Morgan Ohlson
I raised the security level some weeks ago. Therefore I don't really know what's
normal and what isn't.
When Firefox reaches a new site it is sometimes recorded (warning) that a DLL
is changed. It can look like the copy below. Is that a normal DLL change or
something fixed by malware? (see below)
Morgan O.
----------------------------------------------------------
The new DLLs have been loaded:
C:\PROGRAM\JAVA\JRE1.5.0_04\BIN\NET.DLL
To disable DLL Authentication go to the security tab under the Tools,
Options menu.
File Version : 1.0.6.0
File Description : Firefox
File Path : D:\Program\Firefox\firefox.exe
Process ID : 0xFFF33335 (Heximal) 4294128437 (Decimal)
Connection origin : local initiated
Protocol : TCP
Local Address : 83.248.52.34
Local Port : 3506
Remote Name : www.comhem.se
Remote Address : 194.237.212.165
Remote Port : 80 (HTTP - World Wide Web)
Ethernet packet details:
Ethernet II (Packet Length: 56)
Destination: 00-0f-90-27-75-ce
Source: 00-50-fc-69-9d-ee
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x28e3 (Correct)
Source: 83.248.52.34
Destination: 194.237.212.165
Transmission Control Protocol (TCP)
Source port: 3506
Destination port: 80
Sequence number: 244993017
Acknowledgment number: 3830526872
Header length: 20
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...1 = Fin: Set
Checksum: 0x3eef (Correct)
Data (0 Bytes)
Binary dump of the packet:
0000: 00 0F 90 27 75 CE 00 50 : FC 69 9D EE 08 00 45 00 | ...'u..P.i....E.
0010: 00 28 F7 F9 40 00 80 06 : E3 28 53 F8 34 22 C2 ED | .(..@....(S.4"..
0020: D4 A5 0D B2 00 50 0E 9A : 4B F9 E4 51 33 98 50 11 | .....P..K..Q3.P.
0030: 20 68 EF 3E 00 00 69 76 : | h.>..iv
---------------------------------------------- end
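The firewall's decoded fields can be checked against the raw bytes it logged. The following is an added example, not code from the original post or from the firewall product; it takes the hex dump above as its only input, assumes it is the complete Ethernet II frame as captured, and uses only the Python standard library.

```python
import struct

# The 56-byte frame transcribed from the firewall's "Binary dump" above.
FRAME_HEX = (
    "00 0F 90 27 75 CE 00 50 FC 69 9D EE 08 00 45 00 "
    "00 28 F7 F9 40 00 80 06 E3 28 53 F8 34 22 C2 ED "
    "D4 A5 0D B2 00 50 0E 9A 4B F9 E4 51 33 98 50 11 "
    "20 68 EF 3E 00 00 69 76"
)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: sum 16-bit big-endian words, fold carries, complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers and verify both checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, ip_csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]  # bytes after total_len (here "69 76") are Ethernet padding, not TCP
    sport, dport, seq, ack, off_flags, _window, tcp_csum = struct.unpack("!HHIIHHH", tcp[:18])
    flag_names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
    flags = [n for i, n in enumerate(flag_names) if off_flags & (1 << i)]
    # Recomputing over the header with its checksum field zeroed must reproduce the wire value.
    ip_hdr_zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))  # TCP pseudo-header
    tcp_zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return {
        "src_ip": src, "dst_ip": dst, "ttl": ttl, "dont_fragment": bool(flags_frag & 0x4000),
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": flags,
        "ip_checksum": ip_csum, "ip_checksum_ok": ones_complement_sum(ip_hdr_zeroed) == ip_csum,
        "tcp_checksum": tcp_csum, "tcp_checksum_ok": ones_complement_sum(pseudo + tcp_zeroed) == tcp_csum,
    }


if __name__ == "__main__":
    for key, value in parse_frame(bytes.fromhex(FRAME_HEX)).items():
        print(f"{key}: {value:#06x}" if key.endswith("checksum") else f"{key}: {value}")
```

Both checksums verify in network byte order (0xE328 and 0xEF3E); the firewall prints them byte-swapped as 0x28e3 and 0x3eef, so its "Correct" verdicts hold. The frame is a bare FIN/ACK with no payload, consistent with the decoded "Data (0 Bytes)".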