altangerel

Hi all, Where does ESET RA server download virus signature updates? Our server tries to connect to tsm02.eset.com domain (91.228.166.143, 91.228.166.11) over HTTP, but snort identifies these connection as a malware-cnc RAT update. We tried to investigate the cause of that problem, and found some suspicious things in the HTTP post data. There is possible bot update command: hxxp://fast.onoodor.com:443/update?id=ff64a2f9 in post data. Anyone know about this? Regards, Altangerel

Dears, We were notified that our some client PC tries to connect a malware domain, which is airforce.rr.nu. We examined client pc and found that a process named ekrn.exe is trying to connect to that domain. Is there any legal operation that connects to airforce.rr.nu in Nod32? Regards, Altangerel network_mon.bmp

Hi Marcos, Log entry is below: Startup scanner file Operating memory » svchost.exe(1616) a variant of Win32/Korplug.A trojan unable to clean