Q: What caused these incoming PINGs? Worms/Viruses or Hackers? (Answered, 5 out of 5 stars, 0 Comments)
Question  
Subject: What caused these incoming PINGs? Worms/Viruses or Hackers?
Category: Computers > Security
Asked by: robbienewbie-ga
List Price: $10.00
Posted: 11 Sep 2002 10:27 PDT
Expires: 11 Oct 2002 10:27 PDT
Question ID: 63913
Background info:
My PC uses software firewalls, with protection level set to
medium-high (I'm paranoid). Connected to local campus network with
real IP. This campus network is hardware/router firewalled, so people
from 'outside' won't be able to scan our machines, but internal
machines can scan each other unless they are firewalled like me.

What happened:
This just started 1 or 2 days ago. When my PC was actively
accessing the Internet (especially when doing IRC chat), some
computers from my subnet started sending PING (ICMP) requests to me,
which weren't replied to because of my firewall. It's not from 1 or 2
computers, but comes from more than 20 different IP addresses. When I
stopped using the Internet (but stayed connected to the network), the PINGs
stopped.

These PINGs are not frequent enough, so I don't think it is a DDoS
attack. It's more like 1 PING for maybe every 2-3 minutes, but
every time it came from a different IP address within my subnet. I
scanned with GFI LanGuard, and they are usual machines running various
Windows versions.

My thinking is, someone (or something) in the network saw my traffic
and tried to enumerate me by sending PING Request with spoofed IP
sender. At first I was thinking that someone was able to put
backdoor/trojan on those IP addresses, yet my portscan results didn't
find something in common on those addresses. One interesting point is
that I have another PC connected to the same hub but belongs to
different subnet. This PC actively uses the Internet, yet no
incoming PINGs were detected.

So, my guess, maybe a worm infected one machine in that subnet, tried
to find shares/way to go to other PC in the subnet.

Now, what I want to ask is, what is that? I tried Virus Encyclopedias,
Google Search, Forums, etc and cannot find information about a
virus/trojan/worm that behaves like this. So, if someone would please
point me to the information. It can be as technical as possible, as
long as it explains at least the virus behavior (the PING-ing) and its
payload.

Request for Question Clarification by spot_tippybuttons-ga on 11 Sep 2002 14:34 PDT
Actually, there are a huge number of possibilities which may or may
not include viruses. A bit more information is needed before I can
provide you with a reliable answer.

First things first, does this happen only when you are logged in to
IRC (or shortly thereafter), or does it happen anytime, even if you
have not logged in to IRC? As well, are you connecting to a shared
campus IRC server, an external server, or are you running your own
hub? Odds are, the pings are IRC related. It is normal to get pings
from the IRC server and from other hosts logged into the same channel.

The packets could also be faulty idents depending on how your firewall
is set up.

Secondly, is your internet connection through an external connection?
(i.e. separate from your LAN connection). Your post made it seem like
it is.

If this is the case, you may want to try to get access to another PC
on the same subnet and use a packet sniffer to see if the incoming
ICMP packets are really from your subnet. It is trivial to spoof an IP
header, so the "pings" from other machines on your subnet may not
really be; they may actually be spoofed.
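The two checks discussed above (is the ping pattern a slow sweep from many distinct local hosts rather than a flood, and are the source addresses really the hosts they claim to be) can be scripted against a host-firewall log. The following is an added example, not code from the thread or from any product mentioned in it; the log line format, the subnet 10.1.2.0/24, the ARP/DHCP table and every address in it are constructed for illustration.

```python
"""
Triage of inbound ICMP echo requests recorded by a host firewall.

Added example, not part of the original Google Answers thread. The log
format, the subnet 10.1.2.0/24, the ARP table and all addresses below are
constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed log lines in an assumed "personal firewall" format:
# <date> <time> ICMP echo-request src=<ip> mac=<hw addr> dst=<ip> <action>
SAMPLE_LOG = """\
2002-09-11 10:27:03 ICMP echo-request src=10.1.2.34 mac=00:50:56:aa:00:34 dst=10.1.2.100 blocked
2002-09-11 10:29:41 ICMP echo-request src=10.1.2.57 mac=00:50:56:aa:00:57 dst=10.1.2.100 blocked
2002-09-11 10:32:10 ICMP echo-request src=10.1.2.9 mac=00:50:56:aa:00:09 dst=10.1.2.100 blocked
2002-09-11 10:34:55 ICMP echo-request src=10.1.2.120 mac=00:50:56:aa:00:34 dst=10.1.2.100 blocked
2002-09-11 10:37:30 ICMP echo-request src=10.1.2.77 mac=00:50:56:aa:00:77 dst=10.1.2.100 blocked
2002-09-11 10:40:02 TCP syn src=10.1.2.57 mac=00:50:56:aa:00:57 dst=10.1.2.100:139 blocked
2002-09-11 10:40:12 ICMP echo-request src=10.1.2.34 mac=00:50:56:aa:00:34 dst=10.1.2.100 blocked
"""

# Constructed ARP/DHCP table: which MAC legitimately owns each IP address.
ARP_TABLE = {
    "10.1.2.34": "00:50:56:aa:00:34",
    "10.1.2.57": "00:50:56:aa:00:57",
    "10.1.2.9": "00:50:56:aa:00:09",
    "10.1.2.120": "00:50:56:aa:01:20",
    "10.1.2.77": "00:50:56:aa:00:77",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ICMP echo-request src=(?P<src>\S+) mac=(?P<mac>\S+) dst=\S+"
)


def parse_echo_requests(text):
    """Return (timestamp, src_ip, src_mac) for every ICMP echo-request line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["mac"].lower()))
    return events


def summarize(events, local_subnet):
    """Characterise the ping pattern: how many sources, from where, how often."""
    net = ipaddress.ip_network(local_subnet)
    per_src = Counter(src for _, src, _ in events)
    in_subnet = sum(1 for src in per_src if ipaddress.ip_address(src) in net)
    times = sorted(ts for ts, _, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    max_per_src = max(per_src.values(), default=0)
    return {
        "packets": len(events),
        "distinct_sources": len(per_src),
        "sources_in_subnet": in_subnet,
        "max_per_source": max_per_src,
        "mean_gap_seconds": mean_gap,
        # Many distinct local sources, each sending only a packet or two,
        # minutes apart, is a sweep/propagation signature rather than a DoS
        # flood; a single chatty source would look quite different.
        "sweep_like": len(per_src) >= 5 and max_per_src <= 2 and mean_gap > 30,
    }


def inconsistent_sources(events, arp_table):
    """Source IPs whose frame MAC does not belong to the owner of that IP.

    A mismatch means the IP header was not written by the host that owns the
    address (spoofed, or sent by another machine), which is the same finding
    a packet sniffer on a second PC in the subnet would give.
    """
    bad = set()
    for _, src, mac in events:
        expected = arp_table.get(src)
        if expected is not None and expected.lower() != mac:
            bad.add(src)
    return sorted(bad)


if __name__ == "__main__":
    evs = parse_echo_requests(SAMPLE_LOG)
    print(summarize(evs, "10.1.2.0/24"))
    print("suspect spoofed sources:", inconsistent_sources(evs, ARP_TABLE))
```

On the constructed log this reports five distinct in-subnet sources, at most two packets each, roughly two and a half minutes apart (flagged as sweep-like), and singles out 10.1.2.120, whose frames carry the MAC of 10.1.2.34 rather than its own. The MAC check only works on a shared segment where the firewall or sniffer sees the original frame; across a router the MAC is the router's and says nothing about the sender.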

Clarification of Question by robbienewbie-ga on 11 Sep 2002 20:45 PDT
- I am on edu connection, so I am accessing Internet via campus
network.
- The campus housing is provided with two network jacks on each room.
- I have two PCs plugged in to those jacks, and the DHCP server gives
me two IPs that belong to separate networks. However, they are still
in the same collision and broadcast domains.
- Those two PCs are similarly configured, with personal firewall and
such
- I connected both PCs to the same IRC server, using the same IRC
client, yet only the 1st machine got PING-ed from various PCs in its
subnet, while the 2nd machine is left untouched.
- I left the IRC client connected all day, and the PING-ing exists
continuously. I don't think those PC will be connected to IRC all the
time. Also, I am not using the 'popular' IRC server in here, so it is
unlikely that they are in the same server as me. I am connected to ETG
server.
- Without IRC, my PC didn't create any noticeable traffic
- The incoming packets are ICMP Requests, not Ident/Finger or other
port scan. Some NetBIOS Session message appeared, but rare.
- I am using this IRC server for months now, and these PINGs appeared
about 1-2 days ago.
- As I'm writing this, the PINGs activity somehow stopped. I didn't
do/change anything with my systems.
- I was thinking this was a new virus/worm with 9/11 related payload.

Clarification of Question by robbienewbie-ga on 11 Sep 2002 20:57 PDT
Correction, I 'spoke' too soon.. :)
The PING-ing continues, but less often than usual.

Request for Question Clarification by spot_tippybuttons-ga on 11 Sep 2002 23:00 PDT
There are so many existing viruses that ping that, even if it is a virus, it
may or may not be a new one.

It could be a variant of the W95/Firkin.worm which is a few years old.
Many, many old viruses run rampant on college campuses. You can read
more about W95/Firkin.worm at
http://vil.nai.com/vil/content/v_98557.htm

If you are concerned, see if you can get in contact with one of the IP
address owners or your campus system administrator and have them run a
virus scan. If you're really paranoid, try a heuristics scan. A
heuristics scan will often turn up even unknown viruses although it
can also generate many false positives.

Hope this helps.

Clarification of Question by robbienewbie-ga on 12 Sep 2002 09:42 PDT
Thank you! That's the first time I see the info. Must be a hell on
searching the info in the database.. :)

I was asking the question because I wasn't patient enough to browse
one by one, and I was assuming that it was a new virus. How did you
find this anyway? Hours of browsing? :)

I am paranoid, so I protected myself with layers of security and
updates. For this case, I wasn't worried that someone tried to hack or a
worm tried to own me, but I was just curious. I usually ignore port
scans and such, but this is just too weird.. :)

Anyway, I am about 75% happy with the answer, but accepted it because
it answered my request. You may post it as an answer. If possible, I
would like to see more links or virus names to satisfy my curiosity.

Thank you for your time!
Answer
Subject: Re: What caused these incoming PINGs? Worms/Viruses or Hackers?
Answered By: spot_tippybuttons-ga on 13 Sep 2002 06:40 PDT
Rated: 5 out of 5 stars

Firkin itself represents a small class of virus/worms. There are at
least four known distinct varieties. Firkin variants appear under a
variety of other names including 911 Share Virus, Bat/911,
Bat/Chode.worm, Chode, 911, Worm_Firkin, Worm.Firkin and Foreskin.

Firkin
http://www.europe.f-secure.com/v-descs/firkin.shtml

"911 Emergency" by Costin Raiu
Virus Bulletin, May 2000
http://www.virusbtn.com/magazine/archives/pdf/2000/200005.PDF


Another common virus that pings random addresses within a subnet is
known as Sorry. Sorry is a VBScript virus. Sorry, like Firkin, appears
under many different names and has several variants of its own. Sorry
and its variants are also known as Mcon, Pica.worm.gen, VBS_MCON,
VBS_MCON.V04, VBS_TTFLOADER, and Ttfloader. Sorry spreads through open
network shares and mIRC.

Mcon.A
http://www.europe.f-secure.com/v-descs/mcon.shtml

VBS/Sorry.a  
http://vil.nai.com/vil/content/v_98937.htm

VBS/Sorry.a  
http://securityresponse.symantec.com/avcenter/venc/data/vbs.sorry.a.html


There are, of course, other viruses that ping, but the majority of
these ping specific destinations in an attempt to launch a distributed
denial of service attack. One of the better known of these types of
viruses is called Papa. Papa is a macro virus modeled after the famous
Melissa virus, but seemingly not by the same author. Papa repeatedly
attempts to ping several systems in an attempt to harass Dr. Fred
Cohen, owner of the software security firm Fred Cohen & Associates.
There are also several similar viruses that ping Microsoft.

X97M.Papa.B
http://securityresponse.symantec.com/avcenter/venc/data/x97m.papa.b.html

Papa
http://www.europe.f-secure.com/v-descs/papa.shtml


Both Firkin and Sorry (and their variants) can be detected by most of
the current anti-virus software. Here is a brief list of vendors that
supply anti-virus software for a variety of platforms:

Symantec
http://www.symantec.com/

McAfee
http://www.mcafee.com/

Trend Micro
http://www.trendmicro.com/

F-Secure
http://www.F-Secure.com/

Sophos Anti-Virus
http://www.sophos.com/

Norman
http://www.norman.com/

Kaspersky
http://www.avp.ch/


If you run a virus scan and don't find anything, but you still feel
that there is something suspicious going on that might be a new,
unknown virus, contact the manufacturer of your anti-virus software.
Most anti-virus companies have means for collecting viruses "in the
wild" from customers. Your software manufacturer will be able to
provide you with the necessary tools and instructions to "quarantine"
the virus.

By running a firewall, you are already doing a very smart thing to
protect your computer. Running anti-virus scans regularly and not
opening e-mail attachments that you are not expecting are other good
ways to help keep your computer safe. As always, you should also
back up your computer regularly.

While I am by no means suggesting that you should ignore any possible
security violation, there is a certain amount of "noise" on the
Internet. For example, I run a small OS/2 server, which, obviously,
isn't vulnerable to Windows/IIS exploits. Just on a lark while writing
this, I checked my logs to see how many illegal access attempts there
were recently. This week alone, there were 11 failed attempts by Code
Red infected servers to break into my box. I run a firewall on my DSL
line at home and I can see that I get port scanned by hack tools on
all the lower ports at least several times a week. This is on top of
all of the "normal" stray IP traffic I get. Anyway, the point is, keep
an eye out and do what you need to do to protect yourself, but don't
lose too much sleep over stray traffic. You've done 100% the right
thing by setting up a firewall, and you sound like you are a very
diligent network user.

The other thing you can do to protect yourself, which I do myself, is
make a disk image of your drive and store it to a CD-ROM (or, most
likely, several CD-ROMs). If you are ever concerned that your system
may have been hacked or infected by a virus, run a file comparison
utility (such as diff or WinDiff) on the files on the drive against
the files on the CD. If something has changed that shouldn't have,
then you know you have a problem.

Seriously, you should contact your system administrator as well. Your
sys admin may already know the cause, and if not, should be able to
perform some network diagnostics... after all, it's in your
administrator's best interests as much as yours to make sure there is
nothing fishy on the network.

Good luck!


Search Strategy:
computer virus database
://www.google.com/search?q=computer+virus+database&hl=en&lr=&ie=ISO-8859-1

Individually searched/reviewed virus databases returned by Google
results.
robbienewbie-ga rated this answer: 5 out of 5 stars
What google itself can't deliver, spot_tippybuttons does! 
Delivered my request, and so much more. Thank you! :)
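The answer's "disk image on CD-ROM plus diff" advice is a manual file integrity baseline. The following added example (my own code, not the answerer's or any product's) does the same thing with hashes: record a SHA-256 digest of every file while the system is known-good, later re-hash and report what was added, removed or modified. The directory tree it checks is constructed in a temporary folder so the script runs stand-alone; the file names in it are made up.

```python
"""
Baseline-and-compare file integrity check.

Added example, not code from the original answer. It does in code what the
answer suggests doing with a CD-ROM image and diff: hash every file while
the system is known-good, later re-hash and report the differences. The
sample tree below is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files added, removed or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys if baseline[k] != current[k]
        ),
    }


def demo():
    """Build a constructed tree, snapshot it, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system"))
        with open(os.path.join(root, "system", "library.dll"), "wb") as f:
            f.write(b"original library bytes")
        with open(os.path.join(root, "autoexec.bat"), "wb") as f:
            f.write(b"@echo off\r\n")
        baseline = build_manifest(root)  # the "CD-ROM" snapshot

        # Simulated changes found after a suspected infection (constructed).
        with open(os.path.join(root, "system", "library.dll"), "wb") as f:
            f.write(b"patched library bytes")  # modified in place
        with open(os.path.join(root, "system", "unknown.exe"), "wb") as f:
            f.write(b"new file")  # added
        os.remove(os.path.join(root, "autoexec.bat"))  # removed
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In real use the baseline manifest must be stored somewhere the system cannot alter it (the CD-ROM in the answer is exactly that: read-only media), otherwise anything that modifies files can also modify the record of what they should look like. A hash manifest also avoids the answer's need to keep a full copy of every file just to compare it.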

Comments  
There are no comments at this time.
