Re: Odd windows ICMP... any ideas what this is?

From: Jonathan Clark (jon_clarkat_private)
Date: Mon Jun 09 2003 - 11:01:54 PDT


    I have come across this before as well.  This is not unusual traffic for a
    Win2k environment.  It's a Windows client doing a speed test of its network
    connection to determine if a group policy should be applied or a roaming
    profile downloaded.  I saw these large ICMP packets containing that JPEG
    mostly from dial-up users who have slower connections, and always three in a
    row.  The JPEG, if you haven't already looked at it, is a picture of the
    word "Microsoft" and it's incomplete.
    
    For information on this, check Microsoft Knowledge Base article 227260
    (http://support.microsoft.com/?id=227260).
    
    - Jonathan
    
    >
    >
    >Our IDS has been reporting some large ICMP packets on
    >our internal network. Our internal network is a
    >Windows 2000 domain -- servers and clients.
    >
    >- Packet size is always 2090 bytes
    >- Almost always sent from a client or member server to
    >one of the two boxes running Active Directory
    >- The ping payload itself is actually a JPEG of the
    >Microsoft logo. This JPEG can actually be found inside
    >userenv.dll.
    >
    >I googled for any details, and I see that others have
    >run into this before. However, there were no answers,
    >just questions. See these two links for identical
    >packets:
    >
    >http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
    >
    >http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html
    >
    >
    >Anyone else seen these? Any idea what's causing them?
    >Is this 'normal' behavior on a W2K network?
    >
    >Other than the fact that they are relatively large
    >ICMP packets, they don't appear to be malicious in any
    >way. There is no other malicious traffic seen on our
    >network.
    >
    >TIA.
    >
    >-TedK
    
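The pattern described in this thread (2090-byte ICMP echo requests carrying a JPEG, sent three in a row from clients to the domain controllers) can be turned into a simple IDS triage filter. The Python below is an added example, not code from the thread; it assumes a list of known DC addresses, uses the JPEG start-of-image marker to recognise the payload, and picks a 5-second burst window and a constructed sample capture as illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
SLOW_LINK_LEN = 2090         # packet size reported in the thread
PROBE_BURST = 3              # "always three in a row"
BURST_WINDOW = 5.0           # seconds; assumed spacing of one burst

@dataclass
class IcmpPacket:
    ts: float        # capture timestamp (seconds)
    src: str
    dst: str
    icmp_type: int   # 8 = echo request
    length: int      # total IP length in bytes
    payload: bytes   # ICMP data field

def is_slow_link_probe(p: IcmpPacket, dcs: set) -> bool:
    """Echo request of the reported size, carrying a JPEG, aimed at a DC."""
    return (p.icmp_type == 8 and p.length == SLOW_LINK_LEN
            and p.dst in dcs and JPEG_SOI in p.payload)

def triage(packets, dcs, min_len=1024):
    """Map each source of large echo requests to a verdict string."""
    verdicts, runs = {}, defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        if p.icmp_type != 8 or p.length < min_len:
            continue                      # only large echo requests matter here
        if not is_slow_link_probe(p, dcs):
            verdicts[p.src] = "investigate: large ICMP outside slow-link profile"
            continue
        ts = runs[p.src]
        if ts and p.ts - ts[-1] > BURST_WINDOW:
            ts.clear()                    # too far apart to be the same burst
        ts.append(p.ts)
        if len(ts) >= PROBE_BURST and p.src not in verdicts:
            verdicts[p.src] = "benign: Win2k slow-link detection burst"
    for src in runs:
        verdicts.setdefault(src, "watch: slow-link-looking probe, burst incomplete")
    return verdicts

# Constructed sample capture: three JPEG-bearing probes from a client to a DC, plus
# one same-sized echo request with no JPEG sent to a host that is not a DC.
_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * (SLOW_LINK_LEN - 28 - 4)   # 28 = IP + ICMP header
SAMPLE_DCS = {"10.0.0.10", "10.0.0.11"}
SAMPLE_PACKETS = [IcmpPacket(1.0 + i * 0.2, "10.0.5.23", "10.0.0.10", 8, SLOW_LINK_LEN, _JPEG)
                  for i in range(3)]
SAMPLE_PACKETS.append(IcmpPacket(9.0, "10.0.7.99", "10.0.0.50", 8, SLOW_LINK_LEN, b"A" * 2062))

def sample_verdicts():
    return triage(SAMPLE_PACKETS, SAMPLE_DCS)
```

A large echo request that matches the size but not the JPEG marker or the DC destination is deliberately left flagged rather than whitelisted on size alone.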



    This archive was generated by hypermail 2b30 : Tue Jun 10 2003 - 13:01:14 PDT