The following domains and IPs are currently being used as C&C servers by the Medfos family of trojans (this one in particular):
84.32.116.110
85.25.132.55
173.224.210.244
184.82.62.16
188.95.48.152
ehistats.su
emstats.su
ieguards.su
iestats.cc
inetprotections.su
iprotections.su
netprotections.cc
sysinfo.cc
sysinfonet.cc
westats.cc
The hosts involved are:
84.32.116.110 (LIX Solutions, Lithunia)
85.25.132.55 (Intergenia / PlusServer AG, Germany)
173.224.210.244 (Psychz Networks, US)
184.82.62.16 (HostNOC, US)
188.95.48.152 (Globab Layer, Netherlands)
The domains listed are used in conjunction with hundreds of subdomains. Blocking the main domain will be the best approach, else the ones that I have been able to determine are listed here.
4 comments:
Thanks for this, my K9 web protection first picked up attempts to connect to these domains (and was blocking them as they were classified as "suspicious"). A Google search brought me here. Really helpful. Unfortunately and the links to Microsoft to use the Microsoft safety scanner - which assured me it removed them - but the computer is still trying to connect :(
If you recommend any other removal tool then do let me know.
Kind regards
John
@bobbathejobba - this malware injects itself as a rogue .dll into HKEY_LOCAL_MACHINE\Software\Microsoft\Current Version\Run and HKEY_CURRENT_USER\Software\Microsoft\Current Version\Run in the registry (values are randomly generated but it should be easy to stop). The trick is that when the computer shuts down then it re-writes itself into the registry. Try deleting the reg entry and then killing the power cold, that should stop it reinjecting itself. (Your mileage may vary though..)
Hi Conrad,
I believe the malware you've identified isn't Medfos, but is instead known as Shylock of Caphaw by most anti-virus vendors.
Thanks,
Tom
Thanks Conrad. Was in HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run and was disguising itself as a flash player app - which explains why flash had stopped working in FireFox. Removed it in safe mode and seems fine now...famous last words!
Thanks again.
Post a Comment