ViRobot

HAURI Security Column
How to check for a network virus -- 09/29/09

Written by Je Gyeong Jo, HAURI Virus Lab.

1. Purpose of a Network Virus

A network virus is created by malicious users (hackers) to infect as many PCs as possible. It tries to infect not only the first-infected PC but every PC in the same IP range, and it then uses the infected PCs to attack a particular server with DDoS traffic or to steal specific information from them.

2. Route of Infection

Generally, a user gets infected by running a particular file or connecting to a particular server. A network virus, however, does not need the user to do anything: it probes the network services a PC exposes and attacks them directly, so servers running HTTP, Telnet, SSH, FTP or SMB services are especially easy to infect.

[PIC 1] A virus that attacks all SMB services in the same IP range.

Network viruses have developed considerably in recent years. They locate target PCs precisely by using ARP (the Address Resolution Protocol, which maps an IP address to a MAC address on the local network; a burst of ARP requests covering a whole address range reveals which PCs are present), and they also infect and spread via portable storage devices. This has become one of the most threatening attack methods, and the flood of probe traffic is a common cause of slow Internet access.


[PIC 2] ARP packets checking which PCs exist

3. How to check for a Network Virus

If you suspect a network virus, you can check for it yourself in several ways, for example with a fix tool or a network monitoring program. Running every kind of fix tool is not practical, so using a network monitoring program and a Windows process monitoring tool first is recommended.

The most common network monitoring program is Wireshark (formerly named Ethereal); with it, every packet entering or leaving the PC's network interface can be inspected. However, when packets arrive in bulk or the network is unfamiliar, individual packets are hard to tell apart in Wireshark's packet list, so it is better to set a display filter that isolates the packets of interest.

Download : http://www.wireshark.org/download.html


[PIC3] Wireshark's main window and its display filters

The most common ports targeted by attacks are listed below.
- SMB Service (Windows file sharing): 445
- HTTP Service (WWW, web service): 80
- FTP Service (file transfer service): 20, 21
- TELNET Service (remote access service): 23
- SSH Service (encrypted remote login and file transfer): 22

There are other ports to watch, such as Terminal Service (3389) and database services (MySQL 3306, MSSQL 1433, Oracle 1521 for the database listener and 8080 for its XML DB HTTP listener), and you can check the network by filtering on each of these ports in turn. If many packets arrive at a port the PC does not use, or one PC keeps opening connections to the same port on many neighbouring PCs, it could be a network virus attack, and a scan with an anti-virus program is highly recommended.
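The two patterns described above, an ARP sweep of the local range (section 2) and one PC hammering the same service port on many neighbours (this section), are easy to spot once the capture is reduced to counts. The following Python script is an added example and is not code from the HAURI column; it builds a Wireshark display filter for the listed ports (`tcp.dstport` and `||` are real Wireshark filter syntax) and then applies the same two checks to a constructed, in-memory packet list that stands in for a capture. The record layout (`proto`, `src_mac`, `target_ip`, `src_ip`, `dst_ip`, `dst_port`, `flags`) and the thresholds are assumptions for the example, not a Wireshark or tshark format.

```python
"""Added example (not from the HAURI column): flag the two traffic patterns
the column describes, using constructed packet records instead of a live
Wireshark capture.

Each record is a small dict holding the fields a practitioner would read off
a Wireshark packet list.  The layout is an assumption for this example and
is not Wireshark's or tshark's data format."""

from collections import defaultdict

# Ports the column lists as the usual targets, used to build a display filter.
COMMON_ATTACK_PORTS = {445: "SMB", 80: "HTTP", 20: "FTP-data", 21: "FTP",
                       23: "Telnet", 22: "SSH", 3389: "RDP", 3306: "MySQL",
                       1433: "MSSQL", 1521: "Oracle"}


def wireshark_filter(ports):
    """Build a Wireshark display filter showing only TCP traffic to the given ports.

    'tcp.dstport' is the real Wireshark field name; the result can be pasted
    into the filter bar.  Sorted so the output is deterministic."""
    return " || ".join(f"tcp.dstport == {p}" for p in sorted(ports))


def find_arp_sweeps(packets, min_targets=16):
    """Return {source MAC: number of distinct IPs probed} for hosts that sent
    ARP requests for at least min_targets different addresses.

    One host asking for many addresses in a short capture is the host
    discovery the column attributes to network viruses; a normal PC asks
    only for the few peers it actually talks to."""
    targets = defaultdict(set)
    for p in packets:
        if p["proto"] == "arp" and p.get("op") == "request":
            targets[p["src_mac"]].add(p["target_ip"])
    return {mac: len(ips) for mac, ips in targets.items() if len(ips) >= min_targets}


def find_port_scanners(packets, port, min_hosts=8):
    """Return {source IP: number of distinct hosts} for sources that sent TCP
    SYNs (connection attempts) to `port` on at least min_hosts different hosts.

    With port=445 this is the 'attacks all SMB services in the same IP range'
    pattern; run it for each port in COMMON_ATTACK_PORTS to cover the list."""
    victims = defaultdict(set)
    for p in packets:
        if p["proto"] == "tcp" and p["dst_port"] == port and p.get("flags") == "S":
            victims[p["src_ip"]].add(p["dst_ip"])
    return {ip: len(hosts) for ip, hosts in victims.items() if len(hosts) >= min_hosts}


def constructed_capture():
    """Constructed sample: one infected host (192.168.1.50) sweeps the /24 with
    ARP and then tries SMB on 40 neighbours; two clean hosts browse the web."""
    pkts = []
    # ARP sweep: 192.168.1.50 asks for every address in the /24
    for last in range(1, 255):
        pkts.append({"proto": "arp", "op": "request",
                     "src_mac": "00:11:22:33:44:50", "target_ip": f"192.168.1.{last}"})
    # a clean host resolving its gateway once
    pkts.append({"proto": "arp", "op": "request",
                 "src_mac": "00:11:22:33:44:10", "target_ip": "192.168.1.1"})
    # SMB connection attempts from the infected host to 40 neighbours
    for last in range(1, 41):
        pkts.append({"proto": "tcp", "src_ip": "192.168.1.50",
                     "dst_ip": f"192.168.1.{last}", "dst_port": 445, "flags": "S"})
    # ordinary HTTP traffic from two clean hosts to one web server
    for src in ("192.168.1.10", "192.168.1.11"):
        for _ in range(5):
            pkts.append({"proto": "tcp", "src_ip": src, "dst_ip": "203.0.113.5",
                         "dst_port": 80, "flags": "S"})
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    print("filter:", wireshark_filter(COMMON_ATTACK_PORTS))
    print("ARP sweeps:", find_arp_sweeps(cap))
    print("SMB scanners:", find_port_scanners(cap, 445))
```

The counts are keyed on distinct targets rather than raw packet volume: a busy file server legitimately receives thousands of SMB packets from many clients, but a single client opening SMB to dozens of different hosts in the same range is the worm behaviour the column describes. The two clean hosts talking to one web server never cross the threshold, so they are not reported.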

You can also use TCPView to check the network. It can be downloaded from the Microsoft website, and it shows the ports currently in use in real time.
 
Download : http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx


[PIC4] General view of TCPView

TCPView shows each process together with the IP addresses and ports it is using, so the output is easy to analyse, and it can save the current network status to a file through the "File -> Save" menu. If you save the status of the PC while it is clean, an abnormal network status later on is much easier to recognise by comparing against that saved file. On a server the listing is long, so it is better to compare the two saved status files with WinMerge.

Download: http://winmerge.org/downloads/


[PIC5] Comparing network status with WinMerge
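The baseline comparison above can also be done in a script, which avoids the noise a line-by-line WinMerge diff produces when PIDs change after a reboot and client-side ports change on every connection. The following Python script is an added example, not code from the HAURI column or from TCPView; the saved listings it parses are constructed for the example in a simplified tab-separated layout (process, PID, protocol, local address:port, remote address:port, state), which is an assumption and not TCPView's exact file format. The process name `svhost.exe`, the port 6667 and the address 198.51.100.7 in the "current" snapshot are likewise constructed sample data.

```python
"""Added example (not from the HAURI column): compare a saved network-status
baseline from a clean PC against the current status, the way the column
suggests doing with TCPView's File -> Save and WinMerge, but keyed on what
matters instead of on whole lines.

The listing format is a constructed, simplified tab-separated layout
(process, PID, protocol, local address:port, remote address:port, state);
it is an assumption for this example and not TCPView's exact file format."""

from collections import namedtuple

Conn = namedtuple("Conn", "process pid proto local remote state")


def parse_listing(text):
    """Parse the simplified listing into Conn records, skipping blank and header lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Process"):
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"unexpected line: {line!r}")
        conns.append(Conn(*fields))
    return conns


def stable_key(c):
    """Reduce a connection to the parts that stay constant between snapshots.

    A raw line diff is noisy: PIDs change on every reboot and client-side
    ports are ephemeral.  What matters is which process listens on which
    local port, and which process talks to which remote address:port, so
    listening sockets are keyed on their local port and everything else on
    its remote endpoint."""
    if c.state == "LISTENING":
        return (c.process, c.proto, "listen", c.local.rsplit(":", 1)[1])
    return (c.process, c.proto, "remote", c.remote)


def compare(baseline_text, current_text):
    """Return (new, gone): keys only in the current snapshot, and keys only in the baseline."""
    base = {stable_key(c) for c in parse_listing(baseline_text)}
    cur = {stable_key(c) for c in parse_listing(current_text)}
    return sorted(cur - base), sorted(base - cur)


# Constructed baseline from a clean PC and a later snapshot of the same PC.
BASELINE = """Process\tPID\tProtocol\tLocal Address\tRemote Address\tState
System\t4\tTCP\t0.0.0.0:445\t0.0.0.0:0\tLISTENING
svchost.exe\t912\tTCP\t0.0.0.0:135\t0.0.0.0:0\tLISTENING
iexplore.exe\t2204\tTCP\t192.168.1.10:49152\t203.0.113.5:80\tESTABLISHED
"""

# Same PC later: svchost PID and the browser's client port have changed
# (harmless), and a look-alike process name has appeared on a new port.
CURRENT = """Process\tPID\tProtocol\tLocal Address\tRemote Address\tState
System\t4\tTCP\t0.0.0.0:445\t0.0.0.0:0\tLISTENING
svchost.exe\t1040\tTCP\t0.0.0.0:135\t0.0.0.0:0\tLISTENING
iexplore.exe\t3316\tTCP\t192.168.1.10:49201\t203.0.113.5:80\tESTABLISHED
svhost.exe\t3520\tTCP\t0.0.0.0:6667\t0.0.0.0:0\tLISTENING
svhost.exe\t3520\tTCP\t192.168.1.10:49210\t198.51.100.7:6667\tESTABLISHED
"""

if __name__ == "__main__":
    new, gone = compare(BASELINE, CURRENT)
    for k in new:
        print("NEW :", k)
    for k in gone:
        print("GONE:", k)
```

Only the two entries for the unfamiliar process are reported; the changed PID and client port in the legitimate entries produce nothing, which is exactly the noise a whole-line WinMerge comparison would show. Whatever the script reports is a starting point for the anti-virus scan the column recommends, not a verdict on its own.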

You can check for a network virus with the methods above, but viruses grow cleverer by the day and try many tricks, such as hiding themselves and blocking network status monitoring. Therefore you must stay aware of current virus issues and keep your anti-virus program updated to the latest engine version at all times.

Copyright 2008 @ HAURI Inc. All rights reserved.