Re: DNS calls to Ukraine destinations



MowGreen wrote:
Dan,

Still haven't heard from Gary yet. If the malware is not a RootKit then we'll get that link posted here. If it is an RK, then we'll have to take this to a private thread to block RK writers from observing which tool and version is used to remove it. That's what it's come down to lately.
But if Gary ever contacts us, we'll have him provide you with any info you need.
Hope you understand ;)

MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============


Dan wrote:
MowGreen wrote:
the ISA logs show this machine making repeated calls on DNS protocol, port 53, to two different IPs that belong to a web hosting company in the Ukraine. I can't help but think that this is malware in action, but can't determine what is doing it.

Gary,

As long as you can keep the malware blocked, post the log to the HijackThis Forum at AumHa:
http://aumha.net/viewforum.php?f=30

We'll call in the "Experts" if need be and at least identify the malware, the risk from it, and who's hosting it.

I'll BCC this. Email me when you post the HJT log and please, provide us with the IPs, too.


MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============


Gary S. Terhune wrote:
I have an XP Pro box on an SBS network (one SBS Premium server w/ ISA 2004,
two XP Pro clients.) The box was heavily infected by numerous viruses and
other malware on 9/11. Issues with antivirus installation resulted in its
not updating for some time, but I'm not certain just how it all got started.
Far as I can tell, none of it got to any of the other machines on the
network.

I cleaned up using various AV and anti-spyware tools (AdAware, Spybot,
Trend-Micro AV) and it seems to be healthy now, but the ISA logs show this
machine making repeated calls on DNS protocol, port 53, to two different IPs
that belong to a web hosting company in the Ukraine. I can't help but think
that this is malware in action, but can't determine what is doing it. The
ISA firewall is blocking the requests, but I'd like to know what's going on.
Any ideas on how to trace this? I can't find anything in running processes
that isn't supposed to be there. Note that these calls are being made even
when nobody is logged on to the machine. They're averaging one per second.


Well, I hope Gary will provide the link to the HiJack This website in this newsgroup so that other users like me can see what potential malware is in the HiJack This log. Gary, if you do not want to post here then you know my email and please email me where you posted the Hijack This log and thanks in advance because I appreciate all you do for these newsgroups.

Sure, I fully understand and thank you for your consideration. I find the security aspect of computers fascinating. <grin>
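To illustrate the kind of check Gary is asking about, here is an added example (not code from anyone in this thread) that works through firewall log lines and flags a client that keeps sending port-53 requests to the same outside address at a steady cadence, which is what a scheduled callback looks like. The log layout, the client addresses and the destination address are all constructed for the example; a real ISA 2004 export has more columns, so the field positions in the regular expression would need adjusting.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample in a simplified "date time client dest port proto action"
# layout (an assumption, not a verbatim ISA 2004 log). 203.0.113.10 is a
# documentation address standing in for the hosting-company IPs from the thread.
SAMPLE_LOG = """\
2006-09-18 03:00:00 192.168.16.5 203.0.113.10 53 DNS Denied
2006-09-18 03:00:01 192.168.16.5 203.0.113.10 53 DNS Denied
2006-09-18 03:00:02 192.168.16.5 203.0.113.10 53 DNS Denied
2006-09-18 03:00:03 192.168.16.5 203.0.113.10 53 DNS Denied
2006-09-18 03:00:05 192.168.16.5 203.0.113.10 53 DNS Denied
2006-09-18 03:00:06 192.168.16.5 203.0.113.10 53 DNS Denied
2006-09-18 03:00:07 192.168.16.5 203.0.113.10 53 DNS Denied
2006-09-18 03:00:09 192.168.16.6 192.168.16.2 53 DNS Allowed
2006-09-18 03:00:40 192.168.16.6 192.168.16.2 53 DNS Allowed
2006-09-18 03:04:30 192.168.16.6 192.168.16.2 53 DNS Allowed
2006-09-18 03:05:02 192.168.16.6 192.168.16.2 53 DNS Allowed
2006-09-18 03:09:11 192.168.16.6 192.168.16.2 53 DNS Allowed
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, dest, port, action); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4)), m.group(6)

def find_dns_beacons(text, min_hits=5, max_jitter=0.5):
    """Return {(client, dest): summary} for port-53 flows with a regular cadence.
    A host's normal lookups to its own DNS server are bursty and irregular, so
    they drop out on the jitter test; a timer-driven callback does not."""
    flows = defaultdict(list)
    for ts, client, dest, port, action in parse_log(text):
        if port == 53:
            flows[(client, dest)].append((ts, action))
    beacons = {}
    for key, events in flows.items():
        if len(events) < min_hits:
            continue
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons[key] = {"hits": len(events), "interval_s": median(gaps),
                            "denied": sum(1 for _, a in events if a == "Denied")}
    return beacons
```

Run over the real log, the summary tells you which internal client is responsible, how often it calls out and whether ISA is still denying every attempt, which narrows the hunt on that machine to whatever runs without a logged-on user.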


