myNetWatchman Incident 66569752

Confirmation: Clear tcp/139 and tcp/445 scanning activity

TCP table:

PID        0   68.8.92.220:1058   68.252.33.63:139    TIME_WAIT
PID        0   68.8.92.220:1060   68.252.33.65:139    TIME_WAIT
PID        0   68.8.92.220:1138   68.212.97.222:139    TIME_WAIT
PID        0   68.8.92.220:1139   68.212.97.223:139    TIME_WAIT
PID        0   68.8.92.220:1142   68.212.97.226:139    TIME_WAIT
PID        0   68.8.92.220:1143   68.212.97.227:139    TIME_WAIT
PID        0   68.8.92.220:1147   68.212.97.231:139    TIME_WAIT
PID        0   68.8.92.220:1149   68.212.97.233:139    TIME_WAIT
PID      760   68.8.92.220:1157   68.212.97.241:139   ESTABLISHED   C:\WINDOWS\Explorer.EXE
PID        0   68.8.92.220:1182   68.121.22.164:139    TIME_WAIT
PID        0   68.8.92.220:1183   68.121.22.165:139    TIME_WAIT
PID      760   68.8.92.220:1189   68.121.22.171:139   ESTABLISHED   C:\WINDOWS\Explorer.EXE
PID        0   68.8.92.220:1208   68.252.33.69:139    TIME_WAIT
PID        0   68.8.92.220:1210   68.252.33.71:139    TIME_WAIT
PID      760   68.8.92.220:1214   68.252.33.75:139   ESTABLISHED   C:\WINDOWS\Explorer.EXE
PID      760   68.8.92.220:1216   68.252.33.77:139   ESTABLISHED   C:\WINDOWS\Explorer.EXE
PID        4   68.8.92.220:1241   68.121.22.169:445     SYN_SENT   System
PID        4   68.8.92.220:1242       LISTENING   System
PID        4   68.8.92.220:1242   68.121.22.169:139     SYN_SENT   System
PID        4   68.8.92.220:1244   68.212.97.233:445     SYN_SENT   System
PID        4   68.8.92.220:1245       LISTENING   System
PID        4   68.8.92.220:1245   68.212.97.233:139     SYN_SENT   System
PID        4   68.8.92.220:1247   68.252.33.73:445     SYN_SENT   System
PID        4   68.8.92.220:1248       LISTENING   System
PID        4   68.8.92.220:1248   68.252.33.73:139     SYN_SENT   System

Identification of hostile app: C:\WINDOWS\Explorer.EXE

Command and control activity:

TCP table:
PID     2568      0.0.0.0:113       LISTENING   C:\WINDOWS\SYSTEM32\wdll32.exe
PID      760   68.8.92.220:2475   65.77.219.69:6667   ESTABLISHED   C:\WINDOWS\Explorer.EXE

Identification of hostile modules when Explorer.EXE piggybacking is utilized

Modules loaded into PID 760: "EXPLORER.EXE" / CmdLine: 'C:\WINDOWS\Explorer.EXE'
[snip]
	BaseAddr 0x10000000, LastMod 12/17/2003 5:07 AM  : "C:\WINDOWS\System32\rwtrisfg32.dll"

Identification of auto-start method

Entries for HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
	'SVCDriver' = 'WDLL32.EXE'