
Microsoft "Messenger Service"


yams

Sep 12, 2002, 5:57:32 PM
I believe I only had Outlook Express running, writing a message, when all of a
sudden I got a "Messenger Service" popup message from an Internet Marketing
spam site.

This blew me away! I am usually very careful and don't install anything I
don't need. I don't use ICQ, MSN or any of that crap. This is on my home
ADSL account.

How did this occur?

I turned off the Messenger service, but somehow this was "activated" and
"executed" on my machine.

To see if this was done from the outside, from my office machine at work, I
attempted a

"NET SEND home_ip HELLO"

to see if my home machine is open. It failed. So this came from WITHIN my
home machine!

Can someone give me some insight as to what's going on?

Also, as I am cleaning up the machine, I have the following ports listening:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1588 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1584 *:*
UDP 67.34.202.215:500 *:*
UDP 127.0.0.1:1616 *:*

Are any of these suspicious?

thanks
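As an added example (not part of the thread), the following script triages a netstat listing like the one above: it parses the output, labels each listening socket with the Windows 2000/XP service that normally owns that port, notes whether the socket is bound to loopback or to all interfaces, and flags the sockets through which a remote host could deliver Messenger Service ("net send") pop-ups. The port labels are standard well-known assignments, and treating 135, 139 and 445 as the net send delivery paths is an assumption consistent with the later posts in this thread; the sample listing is copied from the original post.

```python
"""Triage of a Windows ``netstat -an`` listing.

Added example, not from the thread.  Port labels are assumed well-known
assignments; MESSENGER_PORTS is an assumption drawn from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the listing quoted in the original post.
NETSTAT_OUTPUT = """\
Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1588 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 0.0.0.0:1584 *:*
UDP 67.34.202.215:500 *:*
UDP 127.0.0.1:1616 *:*
"""

# Well-known assignments (assumption: standard IANA/Microsoft usage).
KNOWN_PORTS = {
    135: "RPC endpoint mapper (DCOM, Messenger RPC)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (SMB over NetBIOS)",
    445: "SMB over TCP (direct hosting)",
    500: "ISAKMP/IKE (IPsec key exchange)",
}

# Ports over which the Messenger Service accepts net send traffic
# (assumption consistent with the thread: 135/RPC plus the SMB paths).
MESSENGER_PORTS = {135, 139, 445}

@dataclass(frozen=True)
class Listener:
    proto: str   # "TCP" or "UDP"
    addr: str    # local bind address
    port: int    # local port

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def parse_netstat(text: str) -> list[Listener]:
    """Return sockets that accept inbound traffic.

    TCP rows count only in LISTENING state; UDP rows have no state column
    and are always bound and receiving."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank, or unrelated row
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.append(Listener(proto, addr, int(port)))
    return found

def exposure(addr: str) -> str:
    """Describe who can reach a socket bound to this address."""
    if addr.startswith("127."):
        return "loopback only"
    if addr == "0.0.0.0":
        return "all interfaces"
    return f"interface {addr}"

def label(port: int) -> str:
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if port > 1024:
        return "dynamic port (often RPC/DCOM); identify the owning process"
    return "unrecognised well-known port"

def triage(listeners: list[Listener]) -> list[dict]:
    rows = []
    for l in listeners:
        rows.append({
            "proto": l.proto,
            "port": l.port,
            "exposure": exposure(l.addr),
            "label": label(l.port),
            # A net send path needs a Messenger-related port reachable from the network.
            "messenger_path": l.port in MESSENGER_PORTS and not l.addr.startswith("127."),
        })
    return rows

def messenger_exposed(listeners: list[Listener]) -> set[tuple[str, int]]:
    """(proto, port) pairs a remote host could use to deliver pop-ups."""
    return {(l.proto, l.port) for l in listeners
            if l.port in MESSENGER_PORTS and not l.addr.startswith("127.")}

if __name__ == "__main__":
    for r in triage(parse_netstat(NETSTAT_OUTPUT)):
        flag = "  <-- reachable path for net send" if r["messenger_path"] else ""
        print(f"{r['proto']:<4}{r['port']:>6}  {r['exposure']:<16} {r['label']}{flag}")
```

On the listing above the script flags 135 and 445 on both TCP and UDP as the sockets that matter for this problem, shows 1616 as loopback-only (not reachable from the network) and 500 as bound to the ADSL address, and leaves the high-numbered dynamic ports for a process-level check.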

anon

Sep 21, 2002, 4:59:38 PM
The ports listed below are mostly recognisable as OK.
I assume you have Windows XP or 2000 as your operating system. Some
of the ports I don't recognise: 1588, 1584, 500, and 1616.
As for what happened, I don't know; possibly ActiveX, possibly some
background program. If it only happened once then it shouldn't be too
dangerous; if it keeps happening, then get AV & firewall software and
scan your system.


"yams" <Ih...@spammers.com> wrote in message news:<3%7g9.94379$2L.46...@e3500-atl2.usenetserver.com>...

Johnny Qwest

Sep 22, 2002, 10:07:01 PM
On Thu, 12 Sep 2002 17:57:32 -0400, "yams" <Ih...@spammers.com> wrote:

>I believe I only had OutLook Express running writing a message when all of a
>sudden I got a "Messenger Service" popup message from an Internet Marketing
>spam site.
>
>This blew me away! I am usually very careful and don't install anything I
>don't need. I don't use ICQ, MSN or none of that crap. This is on my home
>ADSL account.
>
>How did this occur?

More than likely they used the "net send" command and directed the
spam to your domain. I've seen it happen three times in the last two
weeks. Most recently on Friday the 20th.

It would be nice to know for sure how it was done though. If anybody
has any ideas...

flex

Sep 23, 2002, 2:11:01 PM
"Johnny Qwest" <nob...@nowhere.com> wrote in message
news:4jtsous9tmkgs3s22...@4ax.com...
DSL is basically an ethernet network. net send sends a broadcast "message"
to all logged on users. If you're online, you're logged on.

Flex


hector

Sep 25, 2002, 3:17:44 PM
I was the original poster on this thread:

I have since then done all sorts of things to isolate my machine. I have not
had it happen again since the original post. I'm a developer and I'm very
careful with things. I don't play e-games. I don't download anything I am
aware of. The only thing not in my control is Microsoft's software, in
particular Outlook and OE. On that original day it happened to me, I did
the following:

1) I was working from HOME on my Windows 2000/PRO machine. It is connected
via ADSL.

2) It looked like a NET SEND command which, if I remember my netbios
programming days, is a NETBIOS functionality, which means I must have had
one of the Microsoft NetBEUI ports open. I don't. To confirm this, I
connected to my office machine via PCAnyWhere and issued a NET SEND to my
home machine IP. It could not find the machine. I don't believe you can
use NET SEND if the proper Microsoft ports 135-137 are not open. Maybe
others can confirm this.

3) So I figured that somehow, this was done via maybe a hole/backdoor with a
HTML message I was reading in outlook or something. However, this couldn't
be it because quite simply I wasn't reading such a message. I was writing a
message. So I figure it was maybe something already installed on my
machine.

4) Since this is my home machine, my girls used to use Yahoo or MSN chat
stuff a few months back. They don't any more, but I checked some
installation logs and found some MSN CHAT install problem. I removed all
the ActiveX objects from IE. I removed/uninstalled all programs I was not
familiar with. I turned off any NT service I was not using, including
Messenger Service and some others that open some ports on my machine.

5) I then did some Google research using "NET SEND" and "VIRUS" as keywords
and I found there was a recent Windows Security Flaw report AKA "Shatter"
as it was named by the founder of the flaw. It explains how there is a
fundamental flaw in Windows that Microsoft has since acknowledged. It
specifically illustrates how "NET SEND" can be used from a DESKTOP
application.

I was very busy and I didn't follow all the details of this report, but I
assumed this was the only explanation for it.

The url for this shatter report is:
http://security.tombom.co.uk/shatter.html

The microsoft response to this report:
http://www.microsoft.com/technet/security/topics/htshat.asp

See ya

Hector
----

"Johnny Qwest" <nob...@nowhere.com> wrote in message
news:4jtsous9tmkgs3s22...@4ax.com...

hector

Sep 25, 2002, 3:19:49 PM
I've cleaned up my machine. No ActiveX applications. No Messenger Service.
No unknown ports.

The only explanation for this is that SHATTER "flaw." See my other message in
this thread.

---


"anon" <eny1en...@hotmail.com> wrote in message
news:bf29860f.02092...@posting.google.com...

Richard Akerman

Oct 12, 2002, 3:37:31 PM
"hector" <nos...@nospam.com> wrote in message news:<3Jnk9.13116$Ov6.2...@e3500-atl1.usenetserver.com>...

> I was the original poster on this thread:
>
> I have since then done all sorts of things to isolate my machine. I have not
> had it happen again since the original post. I'm a developer and I'm very
> careful with things. I don't play e-games. I don't download anything I am
> aware of. The only thing not in my control is Microsoft's software, in
> particular Outlook and OE. On that original day it happened to me, I did
> the following:
>
> 1) I was working from HOME on my Windows 2000/PRO machine. It is connected
> via ADSL.
>
> 2) It looked like a NET SEND command which, if I remember my netbios
> programming days, is a NETBIOS functionality, which means I must have had
> one of the Microsoft NetBEUI ports open. I don't. To confirm this, I
> connected to my office machine via PCAnyWhere and issued a NET SEND to my
> home machine IP. It could not find the machine. I don't believe you can
> use NET SEND if the proper Microsoft ports 135-137 are not open. Maybe
> others can confirm this.

Check out these links on the NET SEND messenger spam issue.

http://www.dslreports.com/forum/remark,4675583~root=security,1~mode=flat;start=20#4687551

http://www.dslreports.com/forum/remark,4675858~root=security,1~mode=flat#4682964

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

The summary is it is using port 135, which is sneaky, because it's not
blocked by the usual NetBIOS filters.

-- Richard Akerman
http://www.akerman.ca/trojan-port-table.html#netsend

Jajones20

Oct 26, 2002, 3:31:59 PM
I've had this problem, too. I finally (I hope) solved it by closing ports 135
and 445 and disabling Messenger Service. For info on how to do this, go on
Google and search for "disable port 135." There's lots of good info there.
-jackie
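The following is an added example, not from anyone in this thread, that models the two fixes Jackie describes (closing 135 and 445, and disabling Messenger Service) together with Richard's point that a filter covering only the NetBIOS ports 137-139 leaves 135 open. It evaluates constructed inbound packets against a weak rule set and a corrected one using first-match semantics, then combines the filter result with the service state, since a pop-up needs both an open path and a running Messenger Service. The rule format, the packet samples and the set of ports treated as net send delivery paths (135, 139, 445) are constructed for illustration and are not any real firewall's syntax.

```python
"""Weak vs. corrected inbound filter for Messenger Service pop-ups.

Added example, not from the thread.  Rule format and packets are
constructed; MESSENGER_PORTS is an assumption drawn from the thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str             # "block" or "allow"
    proto: Optional[str]    # "TCP", "UDP", or None for either
    ports: Optional[range]  # destination ports, None for any

# Weak configuration: the "usual NetBIOS filter", which blocks 137-139 only.
NETBIOS_ONLY = [
    Rule("block", None, range(137, 140)),
    Rule("allow", None, None),
]

# Corrected configuration: additionally blocks the RPC endpoint mapper (135)
# and direct-hosted SMB (445), the two ports the thread identifies.
CORRECTED = [
    Rule("block", None, range(135, 136)),
    Rule("block", None, range(137, 140)),
    Rule("block", None, range(445, 446)),
    Rule("allow", None, None),
]

# Ports over which Messenger Service accepts net send traffic (assumption).
MESSENGER_PORTS = {135, 139, 445}

# Constructed inbound packets: the pop-up delivery paths plus two unrelated
# packets, to show the corrected filter does not over-block.
INBOUND = [
    ("UDP", 135, "net send via RPC endpoint mapper"),
    ("TCP", 139, "net send via SMB over NetBIOS session"),
    ("TCP", 445, "net send via direct-hosted SMB"),
    ("UDP", 137, "NetBIOS name query"),
    ("TCP", 3389, "unrelated Terminal Services connection"),
]

def evaluate(rules: list[Rule], proto: str, dport: int) -> str:
    """First matching rule decides; default allow when nothing matches."""
    for r in rules:
        if r.proto not in (None, proto):
            continue
        if r.ports is not None and dport not in r.ports:
            continue
        return r.action
    return "allow"

def reachable_paths(rules: list[Rule]) -> set[tuple[str, int]]:
    """Messenger delivery paths the rule set still lets through."""
    return {(p, d) for p, d, _ in INBOUND
            if d in MESSENGER_PORTS and evaluate(rules, p, d) == "allow"}

def popup_delivered(rules: list[Rule], service_running: bool,
                    proto: str, dport: int) -> bool:
    """A pop-up needs an open path AND a running Messenger Service."""
    if not service_running or dport not in MESSENGER_PORTS:
        return False
    return evaluate(rules, proto, dport) == "allow"

if __name__ == "__main__":
    for name, rules in (("NetBIOS-only filter", NETBIOS_ONLY),
                        ("corrected filter", CORRECTED)):
        paths = sorted(reachable_paths(rules))
        print(f"{name}: net send paths still open -> {paths or 'none'}")
        for proto, dport, desc in INBOUND:
            print(f"  {proto} {dport:<5} {evaluate(rules, proto, dport):<5} {desc}")
    # Service disabled: even the weak filter delivers no pop-ups.
    print("NetBIOS-only filter, service disabled, UDP/135 ->",
          popup_delivered(NETBIOS_ONLY, False, "UDP", 135))
```

The output shows why the NetBIOS-only filter is not enough: 139 is blocked, but UDP/135 and TCP/445 still reach the host, and with Messenger Service running either one delivers a pop-up. The corrected filter closes all three paths while still allowing the unrelated connection, and disabling the service on the host stops delivery even if a filter rule is later removed, which is why both measures together are the safer choice.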