Author Topic: virus or worm on our network  (Read 3303 times)


mtt

  • Guest
virus or worm on our network
« on: July 03, 2007, 08:31:16 PM »
To All:

The clients on our network have been infected with a virus or worm that avast cannot detect. All clients are running avast 4.7 professional and are running Windows XP home OS. What this virus is doing is sending udp packets to a number of different hosts; if it receives replies, a remote access protocol takes over and starts trying to send out mail. Has anyone ever come across this before?

Respectfully,

MTT

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: virus or worm on our network
« Reply #1 on: July 03, 2007, 08:47:09 PM »
Isn't there any related info in the firewall logs? Which program is trying to send the packets?

Maybe you could do a test on one of the computers: download, install, update and run AVG Antispyware, SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
But you can collect the information to clean the other machines.
The best things in life are free.

mtt

  • Guest
Re: virus or worm on our network
« Reply #2 on: July 03, 2007, 09:29:07 PM »
Hi All,

The following is an excerpt of the UDP packets generated by an infected machine, as captured by wireshark:

   3832 6801.190602 172.16.0.60           70.189.211.101        UDP   Source port: 19782  Destination port: 22724
   3833 6805.518933 172.16.0.60           70.189.211.101        UDP   Source port: 19782  Destination port: 22724
   3834 6808.737420 172.16.0.60           210.213.140.128       UDP   Source port: 19782  Destination port: 8155
   3835 6811.956181 172.16.0.60           84.186.113.5          UDP   Source port: 19782  Destination port: 4894
   3836 6814.065585 172.16.0.60           84.186.113.5          UDP   Source port: 19782  Destination port: 4894
   3837 6817.284353 172.16.0.60           71.228.210.232        UDP   Source port: 19782  Destination port: 22402
   3838 6824.940515 172.16.0.60           71.228.210.232        UDP   Source port: 19782  Destination port: 22402
   3839 6827.049878 172.16.0.60           70.177.208.150        UDP   Source port: 19782  Destination port: 1232
   3840 6833.596769 172.16.0.60           70.177.208.150        UDP   Source port: 19782  Destination port: 1232
   3841 6837.924859 172.16.0.60           71.153.193.87         UDP   Source port: 19782  Destination port: 11856
   3842 6845.581215 172.16.0.60           64.83.230.71          UDP   Source port: 19782  Destination port: 4972
   3843 6849.909232 172.16.0.60           64.83.230.71          UDP   Source port: 19782  Destination port: 4972
   3851 6875.315406 172.16.0.60           80.253.54.224         UDP   Source port: 19782  Destination port: 27725
   3852 6878.534207 172.16.0.60           71.153.193.87         UDP   Source port: 19782  Destination port: 11856
   3853 6880.643470 172.16.0.60           80.253.54.224         UDP   Source port: 19782  Destination port: 27725
   3854 6886.080968 172.16.0.60           68.44.148.123         UDP   Source port: 19782  Destination port: 31104
   3855 6891.518593 172.16.0.60           74.72.141.48          UDP   Source port: 19782  Destination port: 31756
   3856 6898.065346 172.16.0.60           68.44.148.123         UDP   Source port: 19782  Destination port: 31104
   3857 6900.174689 172.16.0.60           68.225.75.155         UDP   Source port: 19782  Destination port: 11363
   3858 6907.830916 172.16.0.60           68.11.225.140         UDP   Source port: 19782  Destination port: 21433

The following is a log from our PIX firewall showing attempted outbound SMTP connections from the infected machine:

Jul 2 14:26:26 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4922 dst outside:216.82.240.163/25 by access-group "spam3"
Jul 2 14:26:26 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4922 dst outside:216.82.240.163/25 by access-group "spam3"
Jul 2 14:26:33 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:34 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:34 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:35 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:35 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:36 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:37 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4934 dst outside:216.39.53.1/25 by access-group "spam3"
Jul 2 14:26:37 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4934 dst outside:216.39.53.1/25 by access-group "spam3"
Jul 2 14:26:38 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4934 dst outside:216.39.53.1/25 by access-group "spam3"
Jul 2 14:26:42 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4937 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:42 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4937 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:43 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4937 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:43 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4940 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:44 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4940 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:44 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4940 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:47 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4943 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:47 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4943 dst outside:205.188.158.121/25 by access-group "spam3"
Jul 2 14:26:48 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4943 dst outside:205.188.158.121/25 by access-group "spam3"

According to netstat on the infected machine, UDP port 19782 is being used by services.exe.

A-squared failed to find anything wrong, Trend Micro and AVG antivirus both crashed, and Avast can't find anything.  Any more ideas for diagnostics?
Respectfully, MTT
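
A defender-side way to pick the pattern in these two logs out of a larger capture, as an added example that is not from the thread: it parses Wireshark summary lines and PIX %PIX-4-106023 deny lines, then flags any inside host that fans UDP out from one fixed source port to several peers and also has repeated denied outbound SMTP attempts. The sample lines are constructed (documentation address ranges) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the Wireshark summary and PIX syslog
# excerpts in the post above (documentation address ranges, not the real peers).
WIRESHARK_LINES = """\
3832 6801.190602 172.16.0.60 203.0.113.10 UDP Source port: 19782  Destination port: 22724
3833 6805.518933 172.16.0.60 203.0.113.10 UDP Source port: 19782  Destination port: 22724
3834 6808.737420 172.16.0.60 203.0.113.20 UDP Source port: 19782  Destination port: 8155
3835 6811.956181 172.16.0.60 203.0.113.30 UDP Source port: 19782  Destination port: 4894
3836 6814.000000 172.16.0.61 203.0.113.40 UDP Source port: 1034  Destination port: 53
""".splitlines()

PIX_LINES = """\
Jul 2 14:26:26 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4922 dst outside:198.51.100.5/25 by access-group "spam3"
Jul 2 14:26:33 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4927 dst outside:198.51.100.6/25 by access-group "spam3"
Jul 2 14:26:35 %PIX-4-106023: Deny tcp src inside:172.16.0.60/4929 dst outside:198.51.100.6/25 by access-group "spam3"
Jul 2 14:26:40 %PIX-4-106023: Deny tcp src inside:172.16.0.61/4100 dst outside:198.51.100.7/80 by access-group "web"
""".splitlines()

WS_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+UDP\s+"
                   r"Source port:\s*(?P<sport>\d+)\s+Destination port:\s*(?P<dport>\d+)")
PIX_RE = re.compile(r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def udp_fanout(lines):
    """Map (source host, fixed UDP source port) -> set of distinct destination hosts."""
    fan = defaultdict(set)
    for line in lines:
        m = WS_RE.match(line)
        if m:
            fan[(m["src"], int(m["sport"]))].add(m["dst"])
    return fan

def denied_smtp(lines):
    """Count PIX-denied outbound TCP/25 attempts per inside source host."""
    counts = defaultdict(int)
    for line in lines:
        m = PIX_RE.search(line)
        if m and m["proto"] == "tcp" and int(m["dport"]) == 25:
            counts[m["src"]] += 1
    return counts

def suspect_hosts(ws_lines, pix_lines, min_peers=3, min_smtp=2):
    """Flag hosts showing both halves of the pattern in the post: UDP fan-out from
    one fixed source port to many peers, plus repeated denied SMTP attempts.
    The thresholds are assumptions; tune them to the size of your network."""
    fan, smtp, hits = udp_fanout(ws_lines), denied_smtp(pix_lines), {}
    for (src, sport), peers in fan.items():
        if len(peers) >= min_peers and smtp.get(src, 0) >= min_smtp:
            hits[src] = {"udp_sport": sport, "udp_peers": len(peers), "smtp_denied": smtp[src]}
    return hits
```

The flagged host is the one to pull off the network first; the fixed UDP source port gives you the socket to look up in netstat on that machine, as the post did.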

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67183
Re: virus or worm on our network
« Reply #3 on: July 03, 2007, 09:33:02 PM »
Any more ideas for diagnostics?
Full computer on-line scanning:
Kaspersky (very good detection rates)
Trendmicro housecall
AVGas (not necessary if you have AVG antispyware installed)
F-Secure
BitDefender (free removal of the malware)
HitmanPro (new online scanner with multiple scanners)
The best things in life are free.

mauserme

  • Guest
Re: virus or worm on our network
« Reply #4 on: July 04, 2007, 04:58:15 AM »
Hi mtt.  Welcome.

Let's take a deeper look at one of the infected computers.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it will produce a log for you which you can post in your next response.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Now Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialog boxes until you get to the Select Additional Tasks dialog.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialog box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Please make sure to run the scans in the order above.  Both logs should, of course, be from the same computer.

How many machines are in your network?  Will you be able to take the network down and work on the computers individually if the need arises?