[ESET update and Suspicious HTTP post data]

Hi all,

 

Where does ESET RA server download virus signature updates? Our server tries to connect to tsm02.eset.com domain (91.228.166.143, 91.228.166.11) over HTTP, but snort identifies these connection as a malware-cnc RAT update. We tried to investigate the cause of that problem, and found some suspicious things in the HTTP post data. There is possible bot update command: hxxp://fast.onoodor.com:443/update?id=ff64a2f9 in post data. Anyone know about this?

 

Regards,

Altangerel

[ekrn.exe process tries to connect a malware domain]

Dears,

 

We were notified that our some client PC tries to connect a malware domain, which is airforce.rr.nu. We examined client pc and found that a process named ekrn.exe is trying to connect to that domain.

Is there any legal operation that connects to airforce.rr.nu in Nod32?

 

Regards,

Altangerel

network_mon.bmp

[How to remove Korplug.A trojan]

Hi Marcos,

 

Log entry is below:

 

Startup scanner    file    Operating memory » svchost.exe(1616)    a variant of Win32/Korplug.A trojan    unable to clean