Zombies, Compromised Win32 Systems
Lately, the zombie problem got worse on Galaxynet.Org. Perhaps some servers delinked due to the constant load stress from the zombies. Can't users install a decent antivirus and keep their system patches up-to-date?
Have unusual network activity? Time to check whether there is an unusual background process (Zombie) connecting to IRC. Typical IRC ports are 6661-6669 and 7000.
First, open a command prompt: press Windows + R and run command.com or cmd.
Try issuing the following command to find out whether there is an established connection to any server on port 6667.
netstat -an | find "ESTABLISHED" | find "6667"
If you want to be safe, repeat the command with 6667 replaced by each of the numbers from 6661 to 6669, and 7000. Example: netstat -an | find "ESTABLISHED" | find "6661"
There will be no reply if you have no connections to any IRC server. If there is a connection, the reply will look like TCP 210.24.209.1:1060 62.112.0.19:6667 ESTABLISHED. Notice that the reply states your computer's IP followed by a : and a number. Remember the number; you will need it. Then it is time to pinpoint the program.
Download Fport from Foundstone. Extract the program to a location. Run command prompt. With the number you noted, issue the next command: fport | find "1060". It should give you a reply, for example 1292 iGotHacked -> 1060 TCP C:\windows\iGotHacked.exe.
Then it is time to seek professional help in preventing the program from starting the next time you boot your PC.
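As an added example (not part of the original post), the Python script below parses netstat output and matches the remote port exactly against every IRC port listed above in one pass, which avoids the substring false positives a plain find can give (a remote port of 16667, or a local port of 6667). It assumes output from netstat -ano, where the -o switch adds the owning PID column; the sample text and the function names are constructed for illustration.

```python
# IRC ports named in the post: 6661-6669 and 7000.
IRC_PORTS = set(range(6661, 6670)) | {7000}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    210.24.209.1:1060      62.112.0.19:6667       ESTABLISHED     1292
  TCP    210.24.209.1:6667      198.51.100.7:51234     ESTABLISHED     640
  TCP    210.24.209.1:1071      203.0.113.9:16667      ESTABLISHED     2044
  TCP    210.24.209.1:1088      203.0.113.20:7000      TIME_WAIT       0
  TCP    210.24.209.1:1090      203.0.113.20:7000      ESTABLISHED     1292
"""


def port_of(endpoint):
    """Return the port from 'ip:port' (also handles '[v6addr]:port')."""
    return int(endpoint.rsplit(":", 1)[1])


def find_irc_connections(netstat_text, ports=IRC_PORTS):
    """List ESTABLISHED TCP connections whose *remote* port is an IRC port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: Proto, Local, Foreign, State, [PID]
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        try:
            local_port = port_of(fields[1])
            remote_port = port_of(fields[2])
        except (IndexError, ValueError):
            continue  # header or malformed line
        if remote_port in ports:
            has_pid = len(fields) > 4 and fields[4].isdigit()
            hits.append({
                "local_port": local_port,  # the number to look up with Fport
                "remote": fields[2],
                "pid": int(fields[4]) if has_pid else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_irc_connections(SAMPLE):
        print(hit)
```

To check a live system, save the output with netstat -ano > netstat.txt and pass the file's contents to find_irc_connections instead of SAMPLE.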