Windows 2000 Server Connecting to net every 10mins

Wizzywigsheep
I am running Windows 2000 Server as a domain controller; after the first phone bill, there was obviously a problem.
Virus-scanned every PC connected to the network, nothing showed up. Then I got a program to view what was making the connection. "Service.exe" keeps connecting to my ISP mail server. Would there be any reason for this?
Commented:
Hello,

www.cert.org/incident_notes/IN-2000-01.html

service.exe is part of a DDOS tool.

From www.sans.org/newlook/resources/IDFAQ/trinoo.htm:

Wintrinoo

The addition of Windows machines to the pool of potential zombies increases the overall threat and destructive capability of DDoS attacks. Wintrinoo is a Windows version of trinoo that was first reported to CERT on February 16th 2000 (CERT IN-2000-01). (Note that TFN2K, derived from TFN, also runs on NT and appeared in December 1999.) In the wintrinoo case, zombies are formed by machines that run the program service.exe. Typically, this program comes to be executed in a number of ways:

users run the program when it arrives as an e-mail attachment
it is executed by document macros
it is installed and run via Back Orifice.
When executed, service.exe installs a copy of itself to \windows\system and adds a registry entry making it restart when the system restarts. The pertinent key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

When running, service.exe will appear in the Windows task-list and it can be ended. However, service.exe will restart unless the registry entry is deleted. It must be noted that service.exe is distinct from the normal services.exe.

Service.exe is approximately 23kB in size and will run on Windows NT4, 95 and 98. It differs from the trinoo daemon in that it listens for masters on UDP port 34555 and passes information to the masters on UDP port 35555. As with trinoo, this can be observed using the command: netstat -an. Service.exe has been found on systems concurrently infected with Back Orifice suggesting that this trojan horse may have been the method of entry. (Gary Flynn, 2000).

You should try using Ad-Aware and let it detect and remove all the spyware. It might be that you will have to remove the service.exe by hand.

Mishou
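The answer above gives two host-level indicators for wintrinoo: a UDP socket on port 34555 (or 35555) visible in `netstat -an`, and a `Run` key value that launches `service.exe` (as opposed to the legitimate `services.exe`). The script below is an added triage example, not code from the question, the answer, or the SANS/CERT write-ups it quotes. It parses Windows `netstat -an` output and a dump of the `Run` key for exactly those indicators; the sample netstat text, paths and value names are constructed for illustration. On a Windows host it reads the live data with `winreg` and `subprocess` (this live path is an assumption; it is not something the original poster could have run on Windows 2000, where Python 3 is unavailable).

```python
"""Triage helper for the wintrinoo indicators quoted in the answer above:
a UDP listener on 34555 / reports to masters on 35555, and a Run-key entry
that starts service.exe (not the Windows Service Control Manager, services.exe)."""
import ntpath
import sys

WINTRINOO_UDP_PORTS = {34555, 35555}   # ports named in the SANS/CERT description
SUSPECT_IMAGE = "service.exe"          # file name used by the trojan
LEGIT_IMAGE = "services.exe"           # legitimate Windows binary; must not be flagged


def parse_netstat(text):
    """Parse Windows 'netstat -an' output into (proto, local_ip, local_port, foreign, state)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # skip the 'Active Connections' banner, the column header and blank lines
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0].upper(), parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""      # UDP rows carry no state column
        ip, _, port = local.rpartition(":")              # also copes with [::]:port
        if not port.isdigit():
            continue
        rows.append((proto, ip, int(port), foreign, state))
    return rows


def find_wintrinoo_sockets(netstat_text):
    """Return UDP sockets bound to the ports the answer associates with wintrinoo."""
    return [r for r in parse_netstat(netstat_text)
            if r[0] == "UDP" and r[2] in WINTRINOO_UDP_PORTS]


def image_name(command):
    """Extract the executable's file name from a Run-key command line,
    handling both quoted ('"C:\\x\\service.exe" -arg') and bare forms."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split()[0] if command else ""
    return ntpath.basename(exe).lower()


def find_wintrinoo_run_entries(run_values):
    """Given {value_name: command} from HKLM\\...\\CurrentVersion\\Run,
    return the entries that launch service.exe (services.exe is left alone)."""
    return {name: cmd for name, cmd in run_values.items()
            if image_name(cmd) == SUSPECT_IMAGE}


# Constructed sample input: one ordinary host with the trojan's listener present.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.25:25       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:34555          *:*
"""

# Constructed Run-key dump: value names and paths are illustrative only.
SAMPLE_RUN_VALUES = {
    "Synchronization Manager": "mobsync.exe /logon",
    "SystemService": r'"C:\WINDOWS\system\service.exe"',
    "ServiceControl": r"C:\WINDOWS\system32\services.exe",
}


def collect_live_indicators():
    """On Windows, read the real netstat output and Run key (assumed API usage:
    winreg.EnumValue and subprocess.run). Elsewhere return None."""
    if sys.platform != "win32":
        return None
    import subprocess
    import winreg
    netstat_text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    values, index = {}, 0
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:          # no more values under the key
            break
        values[name] = str(data)
        index += 1
    return netstat_text, values


if __name__ == "__main__":
    live = collect_live_indicators()
    netstat_text, run_values = live if live else (SAMPLE_NETSTAT, SAMPLE_RUN_VALUES)
    for row in find_wintrinoo_sockets(netstat_text):
        print("suspicious UDP socket:", row)
    for name, cmd in find_wintrinoo_run_entries(run_values).items():
        print("suspicious Run entry: %s = %s" % (name, cmd))
```

Note that these checks cover only the wintrinoo hypothesis in the answer; a `service.exe` that talks to the ISP mail server on TCP port 25 rather than the UDP ports above would not be caught by the socket check, so the `Run` key check is the one to rely on for the original symptom.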
