View Full Version : Have I been attacked? *Computer Help*
DEFYANT
02-19-2006, 09:27 PM
My virus security program just went off with this alert:
A computer with the IP address 204.15.76.242 sent information that is characteristic of the ICC Profile TagData Overflow attack.
Does anyone know about this?
EDIT:
I got this from the virus program site. It's all greek to me.
ICC Profile TagData Overflow
Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This signature detects a buffer overflow condition in icm32.dll, exploited by rendering a malicious image file.
Additional Information
A buffer overflow has been reported in the icm32.dll. If the image contains International Color Consortium (ICC) data, icm32.dll will be loaded to process it.
A buffer overrun vulnerability exists in the processing images that contains a large ICC tag data size for any of the following tag entry signatures:
1)rXYZ
2)bXYZ
3)gXYZ
The purpose of the International Color Consortium® (ICC) format is to provide a cross-platform device profile format. Such device profiles can be used to translate color data created on one device into another device's native color space. The acceptance of this format by operating system vendors allows end users to transparently move profiles and images with embedded profiles between different operating systems. For example, this allows a printer manufacturer to create a single profile for multiple operating systems.
Affected:
All Windows.
Response
Visit the Microsoft Security Bulletin Page for patches.
Possible False Positives
There are no known false positives associated with this signature.
Additional References
DEFYANT
02-19-2006, 09:35 PM
...and it seems that IP address is SVTperformance.com
AzMarauder
02-19-2006, 09:39 PM
...and it seems that IP address is SVTperformance.com
I tried that IP address in my browser and didn't get the SVT site...
Take some of that info you have in your previous post and search the Symantec site for it. Perhaps they will give you information about cleaning your computer.
MM03MOK
02-19-2006, 09:50 PM
<CODE>C:\>tracert 204.15.76.242</CODE>
<CODE>Tracing route to chickadees4thave.com [204.15.76.242]
over a maximum of 30 hops:</CODE>
<CODE>8 12 ms 11 ms 11 ms 12.118.88.9
9 20 ms 20 ms 20 ms tbr1-p012801.cb1ma.ip.att.net [12.123.40.210]
10 19 ms 19 ms 18 ms tbr2-cl16.n54ny.ip.att.net [12.122.10.22]
11 18 ms 18 ms 16 ms ggr2-p390.n54ny.ip.att.net [12.123.3.62]
12 24 ms 17 ms 17 ms dcr1-so-3-0-0.newyork.savvis.net [192.205.32.198]
13 35 ms 32 ms 24 ms bcs1-so-6-2-0.Washington.savvis.net [204.70.192.13]
14 41 ms 39 ms 36 ms dcr1-so-3-0-0.Atlanta.savvis.net [204.70.192.53]
</CODE><CODE>15 58 ms 56 ms 58 ms bcs1-so-1-3-0.Dallas.savvis.net [204.70.192.78]</CODE>
<CODE></CODE><CODE>16 87 ms 88 ms 87 ms dcr2-so-2-0-0.LosAngeles.savvis.net [204.70.192.86]</CODE>
<CODE>17 89 ms 111 ms 87 ms aer1-vlan-100.losangeles.savvis.net [208.172.47.12]
18 95 ms 88 ms 89 ms gige-savvis.multacom.com [208.174.194.54]
19 93 ms 90 ms 97 ms chickadees4thave.com [204.15.76.242]</CODE>
<CODE>Trace complete.</CODE>
MM03MOK
02-19-2006, 09:53 PM
query from dns.consumer.net to get an authoritative nameserver
DNS query for 204.15.76.242 failed: Queried domain does not exist
whois whois.arin.net 204.15.76.242:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'substringcount'/default.asp, line 147
Here's a cool website to check stuff like this.
http://network-tools.com/
</PRE>
TripleTransAm
02-19-2006, 10:25 PM
A computer with the IP address 204.15.76.242 sent information that is characteristic of the ICC Profile TagData Overflow attack.
It's Chuck Norris, and he's taken a computer class! It's his new high tech e-roundhouse kick.
Sorry, I had to.
DEFYANT
02-19-2006, 10:38 PM
It's Chuck Norris, and he's taken a computer class! It's his new high tech e-roundhouse kick.
Sorry, I had to.
Yo, Chuck Norris:
http://24.163.136.99/web/Folder001/G-LOCK-HI-SPEED.gif
http://24.163.136.99/web/Folder001/G-LOCK-HI-SPEED.gif
Sorry, I had to.
TripleTransAm
02-19-2006, 10:44 PM
Wow, that's a cool GIF!
