Geeks With Blogs
Henk Devos - Henk's Random Thoughts

Subject: SPAM - First Warning

Imagine my surprise when I received this email from my ISP. They claimed they had received complaints about spam that was being sent through my account.
Maybe I had a virus or an open relay?

Of course at first I thought it was just a case of a spoofed email address or spoofed IP number, and my ISP being too dumb to see that. When I asked them, they sent me a copy of the malicious email.

They seemed to be right: my IP address seemed to have been used as a relay. But I run virus scans all the time and I'm not running an SMTP server. Or am I?

So the next step was running a port scan on my own machine to prove that I didn't have any open ports.
Boy, was I in for a surprise!
Not only my SMTP, but also my POP3, NNTP, NetBT and a whole bunch of other ports were open.

The only explanation was that I had a very good trojan running. It didn't show up in the Task Manager. I couldn't telnet to the open ports: the connection was closed immediately. Programs like fport didn't see my ports as open.
Impressive work, whoever wrote this trojan.
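The self-check described above (scan your own machine, then see how each open port behaves when you connect) can be scripted so that the "accepted, then closed immediately" symptom is told apart from a port that is closed and from one where a real service answers with a greeting. The script below is an added example, not code from the post; the port list is built from the services the post names, it runs against the loopback address, and the fake listeners are constructed stand-ins used only to show the three behaviours side by side.

```python
import socket
import threading

# Ports named in the post; the table itself is constructed for this example.
SERVICE_PORTS = {25: "SMTP", 110: "POP3", 119: "NNTP", 139: "NetBT"}


def probe_port(host, port, timeout=1.0):
    """Connect to host:port and classify what happens.

    Returns one of:
      "closed"                  - nothing accepted the connection
      "open-closed-immediately" - accepted, then closed without sending anything
                                  (the behaviour described in the post)
      "open-silent"             - accepted, nothing sent within the timeout
      "open-reset"              - accepted, then the peer reset the connection
      "open-banner:<text>"      - accepted and a greeting was sent (a real service)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:            # refused, unreachable or timed out: not listening
        s.close()
        return "closed"
    try:
        data = s.recv(256)     # wait for a greeting, if any
    except socket.timeout:
        return "open-silent"
    except OSError:
        return "open-reset"
    finally:
        s.close()
    if not data:               # EOF right after accept: the peer hung up on us
        return "open-closed-immediately"
    return "open-banner:" + data.decode("ascii", "replace").strip()


def check_ports(host="127.0.0.1", ports=SERVICE_PORTS):
    """Probe every port in `ports` and return {port: (name, state)}."""
    return {p: (name, probe_port(host, p)) for p, name in ports.items()}


def start_fake_listener(banner=None):
    """Constructed test double, not a real service: listen on an ephemeral
    loopback port, accept one connection, optionally send `banner`, then close.
    With banner=None it reproduces the accept-then-close symptom from the post.
    Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_unused_port():
    """Let the OS pick a free loopback port, release it and return the number."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real check against this machine ...
    for port, (name, state) in sorted(check_ports().items()):
        print(f"{port:>5} {name:<6} {state}")
    # ... and the behaviours side by side on constructed listeners.
    print("accept-then-close:", probe_port("127.0.0.1", start_fake_listener()))
    print("service banner:   ", probe_port("127.0.0.1", start_fake_listener(b"220 fake-smtp ready\r\n")))
    print("nothing listening:", probe_port("127.0.0.1", find_unused_port()))
```

A port that reports "open-closed-immediately" is accepting TCP connections even though no application ever speaks on it, which is exactly why it looks open to a scanner yet refuses a telnet session; comparing the script's view with what a per-process tool such as fport or TCPView attributes to a program is the quickest way to spot a listener that the process list does not account for.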

So I tried to hunt down this bad trojan. Not much luck though... I scanned with HijackThis, normally very good for this kind of situation (detecting trojans that are not detected yet). But I didn't see anything suspicious. And whatever I removed, my ports were still open.

Until I disabled my Internet Connection Sharing.

I had set it up correctly. I indicated that I did NOT want an SMTP server, a POP3 server, and the like. I furthermore indicated that my connection was only to be shared with my local interfaces.

Is this a bug in Internet Connection Sharing?
Is it the default behavior?
(Note: This is on Windows 2000.)

Do you Microsoft guys understand that you almost caused my ISP account to be closed down?

Posted on Saturday, February 28, 2004 6:39 PM


Comments on this post: A trojan called Windows

# re: A trojan called Windows
LOL that has to be the best worst windows experience story I've heard in a while. But what I have surmised is that a trojan was dropped on your computer by a spammer (possibly thru file sharing p2p program) and was used to change your preferences (open relay gayness). From here they melted the server wrote down your IP and used you for their mailing fun. (either that or someone used your computer/played with your settings/ and someone was scanning for open relays and for your computer. In either case you need to go to www.sysinternals.com and download these programs:

Autoruns - Quality Startup controller
TCP View - Shows all programs and their out bound connections/ports/type
and ProcView - View ALL process and kill any process you want. Catches those programs that hide from windows taskman.


hope I helped, peace.


mail at: "Quafboy"(59)Idontlikespam!)"@hotmail.com"

sorry but I hate spam so I formatted it crazy as to rid myself of email harvesters.
Left by Nick on Dec 01, 2004 11:40 PM

# re: A trojan called Windows
I checked my settings, they were not changed, and I had no trojans at the time...
Left by Henk Devos on Dec 01, 2004 11:48 PM



Copyright © Henk Devos | Powered by: GeeksWithBlogs.net