Hoje, no meu trabalho, um usu\u00e1rio relatou que o acesso a sites pela sua m\u00e1quina estava muito lento. Verificando a m\u00e1quina (um notebook), constatei a lentid\u00e3o. Loguei na m\u00e1quina roteadora local e, com o tcpdump apontado para o IP do referido usu\u00e1rio, liguei o note. Resultado:<\/p>\n
17:00:29.928829 IP 172.20.6.101.2658 > 209.191.93.52.80: S 1594643053:1594643053(0) win 65535 <mss 1460,nop,nop,sackOK>
\n17:00:29.928993 IP 209.191.93.52.80 > 172.20.6.101.2658: S 316183073:316183073(0) ack 1594643054 win 5840 <mss 1460,nop,nop,sackOK>
\n17:00:29.929223 IP 172.20.6.101.2658 > 209.191.93.52.80: . ack 316183074 win 65535
\n17:00:29.940210 IP 172.20.6.101.2658 > 209.191.93.52.80: F 1594643054:1594643054(0) ack 316183074 win 65535
\n17:00:29.940480 IP 209.191.93.52.80 > 172.20.6.101.2658: F 316183074:316183074(0) ack 1594643055 win 5840
\n17:00:29.940711 IP 172.20.6.101.2658 > 209.191.93.52.80: . ack 316183075 win 65535
\n17:00:30.039752 IP 172.20.6.101.2660 > 209.191.93.52.80: S 3101095795:3101095795(0) win 65535 <mss 1460,nop,nop,sackOK>
\n17:00:30.039913 IP 209.191.93.52.80 > 172.20.6.101.2660: S 311045640:311045640(0) ack 3101095796 win 5840 <mss 1460,nop,nop,sackOK>
\n17:00:30.040127 IP 172.20.6.101.2660 > 209.191.93.52.80: . ack 311045641 win 65535
\n17:00:30.049620 IP 172.20.6.101.2660 > 209.191.93.52.80: F 3101095796:3101095796(0) ack 311045641 win 65535
\n17:00:30.049779 IP 209.191.93.52.80 > 172.20.6.101.2660: F 311045641:311045641(0) ack 3101095797 win 5840
\n17:00:30.049995 IP 172.20.6.101.2660 > 209.191.93.52.80: . ack 311045642 win 65535
\n17:00:30.144803 IP 172.20.6.101.2662 > 209.191.93.52.80: S 2211717516:2211717516(0) win 65535 <mss 1460,nop,nop,sackOK>
\n17:00:30.144964 IP 209.191.93.52.80 > 172.20.6.101.2662: S 313679525:313679525(0) ack 2211717517 win 5840 <mss 1460,nop,nop,sackOK>
\n17:00:30.145178 IP 172.20.6.101.2662 > 209.191.93.52.80: . ack 313679526 win 65535
\n17:00:30.155046 IP 172.20.6.101.2662 > 209.191.93.52.80: F 2211717517:2211717517(0) ack 313679526 win 65535
\n17:00:30.155207 IP 209.191.93.52.80 > 172.20.6.101.2662: . ack 2211717518 win 5840
\n17:00:30.171331 IP 209.191.93.52.80 > 172.20.6.101.2662: F 313679526:313679526(0) ack 2211717518 win 5840
\n17:00:30.171534 IP 172.20.6.101.2662 > 209.191.93.52.80: . ack 313679527 win 65535<\/p>\n
Eram cerca de 7.000 pacotes por minuto. E 209.191.93.52 faz parte do range do Yahoo!.<\/p>\n
Resolvi instalar o ZoneAlarm no notebook e o mesmo mostrou dois arquivos estranhos tentando acessar a Internet: avgexem.exe<\/strong><\/span> e avgexen.exe<\/span><\/strong>. Estes arquivos estavam localizados diretamente em C:\\Program File<\/strong><\/span>. File sem “s” no fim. Quando bloqueados, o note operou normalmente. Depois de um reboot, ao permitir o acesso dos dois execut\u00e1veis \u00e0 Internet, tudo come\u00e7ou novamente.<\/p>\n Depois de detectar o worm e remov\u00ea-lo (usei um Debian em um pendrive para apagar os arquivos), procurei algo no Google mas encontrei muito pouca coisa. A refer\u00eancia mais importante foi:<\/p>\n http:\/\/www.superantispyware.com\/malwarefiles\/AVGEXEM.EXE.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Hoje, no meu trabalho, um usu\u00e1rio relatou que o acesso a sites pela sua m\u00e1quina estava muito lento. Verificando a m\u00e1quina (um notebook), constatei a lentid\u00e3o. Loguei na m\u00e1quina roteadora local e, com o tcpdump apontado para o IP do referido usu\u00e1rio, liguei o note. Resultado: 17:00:29.928829 IP 172.20.6.101.2658 > 209.191.93.52.80: S 1594643053:1594643053(0) win 65535… Continue a ler »V\u00edrus chamando Yahoo!<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[34,4,5,11],"tags":[],"class_list":["post-232","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-rede","category-seguranca","category-sistema-operacional"],"_links":{"self":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/posts\/232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/comments?post=232"}],"version-history":[{"count":0,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/posts\/232\/revisions"}],"wp:attachment":[{"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/media?parent=232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/categories?post=232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eriberto.pro.br\/blog\/wp-json\/wp\/v2\/tags?post=232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}