Sunday, November 27, 2005

wormed!

This is how I found out that I got wormed!
I'm not very sure what worm but I'm roughly guessing that it's Sasser. Sigh.. a day after setting up my PC back and running auto-update and my boxen is infected by Sasser. I'm running Windows XP Pro with Service Pack 2 btw.

The Good and the Bad
The good thing about Service Pack 2 is that there is now a limit on the number of concurrent outbound TCP connection attempts a machine can make. While this totally sucks for P2P, it is good for stopping mass-broadcasting worms/viruses/spyware from trying to infect every other machine on your network, keeping the spread to a minimum.

Symptoms
My machine would behave normally for a few seconds after XP started and be totally fucked up seconds after.. I couldn't get any web traffic, so the first thing I suspected was TMNET sucking again. So I tried to access my router's web GUI to reconnect to the ISP and found that I wasn't able to, or half the time the response was very, very slow.

My NIC (Network Interface Card) fucking up? Checked the event log and found no hardware errors registered, but something caught my eye instantly. An error saying "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts".. hmm, suspicious, suspicious...

Somehow I managed to get into my router's web GUI a few seconds after a reboot and I saw in the outbound traffic log a lot of traffic to port 445 on arbitrary IP addresses on my local network. Just random IP addresses in the 192.168.xxx.xxx range.. where have I seen this before?

My heart immediately screams "Worm broadcasting packets!".. ok, then we'll have to clean that up. Load up that antivirus!
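The tell-tale pattern in the router log above (one LAN host hammering port 445 on lots of random 192.168.x.x addresses in a few seconds) is easy to pick out automatically. The script below is an added example, not code from this post or from any router vendor: it parses a constructed outbound-traffic log whose line format is assumed, and flags a source as a worm-style scanner when it hits port 445 on many distinct LAN hosts within a short window. A host that opens many connections to the same file server on 445 is deliberately left alone, since that is normal SMB use. The thresholds (`min_targets`, `window_seconds`) are assumptions to tune for your own network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample router "outbound traffic" log. The line format is an
# assumption for this example, not the author's actual router output.
SAMPLE_LOG = "\n".join(
    # 192.168.1.10: the infected box spraying SYNs at random LAN addresses on 445
    [f"2005-11-27 08:01:0{i % 10} OUT src=192.168.1.10:{1040 + i} "
     f"dst=192.168.{(i * 37) % 256}.{(i * 91) % 256 + 1}:445 proto=TCP"
     for i in range(12)]
    # 192.168.1.12: a clean box talking to one file server on 445 (normal SMB)
    + [f"2005-11-27 08:01:0{i} OUT src=192.168.1.12:{3300 + i} "
       f"dst=192.168.1.5:445 proto=TCP" for i in range(10)]
    # ... and browsing the web
    + ["2005-11-27 08:01:03 OUT src=192.168.1.12:3310 dst=203.0.113.10:80 proto=TCP"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return events


def is_lan(ip):
    # The post's network is 192.168.0.0/16; adjust for your own LAN.
    return ip.startswith("192.168.")


def find_scanners(events, port=445, min_targets=8, window_seconds=10):
    """Return {src: distinct_target_count} for sources that contacted `port`
    on at least `min_targets` DISTINCT LAN hosts inside any `window_seconds`
    sliding window. Many hits on the same host don't count as scanning."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == port and is_lan(e["dst"]):
            by_src[e["src"]].append((e["ts"], e["dst"]))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological
        for i, (t0, _) in enumerate(hits):
            targets = set()
            for t, dst in hits[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                targets.add(dst)
            if len(targets) >= min_targets:
                alerts[src] = len(targets)
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, n in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} hit port 445 on {n} distinct LAN hosts - worm-like scanning")
```

Run it against a real export of your router's outbound log (after adjusting `LINE_RE` to its format) and the infected machine shows up immediately, which is a lot faster than waiting for the SP2 connection-limit error to appear in the event log of each box.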

Next step
It was about time for me to head to the office and I didn't have enough time to launch a full AVG system scan. I'll do it tonight and continue this post with my findings.

- to be continued -
