I recently had a huge attack of virus's on every windows machine 15 in my facility. The symptoms were mass port scans our to the internet of which I could view with tcpdump in real time. After finally getting a handle on all machines I find my primary workstation sending bursts of info on non conventional ports to the other machines (which are locked down) on the internal network. Further investigation shows that these bursts are tied to the "System idle process" PID. I have never been aware of this process doing anything other than just giving visual feedback to the viewer that the CPU is not being used.
Is anyone aware of a virus that attaches to or replaces the "System Idle Process" file and if so... can you point me to further information regarding what it is, how it may have come in, and how to insure it's total removal?
I have run both virus scans using NOC32 and SuperAntiSpyware and neither have identified any exploit. I am using a program called Process and Port Analyzer which associates the transmitting port with the PID which is clearly showing the "System Idle Process" PID (0) as sending on these unconventional ports. The ports are incrementing in ascending order from the source side as the previous request sits in a wait state due to no response from the destination and keys in on ports 123, 137, 138, and 445 at the destination side.
If this is not a virus... can someone tell me if this is normal activity to go out and interrogate other machines while the CPU is idle?