Author Topic: Mail Log - Suspicious Traffic


Offline dcbevins

  • Newbie
Mail Log - Suspicious Traffic
« on: April 30, 2007, 11:07:22 PM »
Hello all,

Can someone take a look at this log and tell me if the traffic looks suspicious? I use Yahoo web-based mail, no POP3. I am showing maila.microsoft.com and mail01.microsoft.com and Google mail servers in the log. Is a legitimate Windows process generating this traffic, or is some malware trying to play games with SMTP? I also see traffic from akamaitechnologies.com in a TCP traffic viewer in the System process, which is strange...

Thanks,

db

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • Just an avast user
Re: Mail Log - Suspicious Traffic
« Reply #1 on: May 01, 2007, 12:18:42 PM »
Oh, a bit more than suspicious.

There is some malware in your system hiding behind svchost.exe and using it to send spam email. It does not succeed with all the messages it is trying to send ... but enough to serve the purposes of infecting your system.

These spambots can often be quite hard to detect and this one is hiding behind a valid workhorse of the Windows system (svchost.exe).

Free scans such as Ewido (now AVG) and Panda come to mind. They may show nothing. A HijackThis log may well show a malicious startup entry in your system that initiates the malware process.
« Last Edit: May 01, 2007, 01:18:48 PM by alanrf »
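Added example, not part of the original thread or of any avast tool: the kind of check alanrf's diagnosis implies, written out as code. It takes a per-connection log in the shape `netstat -bno` gives on Windows (one TCP connection per line, resolved to a PID and process name) and flags any process that opens SMTP connections while belonging to the Windows system set (svchost.exe, System, ...) or while fanning out to many distinct mail servers, which is the direct-to-MX delivery pattern of a spambot rather than a mail client talking to its one configured relay. The log lines, hostnames, threshold and function names are constructed for the example; the hostnames echo the ones the original poster mentioned but are not captured data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of `netstat -bno`-style output with the owning
# process resolved: proto, local endpoint, remote endpoint, state, PID, image.
# Hostnames are illustrative only (they echo the thread, they are not a capture).
SAMPLE_LOG = """\
TCP  192.168.1.10:3312  maila.microsoft.com:25                        SYN_SENT     1044  svchost.exe
TCP  192.168.1.10:3313  mail01.microsoft.com:25                       ESTABLISHED  1044  svchost.exe
TCP  192.168.1.10:3315  gmail-smtp-in.l.google.com:25                 ESTABLISHED  1044  svchost.exe
TCP  192.168.1.10:3320  mx1.example.net:25                            SYN_SENT     1044  svchost.exe
TCP  192.168.1.10:3401  a23-54-12-7.deploy.akamaitechnologies.com:80  ESTABLISHED  4     System
TCP  192.168.1.10:3402  us.mail.yahoo.com:443                         ESTABLISHED  2200  firefox.exe
TCP  192.168.1.10:3410  smtp.example.org:25                           ESTABLISHED  2300  thunderbird.exe
"""

# Ports a mail submission or MX delivery would use.
SMTP_PORTS = {25, 465, 587}

# Windows housekeeping processes that have no business speaking SMTP at all.
SYSTEM_PROCESSES = {"svchost.exe", "System", "services.exe", "lsass.exe",
                    "winlogon.exe", "csrss.exe"}

# A real mail client talks to one configured relay; delivering straight to the
# MX of many different domains is the spambot signature. Threshold is assumed.
FANOUT_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)\s*$"
)


@dataclass
class Conn:
    proto: str
    remote_host: str
    remote_port: int
    state: str
    pid: int
    process: str


def parse_line(line):
    """Parse one connection line; return None for headers or garbage."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, port = m.group("remote").rpartition(":")
    return Conn(m.group("proto"), host, int(port), m.group("state"),
                int(m.group("pid")), m.group("proc"))


def find_smtp_abuse(log_text):
    """Return {process: {pids, smtp_hosts, reasons}} for processes whose
    outbound SMTP activity looks like a spambot rather than a mail client."""
    smtp_by_proc = defaultdict(lambda: {"pids": set(), "hosts": set()})
    for line in log_text.splitlines():
        c = parse_line(line)
        if c is None or c.proto != "TCP" or c.remote_port not in SMTP_PORTS:
            continue
        smtp_by_proc[c.process]["pids"].add(c.pid)
        smtp_by_proc[c.process]["hosts"].add(c.remote_host)

    findings = {}
    for proc, entry in smtp_by_proc.items():
        reasons = []
        if proc in SYSTEM_PROCESSES:
            reasons.append("system process opening SMTP connections")
        if len(entry["hosts"]) >= FANOUT_THRESHOLD:
            reasons.append(f"direct-to-MX fan-out to {len(entry['hosts'])} "
                           f"distinct mail servers")
        if reasons:
            findings[proc] = {"pids": sorted(entry["pids"]),
                              "smtp_hosts": sorted(entry["hosts"]),
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for proc, f in find_smtp_abuse(SAMPLE_LOG).items():
        print(f"{proc} (pid {f['pids']}): {'; '.join(f['reasons'])}")
        for host in f["smtp_hosts"]:
            print("   ->", host)
```

On the constructed sample this flags only svchost.exe, on both counts, while the browser session to Yahoo webmail and the single-relay mail client go unflagged. Either rule alone is worth keeping: a bot injected into a real mail client's process would pass the system-process check but still trip the fan-out check, and a bot that sent to a single relay would still be caught if it chose svchost.exe as its host.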

Offline alanrf

  • Avast Evangelist
  • Massive Poster
  • Just an avast user
Re: Mail Log - Suspicious Traffic
« Reply #2 on: May 01, 2007, 02:43:48 PM »
Later thought ...

It is quite clever for this spambot to hide behind svchost.exe, since this process requires outbound permission in those firewalls that have outbound controls.

However, if you have a firewall on your system with outbound control, and since you do not use an email client, you can use avast's Internet Mail provider to your advantage to stop this spambot dead in its tracks while you hunt it down.

If you have such a firewall, then remove outbound permission from ashMaiSv.exe and deny any future requests for outbound access for it. This will not stop the spambot from running on your system, but it will prevent it from sending out the spam from your system and allow you time to find and eliminate it.