
Norton Blocking "MS ASN1 Integer Overflow" Intrusion


16 replies to this topic

#1 confusedchris

confusedchris

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:09:23 PM

Posted 18 March 2006 - 06:02 AM

Hi,

I am using Windows XP Home edition, with Service Pack 3.

I am running Norton Antivirus 2005. I regularly receive the following message from Norton:
_______

Details: Attempted Intrusion "MS ASN1 Integer Overflow TCP" against your machine was detected and blocked.
Intruder: 84.183.235.235(3660).
Risk Level: High.
Protocol: TCP.
Attacked IP: CHRISGRAY(84.115.134.94).
Attacked Port: netbios-ssn(139).
_______

I have looked on the Microsoft security updates page, but the available patches for this 'Integer Overflow' problem are not relevant to me, since I already have Service Pack 3 installed.

What does this Norton message mean? Should I be worried? How can I fix this?

Thanks very much for your help.

regards
Chris


 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:03:23 AM

Posted 18 March 2006 - 06:03 AM

Hi Chris

Your best bet is to take a read here first:
http://www.symantec.com/avcenter/attack_sigs/s20421.html

David

#3 confusedchris

confusedchris
  • Topic Starter


Posted 18 March 2006 - 06:10 AM

Thanks David...but I have already looked at this. The linked Microsoft Security bulletin seems to suggest that only Service Pack 1 should be affected (they provide a patch for this - doesn't help me though!)

any other input gratefully received...!

Thnx

#4 -David-


Posted 18 March 2006 - 10:27 AM

"I am using Windows XP Home edition, with Service Pack 3."

Are you sure about this? There is no XP service pack 3. There is an Office SP3, and a Windows 2000 SP3.
Can you confirm what the actual service pack for Windows is?

David

#5 confusedchris


Posted 18 March 2006 - 10:30 AM

Yeah - sorry! I have Windows XP with service pack 2 (not 3!)

regards
Chris

#6 -David-


Posted 18 March 2006 - 10:33 AM

Does this ring any bells at all:

DTAG Global IP-Addressing
Deutsche Telekom AG
D-90492 Nuernberg
Germany
+49 180 5334332
+49 180 5334252
ripe.dtip@telekom.de


Do you live anywhere near there, or use DTAG Global IP-Addressing?

David

#7 confusedchris


Posted 18 March 2006 - 10:36 AM

I live in Austria, which borders Germany, so yeah not so far away.

I don't know what "DTAG Global IP-Addressing" is. Where did you get this info?!

Chris

#8 -David-


Posted 18 March 2006 - 10:39 AM

Well, the IP that is trying to infiltrate your computer is rooted to that address. You can use a program called SmartWhoIs to determine the roots of IP addresses.
Give me a bit and I'll research and see what I can find. One additional question - is your Norton up to date? If not then please update it now.

David

#9 -David-


Posted 18 March 2006 - 10:55 AM

Basically, this message is generated because a remote computer is trying to get into your computer (which is bad as you can understand).
Norton is doing its job and has blocked that attack.
After updating Norton let me know what happens.
David

#10 confusedchris


Posted 18 March 2006 - 11:08 AM

Hi David,

Ok, I've updated Norton (and there were a few new things to install). However, Norton has stopped informing me regularly about this attack since at some point I clicked on 'don't notify me about this problem again'. Perhaps this was foolish of me? I was getting really distracted from work by the constant messages popping up!

Is it likely that the attempt by the remote computer is a deliberate act by someone at the source IP address? Should I / can I take any further action to prevent this?

Thanks very much for your support

Chris

#11 -David-


Posted 18 March 2006 - 11:34 AM

I think that Norton is just doing its job and blocking the intrusion. It happened to me a while back, I just used my firewall to block (Kerio) and asked the firewall to stop notifying me. After about a week I turned the notifications back on and nothing came up. I'm by no means an expert at this sort of thing, but I imagine this intrusion was not directed solely at you. As long as Norton is updated and enabled you should be safe.

One thing that may be happening is that you may have some sort of file on your computer that is calling this IP to access your computer. It's a long shot but by no means impossible. What I suggest is that I ask for a HijackThis log from you. I can then get you transferred to a security expert who can generally see if you are clean and perhaps offer further insight to the problem. What do you think?

David

#12 confusedchris


Posted 18 March 2006 - 11:41 AM

Sounds good! I think first it would be a good idea for me to run Ad-Aware to make sure I'm as clean as possible, then I'll run HijackThis and post the log on this thread. Could you tell me a couple of things:

1. How do I reactivate the notification from Norton?
2. How do I run HijackThis? (I did it a couple of years ago, but can't remember the drill!)

Thanks
Chris

#13 -David-


Posted 18 March 2006 - 11:46 AM

I need to look up how to reactivate that message. In the meantime I recommend you follow the HijackThis preparation guide which can be found here. It is important that you follow the guide closely. A number of scans will be run which may well fix your problem. You may find you have some of the programs already - like Ad-Aware as you said.

As the guide says, after you have completed the scans that are recommended, please post your "HijackThis" log in a new topic in the forum found here. Please add your system information and also what problems you are having. Please be patient, and a HJT team member will help you to clean up your system.

David

P.S. Also give a link back to this topic.

#14 confusedchris


Posted 19 March 2006 - 04:25 AM

Hi,

I've run through this suggested procedure and posted my HijackThis log here:

http://www.bleepingcomputer.com/forums/t/47125/possible-worm-agobotao-infection/


No reply yet...but I know you guys are busy! Hope someone can help.

Thanks for all the support David.

Regards,
Chris

#15 -David-


Posted 19 March 2006 - 04:40 AM

Excellent Chris --> you've got lots of detail there.
At the moment the HJT forum is getting snowed under - don't bump the topic as it will put you to the back of the queue. At the moment there are logs dating back to the 13th which haven't been answered.
Nevertheless you will definitely get an answer, but it may not be for a few days now.
Good luck, and if you have any extra questions, ask here.
David



