winword outbound UDP

jreyes · Feb 11, 2008

Have been using info on forum for the last couple of weeks cleaning up from a case of vundo and downloader.gen-- think using all the information on the forum i think i'm finally clean. finally restored from an image from last august and updated info from there. norton subsequently cleaned up a couple of vestiges of downloader.

however, noticed that norton internet security 2008 has created a firewall rule for winword

rule description was to allow connection to 209.170.120.43 using udp 53
i don't recognize the ip address

since i'm new to the norton firewall, i'm not sure what this means. I changed rule to monitor the connection

i just fired up winword and it created a new rule to connect to
our company since i'm vpn'd to our company but the one above "209.170.120.43" is foreign to me and was generated when i wasn't logged into my vpn.

norton complete scans show nothing amiss that i can tell, unless something is getting by.

thoughts? is this normal. can winword.exe be used for malware?

Jesse

Corporal Punishment · Feb 11, 2008

The Norton firewall is a brand new installation? Or part of the resorted image? If it is old, than it could be a remnant from the other infection.

Also - are you sure it sauid prt 53 and not 152? I know word can send info to M$ on 152. Then again - That IP is in Sweden, so I'm guessing it is not Microsoft.

There is a Trojan is called mdropper which uses winword to get to explorer then uses port 53. Not quite the problem you have and Norton's should have picked it up if it is mdropper.

Here is some info and removal instructions on the topic: http://www.symantec.com/security_response/writeup.jsp?docid=2006-121311-5725-99&tabid=2

Poke around and see if those files are there – that could confirm or deny it.

I don’t know if you can do the same thing with winword – but perhaps since port 53 is the DNS port it could be used as a probe or even some sort of way to validate spam…. Just a guess.

Either way start here:
http://www.majorgeeks.com/Trojan_Remover_d903.html

You should get something like this:
http://www.majorgeeks.com/Netstat_Viewer_d2445.html
that will tell you what programs are using what ports.

Then grab this:
http://www.majorgeeks.com/Process_Explorer_d4566.html

It should help tell you what program might be calling winword for use.

jreyes · Feb 11, 2008

thanks so much for the quick reply.
I went through your comments. here is what i found

* this is a new install of norton, not a legacy, so should not be simply remnants of old installation

* definitely port 53 -- although the last few times i've booted up winword, it connected to my local isp -- verizon, or to my company via vpn. nothing else so far so maybe clear

* thanks for the info on mdropper --most helpful

symantec definitely hasn't flagged it and i've run a couple of system scans in the last few days.

I also went through your thread and couldn't find any instances of those files mentioned in the symantec article.

thanks again maybe i'm just paranoid.

anyone else have any ideas as to whether i'm clean and just paranoid

chaslang · Feb 13, 2008

Winword normally does not require network access so you could just block it in your firewall and forget about it.

However if you are worried about a possible infection, you can work thru the below.

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

Log in or Sign up

winword outbound UDP

jreyes Private E-2

Corporal Punishment Head of Software Shenanigans Staff Member

jreyes Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member