# Suspicious NetBIOS Name Service traffic

Tags: malware, netbios, network traffic, networking

A friend of mine recently complained about the very bad performance of the Internet connection over her family's LAN. Apparently the Internet connection worked normally most of the time, but certain websites (Facebook, for example) performed very badly and sometimes didn't work at all. Additionally, there seemed to be a massive overall drop in performance every evening, which rendered the Internet nearly unusable.

Curious about the cause of these problems, I monitored the network traffic visible to my machine for a while and discovered some suspicious traffic. Every minute a Windows 7 host broadcast 12 NetBIOS Name Service packets (one packet per second), apparently querying the name of an ancient Windows XP machine that gets connected to the LAN (and the Internet…) every now and then. The packets looked like this:

12:52:37.567533 IP (tos 0x0, ttl 128, id 17406, offset 0, flags [none], proto UDP (17), length 78)
192.168.0.2.netbios-ns > 192.168.0.255.netbios-ns: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
TrnID=0xBC60
OpCode=0
NmFlags=0x11
Rcode=0
QueryCount=1
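To make the fields in that dump concrete, here is an added Python example (not from the original post) that builds a constructed NBNS name query with the same header values, decodes TrnID, OpCode, NmFlags, Rcode and QueryCount from the RFC 1002 wire format, and flags any source that broadcasts ten or more queries for the same name within a minute, the pattern described above. The threshold, window and the host names used when calling it are assumptions.

```python
import struct
from collections import defaultdict
def encode_name(name, suffix=0x20):
    """RFC 1001 first-level encoding: pad to 15, append suffix byte, then
    write each nibble of every byte as a letter 'A'..'P' (32 chars)."""
    raw = name.upper().ljust(15)[:15].encode() + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0xF)]) for b in raw)
    return bytes([len(enc)]) + enc + b"\x00"

def build_query(trn_id, name):
    """Constructed NBNS name query request, as a Windows host broadcasts it.
    Flags word: R=0, OPCODE=0, NM_FLAGS=0x11 (RD|B), RCODE=0 -> 0x0110."""
    hdr = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", 0x0020, 0x0001)  # NB, IN

def parse_nbns(pkt):
    """Decode the header fields tcpdump prints, plus the queried name."""
    trn_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    n = pkt[12]                                   # encoded name length (32)
    enc = pkt[13:13 + n]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, n, 2))
    return {
        "trn_id": trn_id,
        "response": bool(flags >> 15),            # R bit: 0 = request
        "opcode": (flags >> 11) & 0xF,            # 0 = QUERY
        "nm_flags": (flags >> 4) & 0x7F,          # AA TC RD RA 0 0 B
        "rcode": flags & 0xF,
        "broadcast": bool((flags >> 4) & 1),      # B bit
        "query_count": qd,
        "name": raw[:15].decode().rstrip(),
        "suffix": raw[15],
    }

def chatty_queriers(events, threshold=10, window=60):
    """events: (timestamp, src_ip, nbns_payload). Return the (src, name) pairs
    that broadcast >= threshold queries for one name within `window` seconds."""
    seen = defaultdict(list)
    for ts, src, payload in events:
        q = parse_nbns(payload)
        if q["response"] or q["opcode"] != 0 or not q["broadcast"]:
            continue
        seen[(src, q["name"])].append(ts)
    flagged = set()
    for key, times in seen.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(key)
                break
    return flagged
```

A 50-byte payload from `build_query` gives exactly the UDP length 78 shown in the dump (20 bytes IP + 8 bytes UDP + 50 bytes NBNS).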