Anyone have any info on this ?

Anyone have any info on this ? isaidpilot 12-18-2005
Posted by on December 18, 2005, 8:23 am

Does anyone have any information on the packet decoded below or any
comments please? (no I don't have netmeeting or netmessenger installed)

Also any info on domain 221.x.x.x ?

-Pontius-

------------------------------------------------------------------


Frame 1 (499 bytes on wire, 499 bytes captured)
Frame is marked: False
Arrival Time: Dec 18, 2005 13:15:08.810603000
Time delta from previous packet: -145.991849000 seconds
Time since reference or first frame: 745.459385000 seconds
Frame Number: 1
Packet Length: 499 bytes
Capture Length: 499 bytes
Protocols in frame: eth:ip:udp:dcerpc
Ethernet II, Src: 20:53:52:43:00:00, Dst: 44:45:53:54:00:00
Destination: 44:45:53:54:00:00 (Microsof_54:00:00)
Source: 20:53:52:43:00:00 (20:53:52:43:00:00)
Source or Destination Address: 44:45:53:54:00:00 (Microsof_54:00:00)
Source or Destination Address: 20:53:52:43:00:00 (20:53:52:43:00:00)
Type: IP (0x0800)
Internet Protocol, Src Addr: 221.6.163.50 (221.6.163.50), Dst Addr:
216.37.208.8 (216.37.208.8)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 485
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 44
Protocol: UDP (0x11)
Header checksum: 0x2796 (correct)
Source: 221.6.163.50 (221.6.163.50)
Source or Destination Address: 221.6.163.50 (221.6.163.50)
Destination: 216.37.208.8 (216.37.208.8)
Source or Destination Address: 216.37.208.8 (216.37.208.8)
User Datagram Protocol, Src Port: 48181 (48181), Dst Port: 1027 (1027)
Source port: 48181 (48181)
Destination port: 1027 (1027)
Source or Destination Port: 48181
Source or Destination Port: 1027
Length: 465
Checksum: 0x4b90 (correct)
DCE RPC
Version: 4
Packet type: Request (0)
Flags1: 0x28
0... .... = Reserved: Not set
.0.. .... = Broadcast: Not set
..1. .... = Idempotent: Set
...0 .... = Maybe: Not set
.... 1... = No Fack: Set
.... .0.. = Fragment: Not set
.... ..0. = Last Fragment: Not set
.... ...0 = Reserved: Not set
Flags2: 0x00
0... .... = Reserved: Not set
.0.. .... = Reserved: Not set
..0. .... = Reserved: Not set
...0 .... = Reserved: Not set
.... 0... = Reserved: Not set
.... .0.. = Reserved: Not set
.... ..0. = Cancel Pending: Not set
.... ...0 = Reserved: Not set
Data Representation: 100000
Byte order: Little-endian (1)
Character: ASCII (0)
Floating-point: IEEE (0)
Serial High: 0x00
Object UUID: 00000000-0000-0000-0000-000000000000
Interface: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
Activity: 86cad260-5364-4cdb-d4af-0873dc51628e
Server boot time: Unknown (0)
Interface Ver: 1
Sequence num: 0
Opnum: 0
Interface Hint: 0xffff
Activity Hint: 0xffff
Fragment len: 377
Fragment num: 0
Auth proto: None (0)
Serial Low: 0x00
Microsoft Messenger Service, NetrSendMessage
Operation: NetrSendMessage (0)
Server
Max Count: 16
Offset: 0
Actual Count: 16
Server: FROM
Client
Max Count: 16
Offset: 0
Actual Count: 16
Client: TO
Message
Max Count: 309
Offset: 0
Actual Count: 309
Message: STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\nWindows
has found 55 Critical System Errors.\n\nTo fix the errors please do the
following:\n\n1. Download Registry Update from: www.regfixit.com\n2.
Install Registry Update\n3. Run Re

0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 DEST.. SRC....E.
0010: 01 E5 00 00 40 00 2C 11 27 96 DD 06 A3 32 D5 30 ....@.,.'....2.0
0020: D0 08 BC 35 04 03 01 D1 4B 90 04 00 28 00 10 00 ...5....K...(...
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040: 00 00 F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 ....{Z........O.
0050: E6 FC 60 D2 CA 86 64 53 DB 4C D4 AF 08 73 DC 51 ..`...dS.L...s.Q
0060: 62 8E 00 00 00 00 01 00 00 00 00 00 00 00 00 00 b...............
0070: FF FF FF FF 79 01 00 00 00 00 10 00 00 00 00 00 ....y...........
0080: 00 00 10 00 00 00 46 52 4F 4D 00 00 00 00 00 00 ......FROM......
0090: 00 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 ................
00A0: 00 00 54 4F 00 00 00 00 00 00 00 00 00 00 00 00 ..TO............
00B0: 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5.......5...ST
00C0: 4F 50 21 20 57 49 4E 44 4F 57 53 20 52 45 51 55 OP! WINDOWS REQU
00D0: 49 52 45 53 20 49 4D 4D 45 44 49 41 54 45 20 41 IRES IMMEDIATE A
00E0: 54 54 45 4E 54 49 4F 4E 2E 0A 0A 57 69 6E 64 6F TTENTION...Windo
00F0: 77 73 20 68 61 73 20 66 6F 75 6E 64 20 35 35 20 ws has found 55
0100: 43 72 69 74 69 63 61 6C 20 53 79 73 74 65 6D 20 Critical System
0110: 45 72 72 6F 72 73 2E 0A 0A 54 6F 20 66 69 78 20 Errors...To fix
0120: 74 68 65 20 65 72 72 6F 72 73 20 70 6C 65 61 73 the errors pleas
0130: 65 20 64 6F 20 74 68 65 20 66 6F 6C 6C 6F 77 69 e do the followi
0140: 6E 67 3A 0A 0A 31 2E 20 44 6F 77 6E 6C 6F 61 64 ng:..1. Download
0150: 20 52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 Registry Update
0160: 20 66 72 6F 6D 3A 20 77 77 77 2E 72 65 67 66 69 from: www.regfi
0170: 78 69 74 2E 63 6F 6D 0A 32 2E 20 49 6E 73 74 61 xit.com.2. Insta
0180: 6C 6C 20 52 65 67 69 73 74 72 79 20 55 70 64 61 ll Registry Upda
0190: 74 65 0A 33 2E 20 52 75 6E 20 52 65 67 69 73 74 te.3. Run Regist
01A0: 72 79 20 55 70 64 61 74 65 0A 34 2E 20 52 65 62 ry Update.4. Reb
01B0: 6F 6F 74 20 79 6F 75 72 20 63 6F 6D 70 75 74 65 oot your compute
01C0: 72 0A 0A 46 41 49 4C 55 52 45 20 54 4F 20 41 43 r..FAILURE TO AC
01D0: 54 20 4E 4F 57 20 4D 41 59 20 4C 45 41 44 20 54 T NOW MAY LEAD T
01E0: 4F 20 53 59 53 54 45 4D 20 46 41 49 4C 55 52 45 O SYSTEM FAILURE
01F0: 21 0A 00 !..
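An added decoder for the frame in the post above (not part of the original thread): it walks the Ethernet, IPv4 and UDP headers, accepts only a connectionless DCE RPC v4 Request for the Messenger Service interface UUID shown in the decode, and pulls the three NDR strings out of the NetrSendMessage body. The header bytes are copied from the hex dump; the 309-byte message is the same text retyped as a Python literal, and anything that is not such a request returns None, so the same function can be run over a capture to count these datagrams.

```python
# Header bytes 0x00-0xBD below are copied from the post's hex dump; the 309-byte
# message is the same text the dump shows, written as a Python literal for brevity.
import struct
import uuid

HEADERS_HEX = (
    "44455354000020535243000008004500" "01E5000040002C112796DD06A332D530"
    "D008BC35040301D14B90040028001000" "00000000000000000000000000000000"
    "0000F8917B5A00FFD011A9B200C04FB6" "E6FC60D2CA866453DB4CD4AF0873DC51"
    "628E0000000001000000000000000000" "FFFFFFFF790100000000100000000000"
    "00001000000046524F4D000000000000" "00000000000010000000000000001000"
    "0000544F000000000000000000000000" "0000350100000000000035010000")
MESSAGE = (b"STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\nWindows has found 55 "
           b"Critical System Errors.\n\nTo fix the errors please do the following:"
           b"\n\n1. Download Registry Update from: www.regfixit.com\n2. Install "
           b"Registry Update\n3. Run Registry Update\n4. Reboot your computer\n\n"
           b"FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!\n\x00")
FRAME = bytes.fromhex(HEADERS_HEX) + MESSAGE          # 499 bytes, as captured
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")  # Messenger Service

def ndr_string(buf, off):
    """NDR conformant varying char array: max count, offset, actual count, chars."""
    max_count, offset, actual = struct.unpack_from("<III", buf, off)
    end = off + 12 + actual
    if offset != 0 or actual > max_count or end > len(buf):
        raise ValueError("malformed NDR string at offset %d" % off)
    return buf[off + 12:end].split(b"\x00", 1)[0].decode("ascii", "replace"), end

def decode_msgsvc(frame):
    """Return (src_ip, dst_port, sender, recipient, text) for a NetrSendMessage
    request, or None when the frame is something else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None                                       # not IPv4 over Ethernet
    if frame[23] != 17:                                   # IP protocol 0x11 = UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4
    rpc = udp + 8                                         # 80-byte CL header follows
    # rpc_vers 4, ptype 0 (Request), little-endian drep, Messenger Service interface
    if (len(frame) < rpc + 80 or frame[rpc] != 4 or frame[rpc + 1] != 0
            or not frame[rpc + 4] & 0x10
            or uuid.UUID(bytes_le=frame[rpc + 24:rpc + 40]) != MSGSVC_IFACE):
        return None
    if struct.unpack_from("<H", frame, rpc + 68)[0] != 0:  # opnum 0 = NetrSendMessage
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_port = struct.unpack_from("!H", frame, udp + 2)[0]
    sender, body = ndr_string(frame, rpc + 80)
    recipient, body = ndr_string(frame, body)
    text, _ = ndr_string(frame, body)
    return src_ip, dst_port, sender, recipient, text
```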

Posted by David H. Lipman on December 18, 2005, 11:18 am

|
| Does anyone have any information on the packet decoded below or any
| comments please? (no I don't have netmeeting or netmessenger installed)
|
| Also any info on domain 221.x.x.x ?
|
| -Pontius-
|
| ------------------------------------------------------------------

< snip >

| Message: STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\nWindows
| has found 55 Critical System Errors.\n\nTo fix the errors please do the
| following:\n\n1. Download Registry Update from: www.regfixit.com\n2.
| Install Registry Update\n3. Run Re
|
| 0000: 44 45 53 54 00 00 20 53 52 43 00 00 08 00 45 00 DEST.. SRC....E.
| 0010: 01 E5 00 00 40 00 2C 11 27 96 DD 06 A3 32 D5 30 ....@.,.'....2.0
| 0020: D0 08 BC 35 04 03 01 D1 4B 90 04 00 28 00 10 00 ...5....K...(...
| 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
| 0040: 00 00 F8 91 7B 5A 00 FF D0 11 A9 B2 00 C0 4F B6 ....{Z........O.
| 0050: E6 FC 60 D2 CA 86 64 53 DB 4C D4 AF 08 73 DC 51 ..`...dS.L...s.Q
| 0060: 62 8E 00 00 00 00 01 00 00 00 00 00 00 00 00 00 b...............
| 0070: FF FF FF FF 79 01 00 00 00 00 10 00 00 00 00 00 ....y...........
| 0080: 00 00 10 00 00 00 46 52 4F 4D 00 00 00 00 00 00 ......FROM......
| 0090: 00 00 00 00 00 00 10 00 00 00 00 00 00 00 10 00 ................
| 00A0: 00 00 54 4F 00 00 00 00 00 00 00 00 00 00 00 00 ..TO............
| 00B0: 00 00 35 01 00 00 00 00 00 00 35 01 00 00 53 54 ..5.......5...ST
| 00C0: 4F 50 21 20 57 49 4E 44 4F 57 53 20 52 45 51 55 OP! WINDOWS REQU
| 00D0: 49 52 45 53 20 49 4D 4D 45 44 49 41 54 45 20 41 IRES IMMEDIATE A
| 00E0: 54 54 45 4E 54 49 4F 4E 2E 0A 0A 57 69 6E 64 6F TTENTION...Windo
| 00F0: 77 73 20 68 61 73 20 66 6F 75 6E 64 20 35 35 20 ws has found 55
| 0100: 43 72 69 74 69 63 61 6C 20 53 79 73 74 65 6D 20 Critical System
| 0110: 45 72 72 6F 72 73 2E 0A 0A 54 6F 20 66 69 78 20 Errors...To fix
| 0120: 74 68 65 20 65 72 72 6F 72 73 20 70 6C 65 61 73 the errors pleas
| 0130: 65 20 64 6F 20 74 68 65 20 66 6F 6C 6C 6F 77 69 e do the followi
| 0140: 6E 67 3A 0A 0A 31 2E 20 44 6F 77 6E 6C 6F 61 64 ng:..1. Download
| 0150: 20 52 65 67 69 73 74 72 79 20 55 70 64 61 74 65 Registry Update
| 0160: 20 66 72 6F 6D 3A 20 77 77 77 2E 72 65 67 66 69 from: www.regfi
| 0170: 78 69 74 2E 63 6F 6D 0A 32 2E 20 49 6E 73 74 61 xit.com.2. Insta
| 0180: 6C 6C 20 52 65 67 69 73 74 72 79 20 55 70 64 61 ll Registry Upda
| 0190: 74 65 0A 33 2E 20 52 75 6E 20 52 65 67 69 73 74 te.3. Run Regist
| 01A0: 72 79 20 55 70 64 61 74 65 0A 34 2E 20 52 65 62 ry Update.4. Reb
| 01B0: 6F 6F 74 20 79 6F 75 72 20 63 6F 6D 70 75 74 65 oot your compute
| 01C0: 72 0A 0A 46 41 49 4C 55 52 45 20 54 4F 20 41 43 r..FAILURE TO AC
| 01D0: 54 20 4E 4F 57 20 4D 41 59 20 4C 45 41 44 20 54 T NOW MAY LEAD T
| 01E0: 4F 20 53 59 53 54 45 4D 20 46 41 49 4C 55 52 45 O SYSTEM FAILURE
| 01F0: 21 0A 00 !..

Based upon the text it looks like a Windows "Messenger Service" Pop-Up. There
have been reports of it being sent via UDP.

To disable the Windows Messenger Service, you can open a Command Prompt and type
the following commands...

sc stop Messenger
sc config Messenger start= disabled

A Router such as the Linksys BEFSR41 will also block this at the WAN/LAN
interface and such messages won't be seen on a LAN PC.

221.6.163.50

inetnum: 221.6.163.0 - 221.6.163.63
netname: YZZXYH-COM
country: CN
descr: YZZXYH-COM,YANGZHOU,JIANGSU Province
admin-c: LL58-AP
tech-c: LL58-AP
status: ASSIGNED NON-PORTABLE
changed: **@jsnetcom.com 20040708
mnt-by: MAINT-CNCGROUP-JS
source: APNIC



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by on December 19, 2005, 12:24 am
says...
> Based upon the text it looks like a Windows "Messenger Service" Pop-Up. There
> have been reports of it being sent via UDP.
>
> To disable the Windows Messenger Service, you can open a Command Prompt and
> type the following commands...
>


Thank you David but the point is - as I said - I don't have messenger
services installed much less running. In fact all its DLLs were manually
removed when the OS was installed. It isn't even vaguely safe to have
that stuff installed or running.

Node 221.x.x.x has been flooding the net with these messages for some
weeks now linking various web addresses and as you identified they have
this week started using UDP also. Clearly this is not legitimate.

221.x.x.x is the only domain on the entire net I am seeing these from and
since I'm on dialup with dynamic IP addressing they clearly are broadcast
not targeted. (No I don't ARP for them I've checked these are
entirely incoming, unsolicited)

Clearly they are designed to get people to go to these web sites - and
also they appear to have hidden information in the TCP headers.
Given the country of origin "claimed" by the address I think they should
be of concern.

Perhaps I've overestimated the knowledge in this newsgroup - sorry.


-Pontius-

Posted by David H. Lipman on December 19, 2005, 12:36 am


| Thank you David but the point is - as I said - I don't have messenger
| services installed much less running. In fact all its DLLs were manually
| removed when the OS was installed. It isn't even vaguely safe to have
| that stuff installed or running.
|
| Node 221.x.x.x has been flooding the net with these messages for some
| weeks now linking various web addresses and as you identified they have
| this week started using UDP also. Clearly this is not legitimate.
|
| 221.x.x.x is the only domain on the entire net I am seeing these from and
| since I'm on dialup with dynamic IP addressing they clearly are broadcast
| not targeted. (No I don't ARP for them I've checked these are
| entirely incoming, unsolicited)
|
| Clearly they are designed to get people to go to these web sites - and
| also they appear to have hidden information in the TCP headers.
| Given the country of origin "claimed" by the address I think they should
| be of concern.
|
| Perhaps I've overestimated the knowledge in this newsgroup - sorry.
|
| -Pontius-

Don't confuse the Messenger program with the NT Messenger Service !

Like I said, use a Router and the PC will not even see this traffic.

You stated -- "...appear to have hidden information in the TCP headers"
It is a UDP broadcast. There is no connection. It was NOT TCP, "Protocol: UDP (0x11)".

You also stated -- "Perhaps I've overestimated the knowledge in this newsgroup - sorry."
I hate it when people bite the hand that feeds them.

/* Perhaps, you are overestimating your own knowledge. */

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by on December 19, 2005, 6:56 am
says...
>
>
> | Thank you David but the point is - as I said - I don't have messenger
> | services installed much less running. In fact all its DLLs were manually
> | removed when the OS was installed. It isn't even vaguely safe to have
> | that stuff installed or running.
> |
> | Node 221.x.x.x has been flooding the net with these messages for some
> | weeks now linking various web addresses and as you identified they have
> | this week started using UDP also. Clearly this is not legitimate.
> |
> | 221.x.x.x is the only domain on the entire net I am seeing these from and
> | since I'm on dialup with dynamic IP addressing they clearly are broadcast
> | not targeted. (No I don't ARP for them I've checked these are
> | entirely incoming, unsolicited)
> |
> | Clearly they are designed to get people to go to these web sites - and
> | also they appear to have hidden information in the TCP headers.
> | Given the country of origin "claimed" by the address I think they should
> | be of concern.
> |
> | Perhaps I've overestimated the knowledge in this newsgroup - sorry.
> |
> | -Pontius-
>
> Don't confuse the Messenger program with the NT Messenger Service !
>
> Like I said, use a Router and the PC will not even see this traffic.
>
> You stated -- "...appear to have hidden information in the TCP headers"
> It is a UDP broadcast. There is no connection. It was NOT TCP, "Protocol: UDP (0x11)".
>
> You also stated -- "Perhaps I've overestimated the knowledge in this newsgroup - sorry."
> I hate it when people bite the hand that feeds them.
>
> /* Perhaps, you are overestimating your own knowledge. */
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Like I said they have been transmitting TCP and now have started using
UDP which prompted my interest in making knowledge of this wider - I did
not post the TCP version as I'm unwilling to spread the headers.

Burying your head in the sand - or in this case a router does nothing to
make the network safer. Such an act indicates stupidity beyond belief.
Advising people to ignore these things is IMHO simply criminal.
I can only feel sorry for anyone following the links on your sig.

Your responses are either deliberate misdirection or simple ignorance.
As I also said - this group has clearly lost all competence.
I shan't trouble you again.

-Pontius-
