Tweet
MSBlast virus, or something else?
A few minutes ago I noticed that my cable modems activity light was lit solid (normally it blinks off at least occasionally.) I checked my network activity and found about 3 kilobyte/sec worth of inbound packets on my system. Loaded up Ethereal (a free packet analyzer) and it confirmed my suspicions... 100% ARP requests.
-
-
if you've got msblast.exe running as a process in task manager then you've got the worm! -
Hehe, I mean "I wonder if this is a side effect of msblast and/or another virus on OTHER systems?" I'm running Win98 SE and my system's clean. Just was wondering if anyone had any idea why there'd be a sudden significant increase in ARP traffic.Comment
-
From what I've seen, MSBlast can affect other systems.
We had it at work, but only 2 machines had it, but ot was effecting every XP system on the network.
It was sending out remote commands that restarted every XP rig on our network. The virus looks for open ports on similar IPs, and try to take them over.
It's very possible someone on your same ISP with a similar IP could be affecting you.
As long as you have run the patch, and are blocking that (those) port(s), you should be OK...Core2 Duo E7500 2.93, Asus P5Q Pro Turbo, 4gig 1066 DDR2, 1gig Asus ENGTS250, SB X-Fi Gamer ,WD Caviar Black 1tb, Plextor PX-880SA, Dual Samsung 2494sComment
-
THere is some sort of hoax/faked email going around on Comcast that tries to appear it is from them. SOme people have had to click on it. Maybe this is related?Comment
-
Probably was just bad HW or something misconfigured, after a short cable outage it fixed itself.Comment
-
JPI: Yes, I believe it's a worm side effect. It doesn't check (how could it?) the OS it's sending those packets to. So you're unaffected, mostly, just your usable downstream bandwidth is a little smaller
AZComment
-
Sorry to bother anyone, but what is ARP Traffic?Comment
-
Address Resolution Protocol. Basicly, the virus ridden computer checks for systems with an open port for whatever vulnerability the specific worm needs by randomly generating IP's. The ISP's routers see the packet going to x IP, but since they're random, it's not very likely it'll have every possible IP combo cached. It then broadcasts an ARP request asking in essence "Who is x?" If your system happens to be x, it responds with an ARP reply that tells the router your MAC ID so that it has the hardware address of your system.
The ARP traffic hitting my system has dropped down to less than 1 kilobyte/sec today, either the virus is dying out or they've done something to their network to help reduce the problem.Comment
Comment