.rserv wants to connect to cuojshtbohnt.com

@TopperHarley

This just in. Intego agrees with us:

it can be risky to follow instructions presented on some websites about removing it. As the most recent versions of the Flashback malware use random four-character names for files they place in the /tmp folder, you cannot know, simply by looking at these file names, if a file is valid or if it is malware. Deleting files manually, because you think they are malicious, may lead to system problems or instability.

Complete article is here.

<rant>Wow, thanks Apple, for not updating Java quickly enough and making me enjoy my first Mac malware infection! Thanks for making me waste 2 hours to figure it out and clean up.</rant>

On the subject:

As other people, I was infected by the ".flvserv" variant of the malware ("Flashback.K") which tried to contact the domain "vXvhWcIxCxqXd.com" in order to load the payload. It was loaded by ~/Library/LaunchAgents/com.adobe.flp.plist.

This guide helped me clear my system of it:

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

I found a similar/same infection today. Not sure how to use this post system so bear with me.

Had a LS hit for vxvhwcixcxqxd.com today. Traced the process to: /Users/myusername/.sunupdate

A search on the domain led me here. Original file date was 28 March 2012. Permissions are the same as others have seen. The plist file content is the same with the name changed to: ~/Library/LaunchAgents/com.sun.update

Sent the .sunupdate binary to virustotal: DrWeb= BackDoor.Flashback.39 NOD32=a variant of OSX/Flashback.K all others came up blank

The domain resolves to: 91.233.244.102

Whois Results For:

VXVHWCIXCXQXD.COM

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered

with many different competing registrars. Go to http://www.internic.net

for detailed information.

Domain Name: VXVHWCIXCXQXD.COM

Registrar: DOMAINCONTEXT, INC.

Whois Server: whois.domaincontext.com

Referral URL: http://www.domaincontext.com

Name Server: DNS1.WEBDRIVE.RU

Name Server: DNS2.WEBDRIVE.RU

Status: clientTransferProhibited

Updated Date: 03-apr-2012

Creation Date: 03-apr-2012

Expiration Date: 03-apr-2013

>>> Last update of whois database: Tue, 03 Apr 2012 23:10:48 UTC <<<

Running Snow Leopard but I cant give any more details on the infected machine at this time as it was discovered just prior to closing time and it is at work and I am not.

I have a capture of the binary and the plist file.

Apple just released Java update

Java for OS X 2012-001 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_31.

Run your "Software Update"

Risko wrote:

Apple just released Java update

Java for OS X 2012-001 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_31.

Run your "Software Update"

Too bad Apple arrogantly continues to ignore all those users who don't use SL 10.6.8. That updater won't even show up in Software Update on earlier systems (well, 10.6.5 at least). And if you download it it checks there and won't update as well.

Oh well. Not that I didn't expect it. I have Java shut off anyhow.

I am constantly getting this message from Little Snitch: .null wants to connect to vxvhwcixcxqxd.com

I opened my LaunchAgents folder and have a file titled null.plist.

Am I infected and if so what can I do? Also, my kids use this computer and may have allowed a connection...what info could have been compromised?

Twist1 wrote:

I am constantly getting this message from Little Snitch: .null wants to connect to vxvhwcixcxqxd.com

You are definitely infected. Here's what the majority of us recommend...

Courtesy of Linc Davis:

You installed a variant of what’s commonly called the “Flashback” malware, although the name is obsolete.

If you’re absolutely sure you know when that happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.

How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.

If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. I suggest you take the following steps immediately:

1. Back up all data to at least two different devices, if you haven't already done so.

2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup drive. This action will destroy all data on the drive, so you must be sure of your backups.

3. Install the Mac OS.

4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.

5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.

6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not folders, and only if they’re visible in the Finder, and then only if you’re absolutely sure you know what they are and they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.

7. Launch Safari and select Safari ▹ Preferences… ▹ Security from the menu bar. Uncheck the box labeled Enable Java. Because of recurring security issues, the Java web plugin must be considered unsafe to use. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) Very few websites have legitimate Java content nowadays. If you encounter one that does, and you think you can trust it, enable Java temporarily. Do this only if you know how to check for a malware infection immediately afterwards. If you’re not sure whether you know how to check, you don’t know how. Don’t rely on any kind of “anti-virus” software for protection.

