Strange file trying to access internet


1 reply to this topic

#1 Qb_Master

Posted 01 April 2012 - 09:32 AM

While reading a book, I look up and notice my firewall asking me permission to allow a program to access the Internet. The program had a description of "Torrent", and a filename of 0.7194047411186524.exe. I checked my processes, and sure enough, this odd-looking process was running from "c:\documents and settings\qb_master\appdata\local\temp\". It was trying to connect to the IP address 81.177.160.186, local port 58684, remote port 80. After WHOIS'ing the IP address, it pointed to the organization OJSC RTComm.RU, in Russia, which is apparently a hosting service.

I obtained a copy of the file, and uploaded it to virustotal.com (as well as made a copy of it in an encrypted RAR archive for later research), which had a detection rate of 6/42. I downloaded a trial version of VIPRE, one of the 6 which found the file to be a virus, and am running a scan now. Upon selecting the executable, the active virus scanner returns information about the file, stating that the application is named "Torrent" as mentioned above, the company is listed as "the Torrent Team", and the version is 11.00.

https://www.virustot...sis/1333291299/ this is the result of the virustotal scan.

McAfee-GW-Edition Heuristic.BehavesLike.Win32.Downloader.A 20120401
NOD32 a variant of Win32/Injector.MKP 20120401
Panda Suspicious file 20120401
TheHacker Posible_Worm32 20120401
VBA32 SScope.Trojan.VBRA.3878 20120330
VIPRE Trojan.Win32.Generic.pak!cobra 20120401

Firewall detection: [image]

VIPRE detecting my copy of the executable in c:\tmp\: [image]

I could upload the file itself, encrypted in a rar archive. However, I'm not going to do that unless specifically asked to :p.

I'd like to find out what this file is, how it got on here, why it's trying to access a hosting service in Russia, why it has the name Torrent, etc.
Moreover, I want to find out if there's good reason to believe there may be a RAT or other type of trojan lying on here, and if my security is compromised as a result.

#2 Budfred

Posted 01 April 2012 - 10:19 AM

Please read the Instructions and post a topic in Malware Removal to get help with this problem... http://www.spywarein...showtopic=79038
Budfred

MS MVP 2006 and ASAP Member since 2004
