger. I've never seen this application try to access the internet. I did a boot-time scan with avast and it found nothing. I'll try the other options you suggested.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Possible malware: scrnsave.scr?
« Reply #3 on: August 20, 2006, 12:47:28 AM »
Hi neiby,

Did you order something from FedEx? The URL is their Track Shipments page. If you do not want it to bother you, put it into your hosts file like 127.0.0.1 207.138.126.136

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
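Hosts-file blocking is worth a sanity check before relying on it, because the resolver consults the hosts file only when a name is looked up; a process that connects to an IP literal never triggers a lookup, so an entry whose name field is itself an address is never matched. The audit below is an added example, not code from the thread; the sample hosts file is constructed for it and includes the bare-IP entry suggested in the post above.

```python
import ipaddress

# Constructed sample hosts file: the standard localhost line, a hostname block
# entry, the bare-IP entry suggested in the post above, and a 0.0.0.0 sinkhole.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1       ad.example.net     # blocks a name
127.0.0.1       207.138.126.136
0.0.0.0         tracker.example.org
"""


def parse_hosts(text):
    """Return (line number, target address, [names]) for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def audit_hosts(text):
    """Flag entries that cannot block anything: a name field that is an IP
    literal is never consulted (connecting to 207.138.126.136 resolves nothing),
    and a target that is not an address is ignored by the resolver."""
    findings = []
    for lineno, target, names in parse_hosts(text):
        if not is_ip_literal(target):
            findings.append((lineno, target, "target is not an IP address"))
            continue
        for name in names:
            if is_ip_literal(name):
                findings.append((lineno, name, "IP literal in the name field: never consulted"))
    return findings


def blocked_names(text):
    """Names this hosts file actually sinkholes (mapped to loopback or 0.0.0.0)."""
    sink = {"127.0.0.1", "0.0.0.0", "::1"}
    return sorted(
        name
        for _, target, names in parse_hosts(text)
        if target in sink
        for name in names
        if not is_ip_literal(name) and name != "localhost"
    )


if __name__ == "__main__":
    for lineno, item, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {item}: {reason}")
    print("effective blocks:", blocked_names(SAMPLE_HOSTS))
```

For a firewall alert that already shows a raw destination address, the firewall's own block rule for that address is the control that applies; the hosts file only helps when the program reaches the server through a hostname.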

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Possible malware: scrnsave.scr?
« Reply #4 on: August 20, 2006, 01:03:32 AM »
What about the other questions, firewall, recognise the whois details ?

@ polonus
How did you work out that the IP address is for FedEx? The whois doesn't show that, and http://207.138.126.136 comes up as "page can't be found" (HTTP 400 Bad Request) in Maxthon and "Invalid URL" in Firefox.

neiby

  • Guest
Re: Possible malware: scrnsave.scr?
« Reply #5 on: August 20, 2006, 01:27:10 AM »
I'm currently using the Comodo Personal Firewall.

I have not ordered anything from FedEx. Even if I had, why would my screensaver be trying to access their website? This is really strange.

I just ran a scan with Ewido and it didn't find anything but a bunch of tracking cookies. I'll see what other scanning tools I can find. I've got Spy Sweeper, Spybot S&D, and AdAware and I ran all three just a couple of nights ago and they didn't report anything out of the ordinary.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Possible malware: scrnsave.scr?
« Reply #6 on: August 20, 2006, 01:40:13 AM »
Hello DavidR and neiby,

I must have crafted that badly; well, everyone is entitled to a misnomer once in a while. OK, to get back to the question at hand: the site is an AKAMAI server, look here for where the bad request is returned from:
http://centralops.net/co/DomainDossier.aspx?dom_whois=true&net_whois=true&traceroute=true&dom_dns=true&svc_scan=true&addr=http%3a%2f%2f207.138.126.136%2f

Gonna have a look with intellitamper what is out there,

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Possible malware: scrnsave.scr?
« Reply #7 on: August 20, 2006, 01:53:54 AM »
A screensaver should have no reason to connect to the internet and as such I would have thought it wouldn't have the functionality.

So I have no idea what might cause it to try to connect. The only thing that springs to mind is process injection, inserting code into a running process, but many firewalls see this as a change to the process in memory and block it.

Now what the firewall might call that in either the logs or warning pop-up is anyone's guess. I thought SpySweeper was meant to be able to detect process injection also.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Possible malware: scrnsave.scr?
« Reply #8 on: August 20, 2006, 01:59:10 AM »
Quote
OK to get back at the question at hand, the site is an AKAMAI server, look here for where the bad request is returned from:
http://centralops.net/co/DomainDossier.aspx?dom_whois=true&net_whois=true&traceroute=true&dom_dns=true&svc_scan=true&addr=http%3a%2f%2f207.138.126.136%2f

Gonna have a look with intellitamper what is out there,

The link returns basically what I posted above, from a handy little program win32whois.exe http://www.gena01.com/win32whois/ that can query all the whois locations.

neiby

  • Guest
Re: Possible malware: scrnsave.scr?
« Reply #9 on: August 20, 2006, 03:52:32 AM »
The firewall was basically alerting me to the fact that a process that has never previously contacted the Internet was making an attempt. I have it configured such that I have to manually allow processes to make outgoing connections. I didn't allow it because it doesn't make any sense to me. I still haven't found any evidence of malware on my PC, though. Very weird.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Possible malware: scrnsave.scr?
« Reply #10 on: August 20, 2006, 02:43:54 PM »
In my firewall there is a 'hidden process check', with the option to Allow, Block or Prompt. On Prompt, any program launching another program is detected, and a warning shows you which program launched it. I was hoping your firewall might have a similar process and not just that a new program tried to connect.

It also has a Process Memory Control, to stop malicious programs altering the code of processes running in memory from gaining network access.
Quote
Several Trojan horses and viruses use sophisticated techniques that let them alter the code of trusted applications running in memory and thereby bypass the system security perimeter and perform their malicious activities. This is also known as code injection or copycat vulnerability.

enables you to control the functions that can be used to write malicious code into trusted application address space and so prevent a rogue process from injecting their code into trusted processes.

So as you say very weird as that screensaver function should have no requirement or means to connect to the internet under normal circumstances.

neiby

  • Guest
Re: Possible malware: scrnsave.scr?
« Reply #11 on: August 20, 2006, 06:52:35 PM »
This firewall has that same feature. It did not appear that some other program was using scrnsave.scr. It looked like it was doing it directly. However, it did mention that the parent process was winlogon.exe, but I think that was because winlogon.exe was the process that started scrnsave.scr.

So far, I've done scans with Spy Sweeper, Adaware, Spybot S&D, Ewido, and Avast and I haven't found anything. I really have no idea what's going on. I also have not seen the screensaver attempt to access the Internet since the two attempts yesterday.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: Possible malware: scrnsave.scr?
« Reply #12 on: August 20, 2006, 07:23:07 PM »
Did it say what the location of winlogon.exe was, as this has in the past been used as a file name by malware? A Google search for winlogon.exe returns many hits, some referring to malware.

http://www.liutilities.com/products/wintaskspro/processlibrary/winlogon/
http://www.neuber.com/taskmanager/process/winlogon.exe.html
http://www.hardavenue.com/startup/winlogon.exe.php
etc., etc.

Why a genuine winlogon.exe would want to access the internet, and if so why it would use scrnsave.scr, is to say the least weird.
Also see Hidden things http://invisiblethings.org

It may be worth running HiJackThis, if you have it to see what is running.
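The two checks the thread converges on, whether the parent winlogon.exe is the real one in %SystemRoot%\system32 and whether the screen saver process itself is where it should be, can be expressed as a small audit over a process snapshot. The script below is an added example, not code from the thread or from any of the tools named in it. The snapshot is constructed: the genuine winlogon.exe and scrnsave.scr entries follow the normal XP layout, and a second winlogon.exe in a Temp folder with its own scrnsave.scr child is invented to exercise the checks; the system directory is assumed to be C:\WINDOWS\system32. A snapshot from a user-mode tool is only as honest as the system it runs on, which is the point of the invisiblethings link above, so a clean result here rules out the obvious lookalike, not a kernel-level rootkit.

```python
import ntpath

# Assumed Windows XP system directory; adjust if %SystemRoot% differs.
SYSTEM32 = r"C:\WINDOWS\system32"

# Constructed sample snapshot (pid, ppid, image name, image path) of the kind a
# firewall's hidden-process check or a process viewer would report. The second
# winlogon.exe and its child are invented to exercise the checks; nothing here
# comes from the original poster's machine.
SAMPLE_PROCS = [
    (4,    0,    "System",       ""),
    (596,  4,    "smss.exe",     r"C:\WINDOWS\system32\smss.exe"),
    (660,  596,  "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    (1840, 660,  "scrnsave.scr", r"C:\WINDOWS\system32\scrnsave.scr"),
    (2212, 1188, "winlogon.exe", r"C:\Documents and Settings\John\Local Settings\Temp\winlogon.exe"),
    (2300, 2212, "scrnsave.scr", r"C:\WINDOWS\system32\scrnsave.scr"),
]


def in_dir(path, directory):
    """Case-insensitive check that an image lives directly in the given directory."""
    return ntpath.normcase(ntpath.dirname(path)) == ntpath.normcase(directory)


def audit_processes(procs, system32=SYSTEM32):
    """Return (pid, name, reason) for processes that contradict the normal XP
    picture: winlogon.exe belongs in system32, and the secure screen saver
    (scrnsave.scr) is started by that winlogon.exe and lives there too."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, name, path in procs:
        lname = name.lower()
        if lname == "winlogon.exe" and not in_dir(path, system32):
            findings.append((pid, name, f"winlogon.exe outside system32: {path}"))
        if lname.endswith(".scr"):
            parent = by_pid.get(ppid)
            genuine_parent = (
                parent is not None
                and parent[2].lower() == "winlogon.exe"
                and in_dir(parent[3], system32)
            )
            if not genuine_parent:
                who = f"{parent[2]} (pid {ppid})" if parent else f"pid {ppid} (not in snapshot)"
                findings.append((pid, name, f"screen saver started by {who}, not the genuine winlogon.exe"))
            if not in_dir(path, system32):
                findings.append((pid, name, f"screen saver outside system32: {path}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit_processes(SAMPLE_PROCS):
        print(f"pid {pid} {name}: {reason}")
```

On the sample the genuine pair (pids 660 and 1840) produces nothing, the Temp-folder winlogon.exe is flagged for its location, and the screen saver it spawned is flagged for its parent even though its own image is the legitimate one in system32, which is exactly the case a name-only check would miss.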