<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule"	>
<channel>
	<title>Comments on: Did Mandiant&#8217;s Audit Viewer find something in Conficker?</title>
	<atom:link href="http://www.cutawaysecurity.com/blog/archives/508/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cutawaysecurity.com/blog/archives/508</link>
	<description>Cutaway's Observations, Opinions, Rants, Raves, Tantrums, and Tirades</description>
	<lastBuildDate>Tue, 16 Feb 2010 06:48:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: cutaway</title>
		<link>http://www.cutawaysecurity.com/blog/archives/508/comment-page-1#comment-31100</link>
		<dc:creator>cutaway</dc:creator>
		<pubDate>Wed, 04 Mar 2009 02:32:49 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/?p=508#comment-31100</guid>
		<description>@Dimiter,

  Yes, Audit Viewer did show several instances of svchost running, each one different and all of them legitimate processes. Audit Viewer parses the memory associated with each of these processes separately. Although I cannot confirm there is no bleed-over, I don&#039;t imagine there could be. The beauty of parsing memory is that you see what is actually occurring with the process. In this case, all of this information is associated with the malicious process, which is why I am raising these questions.

   As to sending a sample of the malware to VirusTotal, doing so might not have actually helped in this instance. Conficker.C was only out for a short time; actually, when we started working on our project the new variant had just been documented by SRI as Conficker.B++, and there was no telling when the signatures to tell the difference would be available to VirusTotal, as nobody was indicating a new variant in their virus databases. Submitting the sample might have identified it, but we decided to rely on the presence (or lack thereof) of specific artifacts associated with the newer version of the malware. Knowing how to look for specific artifacts associated with malware is critical for an incident responder. VirusTotal, although useful, should not be the only means utilized to identify and distinguish malware or their variants.

Don</description>
		<content:encoded><![CDATA[<p>@Dimiter,</p>
<p>Yes, Audit Viewer did show several instances of svchost running, each one different and all of them legitimate processes. Audit Viewer parses the memory associated with each of these processes separately. Although I cannot confirm there is no bleed-over, I don&#8217;t imagine there could be. The beauty of parsing memory is that you see what is actually occurring with the process. In this case, all of this information is associated with the malicious process, which is why I am raising these questions.</p>
<p>As to sending a sample of the malware to VirusTotal, doing so might not have actually helped in this instance. Conficker.C was only out for a short time; actually, when we started working on our project the new variant had just been documented by SRI as Conficker.B++, and there was no telling when the signatures to tell the difference would be available to VirusTotal, as nobody was indicating a new variant in their virus databases. Submitting the sample might have identified it, but we decided to rely on the presence (or lack thereof) of specific artifacts associated with the newer version of the malware. Knowing how to look for specific artifacts associated with malware is critical for an incident responder. VirusTotal, although useful, should not be the only means utilized to identify and distinguish malware or their variants.</p>
<p>Don</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dimiter</title>
		<link>http://www.cutawaysecurity.com/blog/archives/508/comment-page-1#comment-31099</link>
		<dc:creator>Dimiter</dc:creator>
		<pubDate>Tue, 03 Mar 2009 22:25:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/?p=508#comment-31099</guid>
		<description>There are lots of services hosted by the svchost process. The file index.dat is most probably opened by some other service.
Port 1033 is called netinfo. 
If you happen to get the sample run it through virustotal.com - I bet you&#039;ll see that it&#039;s not a new variant.

Regards,
Dimiter</description>
		<content:encoded><![CDATA[<p>There are lots of services hosted by the svchost process. The file index.dat is most probably opened by some other service.<br />
Port 1033 is called netinfo.<br />
If you happen to get the sample run it through virustotal.com &#8211; I bet you&#8217;ll see that it&#8217;s not a new variant.</p>
<p>Regards,<br />
Dimiter</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: cutaway</title>
		<link>http://www.cutawaysecurity.com/blog/archives/508/comment-page-1#comment-31098</link>
		<dc:creator>cutaway</dc:creator>
		<pubDate>Tue, 03 Mar 2009 22:14:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/?p=508#comment-31098</guid>
		<description>@ juano,

No, we weren&#039;t actually looking for anything other than verifying consistent system artifacts to distinguish between Conficker.B and Conficker.C. My analysis stopped once I made that determination and I moved on to other tasks. So, I was not able to follow up on this port to verify or see what it did upon connection.

What tools would you recommend to perform the RPC enumeration on this port?

Don</description>
		<content:encoded><![CDATA[<p>@ juano,</p>
<p>No, we weren&#8217;t actually looking for anything other than verifying consistent system artifacts to distinguish between Conficker.B and Conficker.C. My analysis stopped once I made that determination and I moved on to other tasks. So, I was not able to follow up on this port to verify or see what it did upon connection.</p>
<p>What tools would you recommend to perform the RPC enumeration on this port?</p>
<p>Don</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: juano</title>
		<link>http://www.cutawaysecurity.com/blog/archives/508/comment-page-1#comment-31097</link>
		<dc:creator>juano</dc:creator>
		<pubDate>Tue, 03 Mar 2009 21:46:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/?p=508#comment-31097</guid>
		<description>It looks like a DCE RPC port from another service. Did you check the port with some RPC enumerator?</description>
		<content:encoded><![CDATA[<p>It looks like a DCE RPC port from another service. Did you check the port with some RPC enumerator?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: cutaway</title>
		<link>http://www.cutawaysecurity.com/blog/archives/508/comment-page-1#comment-31096</link>
		<dc:creator>cutaway</dc:creator>
		<pubDate>Tue, 03 Mar 2009 17:23:20 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/?p=508#comment-31096</guid>
		<description>@olle

Yes, you could be correct, but I am not certain. What really concerns me, and perhaps I did not express it in the post, is that the netstat command should have shown 1484 LISTENING on that port. This means that some part of the operating system is hiding that port from commands and tools. Although I am not going to say that it is rootkit-type behavior, it is starting to look a little more like it.

Don</description>
		<content:encoded><![CDATA[<p>@olle</p>
<p>Yes, you could be correct, but I am not certain. What really concerns me, and perhaps I did not express it in the post, is that the netstat command should have shown 1484 LISTENING on that port. This means that some part of the operating system is hiding that port from commands and tools. Although I am not going to say that it is rootkit-type behavior, it is starting to look a little more like it.</p>
<p>Don</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: olle</title>
		<link>http://www.cutawaysecurity.com/blog/archives/508/comment-page-1#comment-31094</link>
		<dc:creator>olle</dc:creator>
		<pubDate>Tue, 03 Mar 2009 11:10:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.cutawaysecurity.com/blog/?p=508#comment-31094</guid>
		<description>Couldn&#039;t the port be associated with one of the other services co-existing in the svchost process?</description>
		<content:encoded><![CDATA[<p>Couldn&#8217;t the port be associated with one of the other services co-existing in the svchost process?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
