Win32:CVE-2009-3103 [Expl] attack from 115.240.ABC.XYZ:445

Folks,
I’m getting the following message every couple of minutes for the last 24 hours: ‘Win32:CVE-2009-3103 [Expl] attack from 115.240.ABC.XYZ:445’
The values in ABC and XYZ are different each time. I checked the IP addresses and they all belong to one company - Reliance communications, who also happens to be my wireless broadband provider. Is there something I should be doing or can I simply ignore the messages?

Chao,
mfbloke

Check your computer for Malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button “remove selected” to quarantine anything found, and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found other than cookies you may post the scan logs here

See http://www.grc.com/port_445.htm for info on port 445.

Whilst this IP might be assigned to your Broadband provider, IPs are dynamically assigned as you connect. So this is likely to be a customer whose system is infected and trying to infect other systems.

Presumably this is an alert by the Network Shield (see images)?

And this is the bug that uses port 445:

W32/Lioten.A (see spreading description)
http://www.norman.com/security_center/virus_description_archive/55823/en

W32/Lioten Malicious Code
http://www.cert.org/incident_notes/IN-2002-06.html

Secunia ( CVE-2009-3103 )
http://secunia.com/advisories/cve_reference/CVE-2009-3103/
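As an added example (not code from the thread or from Avast), here is a small Python script that parses Network Shield alert lines in the format quoted above, groups the source addresses by /16 so you can see whether a burst of alerts comes from one provider range, and separates local from external sources. The line format is assumed from the single quoted alert, and the sample lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed alert format, taken from the one line quoted in the thread:
#   <signature> [<kind>] attack from <ip>:<port>
ALERT_RE = re.compile(
    r"^(?P<sig>[\w:.\-]+) \[(?P<kind>\w+)\] attack from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)

def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "signature": m.group("sig"),
        "kind": m.group("kind"),
        "ip": ipaddress.ip_address(m.group("ip")),
        "port": int(m.group("port")),
    }

def summarize_by_range(lines, prefix_len=16):
    """Count alerts per (signature, source network, port), aggregating
    source IPs into /prefix_len blocks (default /16)."""
    counts = Counter()
    for a in filter(None, map(parse_alert, lines)):
        net = ipaddress.ip_network(f"{a['ip']}/{prefix_len}", strict=False)
        counts[(a["signature"], str(net), a["port"])] += 1
    return counts

def external_sources(lines, local_nets):
    """Distinct source IPs that are NOT inside any of the given local networks.
    Many distinct external sources hitting one port points to external scanning,
    not to something originating on the local machine."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    return {
        str(a["ip"])
        for a in filter(None, map(parse_alert, lines))
        if not any(a["ip"] in n for n in local)
    }

# Constructed sample alerts (documentation/private address ranges, not real attackers).
SAMPLE_ALERTS = [
    "Win32:CVE-2009-3103 [Expl] attack from 203.0.113.4:445",
    "Win32:CVE-2009-3103 [Expl] attack from 203.0.113.77:445",
    "Win32:CVE-2009-3103 [Expl] attack from 203.0.113.200:445",
    "Win32:CVE-2009-3103 [Expl] attack from 192.168.1.20:445",
    "some unrelated log line",
]
</test>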

Hi DavidR,
Thank you for the info. Yes, the messages are from the network shield.

Hi Pondus,
I’ve downloaded Malwarebytes and am running a scan now. Will let you know if it picks up something.
I had run a quick scan of the MS Windows Malicious Software Removal Tool, but it did not pick up anything. A quick scan from PC Tools Spyware Doctor also did not reveal anything :(

Chao
mfbloke

The quick scan of Malwarebytes was clean. I’m gonna run a full scan now. Don’t know how long that is going to take…

I doubt you would have found anything as it was a random, speculative, external attack, so not originating on your system.

A full scan from Malwarebytes flagged a file in a folder that I have had on my system for more than two years now. Malwarebytes removed the offending file. The messages from Avast network shield have stopped since then.
But I do believe you are right, DavidR. The attacks were external. Malwarebytes cleaning my system and the attacks stopping must be just a coincidence.

Thanks all.
Mfbloke.

What would have helped would have been posting the contents of the MBAM log so we could see what was detected.

Whilst it is possible that the network shield could detect outbound calls to a DNS server for a domain, this isn’t for a domain name but an IP address, so there is no need for a DNS check. Also, the malware name tends to indicate an exploit from an external site rather than an internal connection to that site.

here you go… (ignore the time elapsed… I had to pause the scan for some time…)

Malwarebytes’ Anti-Malware 1.44
Database version: 3545
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

13-01-2010 8:57:16 AM
mbam-log-2010-01-13 (08-57-16).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 363269
Time elapsed: 14 hour(s), 11 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\setups\VCD Cutter v4.04\VCDCut.exe (Malware.Packer) → Quarantined and deleted successfully.

Is this VCD Cutter v4.04 program something you have had for some time?

If so I would suggest you restore the VCDCut.exe file from the MBAM Quarantine and have the file analysed and report the findings.

You could also check the offending/suspect file at VirusTotal (multi-engine online virus scanner) and report the findings here, with the URL from the address bar of the VT results page.

Also, Anubis: Analyzing Unknown Binaries is another scanning tool that is useful, http://anubis.iseclab.org/?action=home. Same deal, post the HTML results page URL.