# Legitimate or hack attempt on SAVRoam.exe?



## webtech (Jun 20, 2005)

I've been getting a couple of weird remote connections to SAVroam.exe on various ports in the last few days. (Symantec Antivirus Roaming)
I cannot figure out if this is legitimate traffic or trojans. From what I could gather it is the latter...I don't like traffic from Beijing...

After I blocked the first attempt (from 222.136.251.113), I got another one from an IP in the same range (222.189.38.30). I then decided to block the whole range (inetnum). That didn't help much, as I got another one...from 61.152.158.111. Here are some details of the last "attack".

ZoneAlarm alert:

*SAVRoam wants to accept connections from the Internet or your local network*

Program Name SAVRoam
Filename SavRoam.exe
Program Version 9.0.3.1000
Program Size 153416
Program MD5 4189f954fd79b7a0034e218f879d17a3
Date Modified Dec-30-2004 02:19:36 PM
Connect Type Server
Local Port 59009
Remote IP Address 61.152.158.111
Alert Date Jun-19-2005 03:18:42 PM PDT

Whois Information

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 61.152.156.0 - 61.152.159.255
netname: SHANGHAI-GLOBAL-NET
descr: Shanghai Global Network Co., Ltd.
...

I removed the trojan - TrojanDownloader.Small.my - today; I don't know if there is any connection...
I also posted more details in my blog about this incident.

Thanks in advance


----------
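The triage the first post is doing by hand (read the ZoneAlarm alert, look up the remote IP's whois range, decide whether it was already covered by the earlier block, turn the new inetnum into something a firewall accepts) is worth scripting, because whois hands back a first-last range while firewall rules want CIDR blocks, and a range from one allocation tells you nothing about the next. The example below is added here and is not code from the thread or from Symantec/ZoneAlarm; the alert and whois text are constructed copies of what the post shows, and the "already blocked" list (222.128.0.0/10) is a hypothetical stand-in for the range the poster says he blocked, since the thread does not give its exact bounds.

```python
import ipaddress
import re

# Constructed sample input: the ZoneAlarm alert fields exactly as posted above.
ALERT = """\
Program Name SAVRoam
Filename SavRoam.exe
Program Version 9.0.3.1000
Program Size 153416
Program MD5 4189f954fd79b7a0034e218f879d17a3
Date Modified Dec-30-2004 02:19:36 PM
Connect Type Server
Local Port 59009
Remote IP Address 61.152.158.111
Alert Date Jun-19-2005 03:18:42 PM PDT
"""

# Constructed sample input: the APNIC whois excerpt from the post.
WHOIS = """\
inetnum: 61.152.156.0 - 61.152.159.255
netname: SHANGHAI-GLOBAL-NET
descr: Shanghai Global Network Co., Ltd.
"""

# Hypothetical: a CIDR covering the 222.x range the poster says he blocked earlier.
# The thread does not give the exact inetnum, so this is an assumption.
ALREADY_BLOCKED = ["222.128.0.0/10"]

# Field names ZoneAlarm prints in its alert; the rest of the line is the value.
ALERT_KEYS = ("Program Name", "Filename", "Program Version", "Program Size",
              "Program MD5", "Date Modified", "Connect Type", "Local Port",
              "Remote IP Address", "Alert Date")


def parse_alert(text):
    """Turn the 'Key value' lines of a ZoneAlarm alert into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        for key in ALERT_KEYS:
            if line.startswith(key + " "):
                fields[key] = line[len(key) + 1:].strip()
                break
    return fields


def parse_inetnum(text):
    """Return (first, last) as strings from an 'inetnum: a - b' whois line."""
    m = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no inetnum line in whois output")
    return m.group(1), m.group(2)


def inetnum_to_cidrs(first, last):
    """Whois gives a first-last range; firewalls want CIDR blocks, so summarize it.
    A range that is not aligned on a power of two comes back as several blocks."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def is_blocked(ip, blocked_cidrs):
    """True if ip falls inside any of the CIDRs already on the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in blocked_cidrs)


def triage(alert_text, whois_text, blocked_cidrs):
    """Answer the questions the poster is asking: was this inbound, on what port,
    from where, was the source already covered, and what should be blocked now."""
    alert = parse_alert(alert_text)
    remote = alert["Remote IP Address"]
    first, last = parse_inetnum(whois_text)
    addr = ipaddress.ip_address(remote)
    return {
        "program": alert.get("Filename"),
        "md5": alert.get("Program MD5"),
        "remote_ip": remote,
        "inbound": alert.get("Connect Type") == "Server",   # 'Server' = accepting a connection
        "local_port": int(alert["Local Port"]),
        "already_blocked": is_blocked(remote, blocked_cidrs),
        "in_whois_range": ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last),
        "cidrs_to_block": inetnum_to_cidrs(first, last),
    }


if __name__ == "__main__":
    for key, value in triage(ALERT, WHOIS, ALREADY_BLOCKED).items():
        print(f"{key}: {value}")
```

Run as-is it reports that the alert is an inbound accept on local port 59009 from 61.152.158.111, that the address is not inside the earlier 222.x block (which is why blocking that inetnum "didn't help"), and that the Shanghai allocation collapses to the single block 61.152.156.0/22. The MD5 the alert prints is only useful if compared against a clean copy of SavRoam.exe of the same version; the script carries it through but cannot judge it offline.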



## Terrister (Apr 18, 2005)

Savroam appears to be a legit file. It is part of Norton Antivirus. 

It is odd it is trying to talk to a computer in China. I would do an online virus scan to make sure you are virus free. Norton has missed some viruses that some of the others can find and clean. Please try the Trend Micro virus scan below in my sig. It is free and can find any viruses Norton may have missed. Also a Spybot and Ad-aware scan would be a good idea. The downloader trojan downloads viruses and spyware into infected systems.


----------



## johnwill (Sep 26, 2002)

I'd suspect something has been compromised if it's trying to contact unknown websites, that's certainly not normal.


----------



## webtech (Jun 20, 2005)

*Found more trojans*

Hi

Thanks for your replies. I did another spyware and virus scan as suggested.
Below are my reports. Haven't had another alert since then.
Seems the culprit was one of these viruses/trojans.
Ewido is very good, it just takes very long on a full scan (3.5 hours!).

I still need to block my open ports; I have my doubts about ZoneAlarm...

*Activescan Report:*

| Incident | Status | Location |
|---|---|---|
| Adware:Adware/Gator | No disinfected | Windows Registry |
| Adware:Adware/MyWay | No disinfected | C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL |
| Adware:Adware/FlashTrack | No disinfected | C:\PROGRA~1\FlashGet\jccatch.dll |
| Adware:Adware/WUpd | No disinfected | Windows Registry |
| Virus:VBS/Redlof.A | No disinfected | C:\downloads\TM Templates\4751.rar[FOLDER.HTT] |

*Ewido Report:*

+ Scan result:
C:\ACE Mega CoDecS Pack\gain.exe -> Spyware.Gator -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{FA3BC0F6-D76E-4DC9-8FC1-B541E7B76885}\RP112\A0062818.exe -> TrojanDownloader.Dyfuca.dx -> Cleaned with backup
C:\System Volume Information\_restore{FA3BC0F6-D76E-4DC9-8FC1-B541E7B76885}\RP112\A0062819.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\System Volume Information\_restore{FA3BC0F6-D76E-4DC9-8FC1-B541E7B76885}\RP112\A0062823.exe -> Spyware.WinAD -> Cleaned with backup
C:\System Volume Information\_restore{FA3BC0F6-D76E-4DC9-8FC1-B541E7B76885}\RP112\A0062824.exe -> Spyware.WinAD -> Cleaned with backup
C:\System Volume Information\_restore{FA3BC0F6-D76E-4DC9-8FC1-B541E7B76885}\RP112\A0062825.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD -> Cleaned with backup
C:\WINDOWS\system32\adv12.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\dload.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\gain.exe -> Spyware.Gator -> Cleaned with backup


----------



## Terrister (Apr 18, 2005)

Did this stop your computer talking to China?


----------



## webtech (Jun 20, 2005)

Yes, it looks like it. I haven't had any alerts so far related to Savroam.
Had some others though, which were probably port scans.

Think we can close this thread...

Thanks !

ps - here is $25 Webcash for your help. Hope you can use it @ Target or some store...I can't because I'm in South Africa.


----------

