network activity

kris
kris Posts: 38 Explorer

hello. today while i was browsing internet. i opened killswitch and observed a suspicious communication. aaadjukvdbqdavr.ru

i dont know what is this. is it legitimate or not. just 2 days back f-secure detected an autorun and win32/generic/sality.3 infections from my friend's usb drive. is it related to that? is my computer still infected? i rescanned few times after f-secure found infections in my friend's usb drive. all scans came clean. scanned with f-secure, mbam, and hitman pro. can it be considered as an infection?Untitled.jpg

 

aaadjukvdbqdavr.ru                        i also saw it in few more communications. including firefox and svchost.exe

Comments

  • NikK
    NikK Posts: 903 Forum Champion

    I agree it looks suspicious, and probably related to the sality.3 generic detection. What's strange in your screenshot is that this .ru address shows up as a local address instead of as a remote address. Don't know what that means, but this address has 2 detections on VirusTotal as a malicious site.

     

    Sality is the family name of a group of malware that is considered to be one of the most effective and complex malwares. Sality.3 probably indicates version 3 of this botnet. It sounds really nasty and the article mentions rootkit, peer-to-peer, infecting security-related processes, trojans that steal passwords and finacial data, that is uses digitally signed files to evade detection, spreading through removable drives and network shares partly with the help of autorun.inf files, installing keyloggers, injecting code into running processes, bypassing firewalls, preventing boot into safe mode etc Smiley Sad

     

    If it was my computer I would boot to a system repair disc and restore a full backup(system image) that re-formats the hard drive(s) first. And then disable autorun/autoplay so this doesn't happen again. And then scan any network shares for infections. The article mentions that for network shares some Sality variants drops a .tmp file and then a .lnk file to run the dropped virus.

     

    You could try "Microsoft Windows Malicious Software Removal Tool". This is the same tool that comes once a month with Windows Update but If I remember correctly you have an option to do a full scan with it. Sality is one of the listed "major virus and worm families" that this tool scans for. There's also "Microsoft Safety Scanner". More info here:

    http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fSality

  • NikK
    NikK Posts: 903 Forum Champion

    Microsoft claims their security software can remove Win32/Sality. In case the infection blocks you from running security software you could use "Windows Defender Offline". You should do this on a clean computer to create a bootable CD/DVD/USB and then boot into that media on the infected machine.

     

    I found a few other tools for example from AVG: "The tool will automatically scan all available discs and will try to heal the infected files." So I'd go with Microsoft on this one.

     

    F-Secure says this about W32/Sality:

    The detection name Virus:W32/Sality refers to a large family of viruses that infect executable files. Sality viruses are rather sophisticated in that they use an Entry Point Obscuration technique to hide their presence on the system.

    Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites and steal data from the infected machine.

    From: http://www.f-secure.com/v-descs/virus_w32_sality.shtml

  • kris
    kris Posts: 38 Explorer

    hello nikk. thanks for your rply. i tried msrt. but it doesnt detect anything. i also tried tdss killer, sality killer. but no result. i also full scanned with f-secure with advanced heuristics scan all files scan compressed files as i always do. but still no result. i opened support ticket. but up till now no fruitful solution. but as i was searching today. i found something. https://www.google.co.in/#q=aaadjukvdbqdavr.ru                      this shows 3rd result of fbi. which relates to zeus botnet. does it can be considered that this machine is infected with zeus trojan?

  • kris
    kris Posts: 38 Explorer

    also i am posting here a portion of rkill log.

    Checking HOSTS File:

     * HOSTS file entries found:

      127.0.0.1    aaadjukvdbqdavr.ru
      127.0.0.1    aaamuxwfcqrcjm.com
      127.0.0.1    aaayfilrkvfhewq.com
      127.0.0.1    aabihjlxdxbll.com
      127.0.0.1    aacbqhitnujox.net
      127.0.0.1    aacckdwujngcii.com
      127.0.0.1    aadjsbkprnuu.org
      127.0.0.1    aafvepicmynd.org
      127.0.0.1    aagbhmcrihcre.info
      127.0.0.1    aagpvagmstrirl.org
      127.0.0.1    aahdtqbieitq.org
      127.0.0.1    aaivssmneicnwv.org
      127.0.0.1    aaktyhnutlcod.co.uk
      127.0.0.1    aamsryetvoymnt.biz
      127.0.0.1    aaobbyoaenumvgh.co.uk
      127.0.0.1    aapahckoiogpnea.info
      127.0.0.1    aapikkbctgmn.org
      127.0.0.1    aaqoyqxgpadmtlb.info
      127.0.0.1    aaqwtjexynwfnbt.co.uk
      127.0.0.1    aaroqaxlbgfml.ru

      20 out of 15010 HOSTS entries shown.
      Please review HOSTS file for further entries.

    Program finished at: 06/03/2014 06:04:26 PM
    Execution time: 0 hours(s), 3 minute(s), and 5 seconds(s)

     


    i dont know what this mean. but i am almost sure that this is unsusal.

  • NikK
    NikK Posts: 903 Forum Champion

    Your HOSTS file actually explains why this .ru address showed up as a local address instead of a remote when you used killswitch. I can't see anything harmful with the entries in the HOSTS file. Entries like these can actually be used to block your computer from accessing these sites. If you(or any program) tries to access any of the sites listed in the HOSTS file, it'll be redirected to your local computer instead. See example here: http://winhelp2002.mvps.org/hosts.htm

    How did you get this HOSTS file? You can check its creation, modified date etc for clues.

     

    I'm no expert in malware but I think if malware modifies the HOSTS file it's more likely that it will block access to security related sites or redirect to fake sites. 

     

    Good that all scans came up clean. If you suspect Gameover Zeus infection you could try this new tool from Symantec:

    http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network

     

    If you want to investigate your computer a little deeper with multi-scanning:

    http://community.f-secure.com/t5/Security/How-to-easily-scan-all-processes/m-p/43599

    (for example processes in purple are packed/obfuscated which is not normal for most programs)

     

    How to find malicious processes (what signs to look for):

    http://www.microsoft.com/security/sir/strategy/default.aspx#!malwarecleaning

This discussion has been closed.
Feedback on New Design