"peradjoka.t35.com"
Tale
May 26th, 2009, 02:31 AM
Greetings to all,
this morning one of the office computers presented an ESET notification message:
"Address has been blocked
URL address:
"peradjoka.t35.com/COMPUTER_NAME/1.rar
IP address:
66.45.237.219:80"
It repeated until restart.
There are no logs of this event in the log window.
What to do?
danieln
May 26th, 2009, 03:55 AM
It could be an infection of an Autoit malware.
Older variants were located here:
c:\Win\lsass.exe
When you find it submit it if it is undetected.
Tale
May 26th, 2009, 04:03 AM
But there was nothing to submit...
Logs are clear.
Scanning showed no threats.
Marcos
May 26th, 2009, 04:14 AM
If the file c:\Win\lsass.exe is not detected, locate it on the disk and send it in an archive protected with the password "infected" to samples[at]eset.sk
stackz
May 26th, 2009, 06:28 AM
I just checked out the URL in question and as was reported, ESS blocks this website, meaning the PC didn't connect to the site, therefore no chance of infection. (Network connections view in ESS and my own TCP Viewer confirm this... no connection). So no need to worry :)
Marcos
May 26th, 2009, 06:37 AM
What about c:\Win\lsass.exe that I've asked you to check if it actually exists on the disk?
Tale
May 26th, 2009, 07:32 AM
No, c:\Win\lsass.exe does not exist.
What I am worried about is that the computer was in a state in which ESET continuously popped up a notification window, as if something on the computer repeatedly tried to connect to that IP address.
And I could not find that "something".
The event occurred right after switching on that computer.
EDIT: found standard lsass file in system32 (WIN XP Pro SP3). Sent them to samples[at]eset.sk.
danieln
May 26th, 2009, 10:01 AM
Perhaps you would like to create a SysInspector log and send it, for example, to Marcos?
Tale
May 26th, 2009, 11:15 AM
Yes, I'd like to, but not until tomorrow.
Work day is over.
Tale
May 26th, 2009, 02:19 PM
Marcos, any new ideas?
agoretsky
May 26th, 2009, 03:01 PM
Hello,
If you issue a "netstat -b -f" command at the Command Prompt (filename: CMD.EXE), does it show which program is attempting to access the Internet host in question?
Regards,
Aryeh Goretsky
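The point of the netstat -b suggestion above is to tie the outbound attempt to the image that owns the socket. The following added example (my own code, not from the thread or from ESET) parses the text that Windows "netstat -b" prints and reports which process owns any connection to a given host; the netstat excerpt is constructed for the demo, not a real capture. Note that netstat reports only the image name, so a name such as lsass.exe still has to be checked against its path on disk.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of Windows "netstat -b" output (not a real capture).
# Each connection line is followed by the component chain (DLLs) and,
# in square brackets, the image that owns the socket.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1045      192.168.1.1:445        ESTABLISHED     4
  [System]
  TCP    192.168.1.20:1052      66.45.237.219:80       SYN_SENT        1284
  C:\\WINDOWS\\system32\\WS2_32.dll
  [lsass.exe]
  TCP    192.168.1.20:1060      10.0.0.7:80            ESTABLISHED     2012
  [firefox.exe]
  UDP    0.0.0.0:500            *:*                                    748
  [lsass.exe]
"""


@dataclass
class Connection:
    proto: str
    local: str
    foreign: str
    state: Optional[str]      # UDP sockets have no state column
    pid: Optional[int]
    owner: Optional[str] = None  # image name from the bracketed line


def parse_netstat_b(text: str) -> List[Connection]:
    """Parse the text of 'netstat -b' into Connection records."""
    conns: List[Connection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("TCP", "UDP"):
            proto, local, foreign = parts[:3]
            rest = parts[3:]
            state = rest.pop(0) if proto == "TCP" and rest else None
            pid = int(rest[0]) if rest and rest[0].isdigit() else None
            conns.append(Connection(proto, local, foreign, state, pid))
        elif line.startswith("[") and line.endswith("]") and conns:
            # The bracketed line names the executable owning the previous socket.
            conns[-1].owner = line[1:-1]
        # Header lines and DLL component lines are ignored.
    return conns


def owners_of_connections_to(text: str, host: str,
                             port: Optional[int] = None) -> List[Tuple[Optional[str], Optional[int], Optional[str]]]:
    """Return (owner, pid, state) for every socket whose foreign end is host[:port]."""
    hits = []
    for c in parse_netstat_b(text):
        addr, _, p = c.foreign.rpartition(":")
        if addr == host and (port is None or p == str(port)):
            hits.append((c.owner, c.pid, c.state))
    return hits


if __name__ == "__main__":
    # The address from the ESET notification in this thread.
    for owner, pid, state in owners_of_connections_to(SAMPLE_NETSTAT, "66.45.237.219", 80):
        print(f"{owner} (PID {pid}) -> 66.45.237.219:80 [{state}]")
```

Run it against a saved "netstat -b" dump (redirect the command's output to a file and read it in) while the notification is firing; a SYN_SENT socket owned by an image you cannot account for is the thing to investigate.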
Tale
May 27th, 2009, 01:40 AM
-{ Quote: "Hello,
If you issue a "netstat -b -f" command at the Command Prompt (filename: CMD.EXE), does it show which program is attempting to access the Internet host in question?
Regards,
Aryeh Goretsky" }-
Good morning.
I just issued "netstat -b" and found no suspicious connections.
I will try again if I see mentioned notification again.
Tale
May 27th, 2009, 01:49 AM
@Marcos:
Can I somehow send you the SysInspector log?
Marcos
May 27th, 2009, 03:29 AM
Send it to samples[at]eset.com with this thread's url in the subject please.
Tale
May 27th, 2009, 03:56 AM
Sent.
Thx.
danieln
May 27th, 2009, 04:33 AM
Indeed there is a record in the registry referring to the malware:
Important Registry Entries
- Standard Autostart
--"Key" = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ( 5: Unknown ) ;
--- "run32" = "C:\Win\lsass.exe" ( 5: Unknown ) ;
Right-click on it in SysInspector, choose "Open in RegEdit" and delete the run32 record.
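What gave the entry away in the SysInspector log is the combination of a core system process name (lsass.exe) with a path outside %SystemRoot%\system32 and a launch from the Run key, which the real lsass.exe never uses. The following added example (my own code, not part of the thread, SysInspector or ESET) parses Run-key entries written in the SysInspector text format shown above and flags that pattern; the log excerpt is constructed to mirror the thread's format, and the set of core process names and the system directory are my assumptions.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed SysInspector-style excerpt modelled on the thread's format
# (not a real log). "( 5: Unknown )" is the risk level and label shown by SysInspector.
SAMPLE_SYSINSPECTOR = r"""
Important Registry Entries
- Standard Autostart
--"Key" = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ( 5: Unknown ) ;
--- "run32" = "C:\Win\lsass.exe" ( 5: Unknown ) ;
--- "egui" = ""C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice" ( 1: Fine ) ;
--- "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" ( 1: Fine ) ;
"""

# Assumed set of core Windows processes that the OS starts itself; none of them
# is legitimately registered under a Run key.
CORE_PROCESSES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                  "services.exe", "wininit.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumed %SystemRoot%\system32

KEY_RE = re.compile(r'^-+\s*"Key"\s*=\s*"([^"]+)"')
# Greedy (.*) so that commands containing their own quotes are captured whole.
VALUE_RE = re.compile(r'^-+\s*"([^"]+)"\s*=\s*"(.*)"\s*\(\s*(\d+):\s*(\w+)\s*\)')


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    level: int
    rating: str


def parse_autostart(text: str) -> List[AutostartEntry]:
    """Collect value entries under each '"Key" = ...' line of the SysInspector text."""
    entries: List[AutostartEntry] = []
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(AutostartEntry(key, m.group(1), m.group(2),
                                          int(m.group(3)), m.group(4)))
    return entries


def executable_of(command: str) -> str:
    """Extract the image path from a Run-key command line (quoted or bare)."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r'^(.*?\.exe)(?:\s|$)', command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command.split() else command


def assess(entry: AutostartEntry) -> List[str]:
    """Return the reasons an autostart entry looks like a masquerading system process."""
    exe = PureWindowsPath(executable_of(entry.command))
    name, parent = exe.name.lower(), str(exe.parent).lower()
    reasons = []
    if name in CORE_PROCESSES:
        reasons.append(f"{name} is started by the OS itself, never from a Run key")
        if parent != SYSTEM32:
            reasons.append(f"{name} located outside {SYSTEM32} ({parent})")
    return reasons


def suspicious_autostarts(text: str) -> List[Dict[str, object]]:
    """Parse the log and return only the entries that assess() flags."""
    flagged = []
    for e in parse_autostart(text):
        reasons = assess(e)
        if reasons:
            flagged.append({"name": e.name, "command": e.command,
                            "level": e.level, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in suspicious_autostarts(SAMPLE_SYSINSPECTOR):
        print(f'{f["name"]} = {f["command"]} (risk {f["level"]})')
        for r in f["reasons"]:
            print("   -", r)
```

The two reasons are deliberately separate: the first fires even if the file were dropped into system32 under a core name, the second catches any core name living elsewhere, as in C:\Win here. Entries that are flagged should be cross-checked against the file on disk before the value is deleted, which is what the thread did with the system32 copy of lsass.exe.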
Tale
May 27th, 2009, 05:13 AM
Done.
Thx very much.
I'll keep observing that computer.