We determine in our local network an instability, this is due to spread of malware through in it.
The malware uses the method of attack based ARP to the local network Gateway (192.168.1.1).
Indeed machine "A" owner of the MAC address "MacA" send packages ARP broadcast on the network indicating that the bridge is the machine A (192.168.1.1(the right address of Gateway) is at "MacA"), so many machines in our network used a wrong ARP i(I mean MACA of infected machines by this malware)
After a long check on them to identify this malware. we found : these machines were infected by:
svchost.exe" (175 KO, 179200 Bytes) uses the DLL Packet.dll and wpcap.dll and wanpacket.dll ... \ drivers \ npf.sys.
- There realize a scan of all networks 192.168- and 172.16- and 10.0-
- It has a "80-port insert" in the svchost paquet
-at last we have another problem; when we open web page (as IE or Firefox) before we get the response and taking two or three seconds, the page displays a little gray bare (even we use windows or Linux system) and the view page source return this hxxp://220.127.116.11/iframe and this are included in the svchost.exe paquet but it was crypted.
- Can somebody help me and explain me haw can we resolve this and clean our local network from this malwre?
Thank's in advance
Edited by quietman7, 23 October 2007 - 02:30 PM.