Seriously: so icm32.dll overflows... does anyone know how this can pose a security risk for a computer? Is it the overflow itself that kills other security mechanisms or is there something some other activity that happens along with the overflow?
Edit: some online sites reference a solution to this overflow with the following:
"Apply the patch referenced in the Microsoft Bulletin MS05-036"
DEFYANT
02-19-2006, 10:48 PM
...and to my knowledge, I was not downloading anything intentionaly. This just popped up...
DefyantExWife
02-20-2006, 06:38 AM
I will forward you information from my Computer Geek regarding keeping your computer healthy and diagnostic and remedial tools.
Wow... did I just say all that ? Sounded so smart. :rolleyes:
DefyantExWife
02-20-2006, 06:43 AM
I'm posting this publically for others benefit. These programs have worked for me, been running smoothly the last year with them.
use adaware, spybot, then a-squared. the first two are easy to find...
adaware is here: http://www.lavasoft.de/
spybot is here: http://www.safer-networking.org/en/index.html
a-squared free is here: http://www.emsisoft.com/en/software/free/
also get and install AVG antivirus if you dont have it already: http://free.grisoft.com (http://free.grisoft.com/)
ckadiddle
02-20-2006, 08:49 AM
Defyant,
If you have a high speed internet connection such as DSL or Cable modem and do not have a hardware firewall in place yet, you should. I have a couple wired router/firewalls in a drawer somewhere that I don't need since upgrading to wireless. Send me a PM if you want one and I'll ship it to ya no charge.
fastblackmerc
02-20-2006, 09:07 AM
Use either a hardwired firewall or a software firewall. I use ZoneAlarm.
DEFYANT
02-20-2006, 09:36 AM
I have a good system in place that has kept us running safely for several years. This alert I got was my internet condom doing its job, so to speak. :D
Its information interpretation where I get lost sometimes. :lol:
magindat
02-20-2006, 10:09 AM
Make sure you are running on XP service pac 2. Go to start > run. Type winmsd. Get the version. SP2 has a built in firewall. Make sure auto updates are turned on. Go to windows update. Choose express update. Get up to date. This vulnerability was recently addressed by Microsoft. It's a 'spoof' using .jpg files to exploit an open hole in windows. Easy to prevent.
Good Luck
jawz101
02-20-2006, 10:25 AM
I'm a big fan of Windows XPsp2 since it at least has inbound firewall protectiong and Microsoft's newer Microsoft's update site rather than the normal Windows Update sight since it updates all Microsoft products you have http://update.microsoft.com/microsoftupdate
It sounds like whatever Internet security/Antivirus software you have is at least doing it's job in detecting the problem. I'd at least try downloading there latest AV signature updates. AVG is a good free antivirus as someone mentioned earlier but I'd keep whatever you've got right now. I really don't think a spyware app is going to find this because it seems more like a browser security issue but it would be good to try it. I'd also suggest Microsoft's newer Windows Defender (http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&DisplayLang=en) app if you do have Windows XP.
Other free app you can try is PeerGuardian (http://sourceforge.net/projects/peerguardian)or B.I.S.S. Protowall (http://www.bluetack.co.uk/modules.php?name=Downloads&d_op=viewdownload&cid=5) (protowall used in conjunction w/ their Blocklist Manager is a good combo). One thing firewall apps typically don't include (at least not switched on) is IP blocking rules and these apps catalog aggressive sources for attacks (as well as govt/mil/malware hosts). They are mainly popular for people that use filesharing apps but can also block random http:// requests or anyone trying to talk to your computer. They don't use much of your computer resources but really show you the good and bad traffic trying to hit your computer. Those or a free hardware/software firewall are always good choices.
-I'd always take a free hardware firewall if a member is offering it to you:)
I wouldn't be concerened about the overflow msgs and all but then you said it's trying to talk back IP address - that's kinda the most important part. I'd think it's more a Trojan virus that maybe trying to use your computer to host for a Denial of Svc attack with a bunch of other computers or something.
jawz101
02-20-2006, 10:32 AM
ew- I just looked up that IP on http://dshield.org - the results (http://www.dshield.org/warning_explanation.php?fip=20 4.15.76.242&Submit=Submit).
Nice little site by the way. A community driven site where firewall admins send their logs to find mailicious IP addresses.
I'd definitely suggest PeerGuardian or Protowall since they block inbound/outbound connections at least while your trying to clear up this problem.
Powered by vBulletin® Version 4.2.5 Copyright © 2024 vBulletin Solutions Inc. All rights reserved.