I ran a netstat -a on a computer and there were a number of strange items:

   Proto  Local Address          Foreign Address        State
TCP    netgym:epmap           virusin:0              LISTENING
TCP    netgym:microsoft-ds    virusin:0              LISTENING
TCP    netgym:netbios-ssn     virusin:0              LISTENING

So I checked the hosts file and it's all mangled with weird stuff. Below is an exact copy of the hosts file minus about 100 more similar entries. Each address is truncated after 7 characters.

0.0.0.0 virusin
0.0.0.0 www.vir
0.0.0.0 project
0.0.0.0 www.pro
0.0.0.0 novirus
0.0.0.0 www.nov
0.0.0.0 www.ant
0.0.0.0 zeustra
0.0.0.0 www.zeu
0.0.0.0 www.mal

I didn't add any of these entries in hosts.

Anybody seen something like this before? Is this dangerous? Is there a way something redirecting to 0.0.0.0 could cause issues?

Edit: Additional INFO

I commented out the first line of the hosts file and now the foreign address my machine tries to go to is the third one down in the list: "project". Shouldn't all my services just go to localhost?

mattdm
JMC

2 Answers

One of the possible things malware might do is modify your hosts file, just as you are witnessing.

0.0.0.0 isn't a valid IP address (it's used in most TCP/IP APIs to mean any address). However, setting an entry in the hosts file to 0.0.0.0 is a way to make that website unreachable.

It looks like what you've pasted is cut off at the edge, so I can't tell for sure, but I suspect malware. If you try to go to the above addresses, your browser will time out. This could be an attempt to prevent you from going to websites to download malware removal tools, or find out more information about it.

A legitimate program that modifies the hosts file is going to leave comments in the file and identify itself, which honestly is extremely rare. So, I'd assume this is some type of malware causing this.

LawrenceC
  • I can't explain the weird TCP connections, though. – LawrenceC Dec 05 '10 at 20:36
  • Re: cut off addresses in hosts file, that is the strangest thing to me about all this. The addresses in the hosts file are mangled as shown above. None of them are complete addresses. – JMC Dec 05 '10 at 20:39
  • +1 - I see what you're saying about the addresses in the host file possibly being there to keep me from downloading updates. Looks like the malware partially failed. – JMC Dec 05 '10 at 20:47
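A small audit script for this kind of tampering, added here as an example and not part of either answer. It parses hosts-file syntax, reports every entry that sinkholes a name the OS would not normally map to loopback or 0.0.0.0, and shows which name a resolver would print for 0.0.0.0 (the first matching entry), which is consistent with the behaviour described in the question's edit. The hosts content, benign-name list and sinkhole-address list are constructed assumptions.

```python
import ipaddress

# Constructed sample modelled on the entries quoted in the question,
# plus a few normal lines so the audit has something to ignore.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 virusin
0.0.0.0 www.vir
0.0.0.0 project
0.0.0.0 www.pro
192.168.1.10    fileserver.lan
"""

# Addresses used to black-hole a name (assumed set).
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names a stock hosts file legitimately maps to loopback (assumed set).
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet",
                "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

def parse_hosts(text):
    """Return [(lineno, address, [names])] for each active entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])   # first field must be an IP
        except ValueError:
            continue                          # malformed line, skip it
        entries.append((lineno, fields[0], fields[1:]))
    return entries

def suspicious_entries(text):
    """Entries that sinkhole a name not expected to be sinkholed."""
    out = []
    for lineno, addr, names in parse_hosts(text):
        if addr in SINKHOLES:
            bad = [n for n in names if n.lower() not in BENIGN_NAMES]
            if bad:
                out.append((lineno, addr, bad))
    return out

def first_name_for(text, addr):
    """Name a hosts-first reverse lookup would print for addr, if any."""
    for _, a, names in parse_hosts(text):
        if a == addr and names:
            return names[0]
    return None
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts on Windows) and treat every reported line as something to explain before trusting the machine.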
Any time anything shows up in your hosts file that you didn't put there, I'd be very alarmed. I've seen infections that redirected a huge number of anti-virus update sites to 127.0.0.1, effectively cutting the user off from updates. This appears to be something similar, so I would immediately run virus/malware scans using a variety of tools, as you are most likely infected with something.

MattC