So we've had an internal network problem where our network would go down every 10 minutes or so from a DoS attack coming from within. It was really annoying. So Mike and Jason started looking into the issue yesterday about 11am and couldn't find it as of 6pm. They came in early again today, and limited the problem down to 4 possible Windows boxes. Whenever one of those boxes would get plugged into the network, poof, everything would die. The problem was, no virus scanner (with updated definitions, etc) could find the damn thing.
So I go and sit down and the first thing I do is a netstat -an. Let's see what's making waves shall we? What do I see? A process listening on 5000 sequential ports. Hmm.. could this be our problem? Yeah...
So I narrowed the issue down to msmsgs.exe. But wait, isn't that the old version of MSN Messenger? Why yes... it is. Someone wrote a 106 KB virus with that executable name (might be 108 KB if you're on an NTFS drive though) that lives in the System32 directory. Killing that process would cause all the network activity on the 5000+ ports to die off, leaving only the normal network activity (DHCP stuff mostly), and life would go back to normal. Removing the file from the infected systems caused no harm, and the file did not respawn. Note that you may have to rename the file on the file system and reboot before you can actually kill it from the task manager (this happened on one out of four systems here). Also, this virus starts itself up via the registry, so search for msmsgs.exe in the registry and remove it everywhere you run into it.
So here's a summary:
- If you have a file under the System32 named "msmsgs.exe" that is roughly 106 KB in size, you have this virus. To verify you have the problem, go to Start->Run and enter "cmd". At the command prompt, type in "netstat -an" and if you see a whole bunch (like > 25) of activity, then you're infected.
- Kill the process from the task manager. If you can't, then rename the file on the hard drive and reboot your machine.
- Remove the file from the System32 directory.
- Go into RegEdit (you can get there from Start->Run as well) and search for "msmsgs.exe" and remove all references to it.
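As an added illustration of the netstat check in the summary (my own example, not part of the original post), this Python script parses Windows `netstat -an` text output and flags a large block of sequential listening TCP ports. The sample output is constructed, and the 5000-port block is shortened to 40 ports to keep it readable.

```python
"""Parse Windows `netstat -an` output and report the longest run of
consecutive LISTENING TCP ports (the symptom described in the post)."""
import re
from typing import List, Tuple

# Constructed sample: a few normal listeners plus a block of sequential
# listening ports (assumed values, not captured from a real infected box).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:68             *:*
""" + "".join(
    f"  TCP    0.0.0.0:{p:<15} 0.0.0.0:0              LISTENING\n"
    for p in range(5000, 5040)
)

# Matches one TCP line in LISTENING state and captures the local port.
LINE_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_ports(netstat_output: str) -> List[int]:
    """Return the sorted, de-duplicated TCP ports in LISTENING state."""
    ports = {int(m.group(1)) for line in netstat_output.splitlines()
             if (m := LINE_RE.match(line))}
    return sorted(ports)

def longest_sequential_run(ports: List[int]) -> Tuple[int, int]:
    """Return (start_port, run_length) of the longest consecutive run."""
    best_start, best_len, i = 0, 0, 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        if j - i + 1 > best_len:
            best_start, best_len = ports[i], j - i + 1
        i = j + 1
    return best_start, best_len

def looks_infected(netstat_output: str, threshold: int = 25) -> bool:
    """Post's rule of thumb: more than `threshold` listening ports, and a
    sequential block longer than `threshold`, is worth investigating."""
    ports = listening_ports(netstat_output)
    return len(ports) > threshold and longest_sequential_run(ports)[1] > threshold

if __name__ == "__main__":
    ports = listening_ports(SAMPLE_NETSTAT)
    start, run = longest_sequential_run(ports)
    print(f"{len(ports)} listening ports; longest run {run} from {start}; "
          f"suspicious={looks_infected(SAMPLE_NETSTAT)}")
```

On a live box, pipe the real output in with `netstat -an > ports.txt` and feed the file contents to `looks_infected`; a clean machine with a handful of listeners returns `False`.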
Hopefully other people who are getting bitten by this find my steps helpful. I know we already lost close to two full man-days from it!
Somehow.. from the depths of my perverse creative left half of my brain and the randomly present comedian self that shows up...
I can only picture you running around the office in Khaki shirt and shorts, with a hard hat... screaming..
"If I stick my thumb up its butthole, that ought to really piss it off!"
You scare me sometimes Jake. ;-)
ROFL!!!! Crikey that there is a beaut...hehe...thanks for the notes on the blog man...and yeah...you are right about what I was talking about..peace out homie.
How strange,
I seem to have more than 25 and I'm not infected. (I've done what you said and all is normal). ps. msmsgs is not even in the task manager. msnmsgr is ;)
It depends on what you have running when you boot the machine up. Netstat (with -an) will show you any socket in any state (open, connected, listening). So when you first boot the computer up (assuming you don't have a ton of things auto-starting up), you should only have a handful of connections. Plus, since you don't have msmsgs.exe, you're safe. :-)