Greetings to all, this morning one of the office computers presented an ESET notification message: "Address has been blocked. URL address: peradjoka.t35.com/COMPUTER_NAME/1.rar, IP address: 66.45.237.219:80". It repeated until restart. There are no logs of this event in the log window. What to do?
It could be an infection by AutoIt malware. Older variants were located here: c:\Win\lsass.exe. When you find it, submit it if it is undetected.
If the file c:\Win\lsass.exe is not detected, locate it on the disk and send it in an archive protected with the password "infected" to samples[at]eset.sk
I just checked out the URL in question and, as was reported, ESS blocks this website, meaning the PC didn't connect to the site, therefore no chance of infection. (The network connections view in ESS and my own TCP Viewer confirm this: no connection.) So no need to worry.
No, c:\Win\lsass.exe does not exist. What I am worried about is that the computer was in a state in which ESET continuously popped up the notification window, as if something from the computer repeatedly tried to connect to that IP address. And I could not find that "something". The event occurred right after switching on that computer. EDIT: found the standard lsass file in system32 (WIN XP Pro SP3). Sent them to samples[at]eset.sk.
Hello. If you issue a "netstat -b -f" command at the Command Prompt (filename: CMD.EXE), does it show which program is attempting to access the Internet host in question? Regards, Aryeh Goretsky
Good morning. I just issued "netstat -b" and found no suspicious connections. I will try again if I see the mentioned notification again.
Indeed there is a record in the registry referring to the malware:
Important Registry Entries - Standard Autostart
"Key" = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ( 5: Unknown )
"run32" = "C:\Win\lsass.exe" ( 5: Unknown )
Right-click it in SysInspector, choose "Open in RegEdit" and delete the run32 record.
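A defender-side check for the kind of autostart entry shown in the post above, as an added example that is not from the thread or from ESET: it scans Run-key name/value pairs for an executable that carries a protected system binary's name but sits outside System32, which is exactly how "run32" = "C:\Win\lsass.exe" stands out next to the genuine lsass.exe in system32. The sample entry list and the set of protected binary names are constructed for the example and can be replaced with a real export of the Run key.

```python
import ntpath

# Binaries that legitimately start only from %SystemRoot%\System32 (or SysWOW64).
# lsass.exe is the one in this thread; the rest are illustrative (assumption).
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def command_path(value):
    """Return just the executable path from a Run-key value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted value: the executable ends after the first ".exe" if present, else at the first space.
    idx = value.lower().find(".exe")
    if idx != -1:
        return value[: idx + 4]
    return value.split(" ")[0]


def audit_run_entries(entries):
    """Flag (name, value) Run entries whose executable masquerades as a system binary.

    Returns a list of (entry_name, executable_path, reason) tuples.
    """
    findings = []
    for name, value in entries:
        path = command_path(value)
        base = ntpath.basename(path).lower()
        directory = ntpath.dirname(path).lower().rstrip("\\")
        if base in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
            findings.append((name, path, "system binary name outside System32"))
    return findings


# Constructed sample of what HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run might hold
# on the machine in the thread; only the run32 entry is taken from the post.
SAMPLE_RUN_ENTRIES = [
    ("run32", r"C:\Win\lsass.exe"),
    ("egui", r'"C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice'),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for name, path, reason in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {path} -> {reason}")
```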