Hi All,
The following is an excerpt of the UDP packets generated by an infected machine, as captured by Wireshark:
3832 6801.190602 172.16.0.60 70.189.211.101 UDP Source port: 19782 Destination port: 22724
3833 6805.518933 172.16.0.60 70.189.211.101 UDP Source port: 19782 Destination port: 22724
3834 6808.737420 172.16.0.60 210.213.140.128 UDP Source port: 19782 Destination port: 8155
3835 6811.956181 172.16.0.60 84.186.113.5 UDP Source port: 19782 Destination port: 4894
3836 6814.065585 172.16.0.60 84.186.113.5 UDP Source port: 19782 Destination port: 4894
3837 6817.284353 172.16.0.60 71.228.210.232 UDP Source port: 19782 Destination port: 22402
3838 6824.940515 172.16.0.60 71.228.210.232 UDP Source port: 19782 Destination port: 22402
3839 6827.049878 172.16.0.60 70.177.208.150 UDP Source port: 19782 Destination port: 1232
3840 6833.596769 172.16.0.60 70.177.208.150 UDP Source port: 19782 Destination port: 1232
3841 6837.924859 172.16.0.60 71.153.193.87 UDP Source port: 19782 Destination port: 11856
3842 6845.581215 172.16.0.60 64.83.230.71 UDP Source port: 19782 Destination port: 4972
3843 6849.909232 172.16.0.60 64.83.230.71 UDP Source port: 19782 Destination port: 4972
3851 6875.315406 172.16.0.60 80.253.54.224 UDP Source port: 19782 Destination port: 27725
3852 6878.534207 172.16.0.60 71.153.193.87 UDP Source port: 19782 Destination port: 11856
3853 6880.643470 172.16.0.60 80.253.54.224 UDP Source port: 19782 Destination port: 27725
3854 6886.080968 172.16.0.60 68.44.148.123 UDP Source port: 19782 Destination port: 31104
3855 6891.518593 172.16.0.60 74.72.141.48 UDP Source port: 19782 Destination port: 31756
3856 6898.065346 172.16.0.60 68.44.148.123 UDP Source port: 19782 Destination port: 31104
3857 6900.174689 172.16.0.60 68.225.75.155 UDP Source port: 19782 Destination port: 11363
3858 6907.830916 172.16.0.60 68.11.225.140 UDP Source port: 19782 Destination port: 21433
The following is a log from our PIX firewall showing attempted outbound SMTP connections from the infected machine:
Jul 2 14:26:26 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4922 dst outside:216.82.240.163/25 by access-group "spam3"
Jul 2 14:26:26 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4922 dst outside:216.82.240.163/25 by access-group "spam3"
Jul 2 14:26:33 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:34 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:34 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:35 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:35 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:36 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:37 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4934 dst outside:216.39.53.1/25 by access-group "spam3"
Jul 2 14:26:37 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4934 dst outside:216.39.53.1/25 by access-group "spam3"
Jul 2 14:26:38 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4934 dst outside:216.39.53.1/25 by access-group "spam3"
Jul 2 14:26:42 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4937 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:42 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4937 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:43 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4937 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:43 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4940 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:44 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4940 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:44 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4940 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:47 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4943 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:47 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4943 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:48 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4943 dst outside:205.188.158.121/25 by access-group "spam3"
According to netstat on the infected machine, UDP port 19782 is being used by services.exe.
A-squared failed to find anything wrong, Trend Micro and AVG antivirus both crashed, and Avast can't find anything. Any more ideas for diagnostics?
Respectfully, MTT
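The two logs above carry the pattern a responder would want to pull out automatically: one process bound to a single UDP source port (19782) fanning out to many unrelated peers on many unrelated high ports, plus a burst of direct outbound TCP/25 attempts that the PIX is dropping. The script below is an added example, not part of MTT's post, that parses both log formats and correlates them per internal host. The infected-host lines in the samples are copied from the post; the 172.16.0.61 DNS lines and the 172.16.0.62 SMTP line are constructed as benign controls, and the thresholds (`min_peers`, `min_attempts`) are assumed values to tune for your own network.

```python
import re
from collections import defaultdict

# Wireshark summary lines for 172.16.0.60 are copied from the post above; the
# two 172.16.0.61 -> 172.16.0.1 DNS lines are constructed as a benign control.
WIRESHARK_SAMPLE = """\
3832 6801.190602 172.16.0.60 70.189.211.101 UDP Source port: 19782 Destination port: 22724
3834 6808.737420 172.16.0.60 210.213.140.128 UDP Source port: 19782 Destination port: 8155
3835 6811.956181 172.16.0.60 84.186.113.5 UDP Source port: 19782 Destination port: 4894
3837 6817.284353 172.16.0.60 71.228.210.232 UDP Source port: 19782 Destination port: 22402
3839 6827.049878 172.16.0.60 70.177.208.150 UDP Source port: 19782 Destination port: 1232
3841 6837.924859 172.16.0.60 71.153.193.87 UDP Source port: 19782 Destination port: 11856
3842 6845.581215 172.16.0.60 64.83.230.71 UDP Source port: 19782 Destination port: 4972
3851 6875.315406 172.16.0.60 80.253.54.224 UDP Source port: 19782 Destination port: 27725
3901 6902.000000 172.16.0.61 172.16.0.1 UDP Source port: 1031 Destination port: 53
3902 6903.000000 172.16.0.61 172.16.0.1 UDP Source port: 1032 Destination port: 53
""".splitlines()

# PIX 106023 deny lines copied from the post (two repeated, as in the original
# log, because the PIX logs every retransmitted SYN); the 172.16.0.62 line is
# constructed as a single, sub-threshold attempt.
PIX_SAMPLE = """\
Jul 2 14:26:26 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4922 dst outside:216.82.240.163/25 by access-group "spam3"
Jul 2 14:26:26 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4922 dst outside:216.82.240.163/25 by access-group "spam3"
Jul 2 14:26:33 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:34 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:35 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:37 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4934 dst outside:216.39.53.1/25 by access-group "spam3"
Jul 2 14:26:42 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4937 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:43 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4940 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:47 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4943 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:30:01 %PIX-4-106023: Deny tcp src inside:172.16.0.62/3001 dst outside:198.51.100.7/25 by access-group "spam3"
""".splitlines()

WS_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+UDP\s+"
    r"Source port:\s*(?P<sport>\d+)\s+Destination port:\s*(?P<dport>\d+)")
PIX_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_wireshark(lines):
    """One dict per UDP summary line; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = WS_RE.match(line)
        if m:
            flows.append({"src": m["src"], "dst": m["dst"],
                          "sport": int(m["sport"]), "dport": int(m["dport"])})
    return flows


def udp_fanout(flows, min_peers=5):
    """Flag (src, sport) pairs where one fixed source port talks to many
    distinct peers on many distinct destination ports. A normal client (DNS,
    NTP) reuses a port toward a few servers on one well-known port; a bot with
    a peer list binds one port and sprays it across the Internet."""
    by_socket = defaultdict(list)
    for f in flows:
        by_socket[(f["src"], f["sport"])].append(f)
    findings = {}
    for (src, sport), pkts in by_socket.items():
        peers = {p["dst"] for p in pkts}
        dports = {p["dport"] for p in pkts}
        if len(peers) >= min_peers and len(dports) >= min_peers:
            findings[(src, sport)] = {"packets": len(pkts), "peers": len(peers),
                                      "dports": len(dports),
                                      "all_high_dports": all(d > 1023 for d in dports)}
    return findings


def blocked_smtp(lines, min_attempts=3):
    """Distinct outbound TCP/25 attempts per internal host. One attempt is one
    (src, sport) pair: the PIX logs each retransmitted SYN, so counting raw
    lines overstates the rate by roughly 3x."""
    attempts = defaultdict(dict)  # src -> {sport: dst}
    for line in lines:
        m = PIX_RE.search(line)
        if m and m["proto"] == "tcp" and int(m["dport"]) == 25:
            attempts[m["src"]][int(m["sport"])] = m["dst"]
    return {src: {"attempts": len(a), "relays": len(set(a.values()))}
            for src, a in attempts.items() if len(a) >= min_attempts}


def correlate(ws_lines, pix_lines):
    """Hosts showing both behaviours at once: fixed-port UDP fan-out plus a
    burst of blocked direct-to-MX SMTP is consistent with a spam bot and is
    the first thing to isolate."""
    fan = udp_fanout(parse_wireshark(ws_lines))
    smtp = blocked_smtp(pix_lines)
    return sorted({src for (src, _) in fan} & set(smtp))


if __name__ == "__main__":
    print(udp_fanout(parse_wireshark(WIRESHARK_SAMPLE)))
    print(blocked_smtp(PIX_SAMPLE))
    print(correlate(WIRESHARK_SAMPLE, PIX_SAMPLE))
```

Run it against a larger Wireshark export (`File > Export Packet Dissections > As Plain Text`, summary lines only) and a day of PIX syslog to see whether any other inside host shows the same fixed-port fan-out; the dedup on source port in `blocked_smtp` matters because the PIX line rate alone would suggest three times as many mail attempts as actually happened.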