I have a Win98 PC which is apparently infected by a Realaudio trojan.
This PC resides on an internal subnet with a routable IP address, however,
it is protected by incoming filters on a Cisco router.
Whenever I turn the PC on our router logs attempts to reach it from
various addresses on a real.com subnet (ARIN:PROGNET-REAL,
207.188.0.0-207.188.31.255). I simply turn the system on, with nothing
running and nothing in the start menu, and realnetworks will try to
contact it. This might be understandable if the system were running
realaudio or perhaps even Netscape or IE but it isn't running anything,
yet the packets all come from source port 80 apparently masquerading as
HTTP.
I suspect it is sending out some sort of packets to initiate this traffic
but have not yet tracked down the offending packets. A virus scanner also
found no known viruses.
Is anyone familiar with this? I suspect some realaudio database
attempting to gather data without my knowledge or consent but would
like to find out if this is a known hack before sniffing it out.
Thanks in advance,
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
