DLL changes - normal or malware driven?



I raised the security level some weeks ago. Therefore I don't really know what's
normal and what isn't.

When Firefox reaches a new site, it is sometimes recorded (warning) that a DLL
is changed. It can look like the copy below. Is that a normal DLL change or
something fixed by malware? (see below)

Morgan O.
----------------------------------------------------------

The new DLLs have been loaded:
C:\PROGRAM\JAVA\JRE1.5.0_04\BIN\NET.DLL

To disable DLL Authentication go to the security tab under the Tools,
Options menu.

File Version : 1.0.6.0
File Description : Firefox
File Path : D:\Program\Firefox\firefox.exe
Process ID : 0xFFF33335 (Heximal) 4294128437 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 83.248.52.34
Local Port : 3506
Remote Name : www.comhem.se
Remote Address : 194.237.212.165
Remote Port : 80 (HTTP - World Wide Web)

Ethernet packet details:
Ethernet II (Packet Length: 56)
Destination: 00-0f-90-27-75-ce
Source: 00-50-fc-69-9d-ee
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 128
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x28e3 (Correct)
Source: 83.248.52.34
Destination: 194.237.212.165
Transmission Control Protocol (TCP)
Source port: 3506
Destination port: 80
Sequence number: 244993017
Acknowledgment number: 3830526872
Header length: 20
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...1 = Fin: Set
Checksum: 0x3eef (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 0F 90 27 75 CE 00 50 : FC 69 9D EE 08 00 45 00 | ...'u..P.i....E.
0010: 00 28 F7 F9 40 00 80 06 : E3 28 53 F8 34 22 C2 ED | .(..@....(S.4"..
0020: D4 A5 0D B2 00 50 0E 9A : 4B F9 E4 51 33 98 50 11 | .....P..K..Q3.P.
0030: 20 68 EF 3E 00 00 69 76 : | h.>..iv
---------------------------------------------- end