8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.

9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.

10. If you use any third-party web browsers, disable Java in their preferences, as you did with Safari in step 7.

And lastly, if you really need to have Java, run Software Update to obtain today's update that will reduce the chance of this happening again in the future and allow you to use Java again for the time being.

I also got that same message from Little Snitch: ".null wants to connect to vxvhwcixcxqxd.com". Since then I've turned off all Java, did the latest software update, and blocked any communication to that using Little Snitch.

I found a null.plist file in my LaunchAgents folder and a .null file in my home folder, both with the same date and time of March 28.

Can I just delete these files? Will that even do anything? Or should I go throught the full steps of reinstalling everything.

Leezy28 wrote:

I also got that same message from Little Snitch: ".null wants to connect to vxvhwcixcxqxd.com". Since then I've turned off all Java, did the latest software update, and blocked any communication to that using Little Snitch.

Turning off and updating Java is like closing the barn door after the horse has escaped. Whatever damage that the Java vulnerability caused is already done. Little Snitch should prevent any further damage, if we believe what we are being told about the mechanism of installation here.

I found a null.plist file in my LaunchAgents folder and a .null file in my home folder, both with the same date and time of March 28.

Can I just delete these files? Will that even do anything? Or should I go throught the full steps of reinstalling everything.

Only you can decide based on the infomation available.

F-Secure says here that you can remove everything by following their instructions. That assumes they know everything there is to know about it and this is what you have. I'll take that one step further and say that if you are absolutely sure that you stopped it from contacting that server, then you are not yet infected. All you have is the Trojan Downloader running on your Mac, attempting to download and install the actual Trojan in one of two ways. So if you feel confident that F-Secure is right and you are sure you blocked installation, then follow the steps outlined in F-Secure's document to unload the launch agent and delete those two files. It couldn't hurt to check that those other files didn't get installed somehow. Oh, and one more bit of information from Dr. Web is that had it progressed to the installation phase, it would have detected Little Snitch and destroyed itself at tht time without doing the install. The fact that you and many others in this thread caught it early is probably a bug that will be fixed in the next variant.

OTOH, Intego (the competition) cautions here against following such instructions. And clearly the most conservative approach is to restore from a TimeMachine backup to before the time on March 28th that you encountered the downloader and if you can't do that follow Linc's instructions. But if that will cause you to lose data that you can't live without, then you may want to just cross your fingers and do it the easy way.

Hope that helps.

If you had been fully infected by this thing as most have in previous versions, I would be much stronger in recommending reinstallationl and changing passwords.

So, what is the vxvhwcixcxqxd.com?

Every now and then LS pops up an asks me to

Allow or deny access to vxvhwcixcxqxd

What shall I do?

"Forever Deny".

Then follow the advice given in multiple entries above.

paddlesource wrote:

I just got a Little Snitch notice re: .rserv trying to connect to cuojshtbohnt.com.

Probably Little Snitch installed not in root. Do you have directory /Library/Little Snitch ?

And, I do recall getting one the other day with something trying to connect to gangstasparadise.rr.nu. Looking at my firefox history, it appears that I was sent there while visiting the D-Link website at the exact time that .rserv was created (Mar 30 13:01). History shows these 3 entries at that time:

http://www.dlink.com/products/?pid=71

http://www4.firstmn-army.com/?8800f2x=XK2ZlKNnsJicmN%2Fnqptfh%2Bbh5XVoYWiblayZm9 ispJE%3D

http://gangstasparadise.rr.nu/13f/?said=5826&ref=http://www.dlink.com/products/? pid=71

Hopefully this is helpful in troubleshooting.

Definitely firstmn-army.com redirects to gangstasparadise.rr.nu, but can't understand how it relates to dlink.com.

lytic wrote: Probably Little Snitch installed not in root. Do you have directory /Library/Little Snitch ?

I don't think LS gets installed other than in root, i.e. system wide.

After a little search I found that .flserv was trying to connect to vXvhWcIxCxqXd.com

I blocked it with little snitch and did a little search using your tips:

Doing a : ls -lA ~/Library/LaunchAgents/

The process at cause here is com.adobe.flp.plist

Doing a : defaults read ~/Library/LaunchAgents/com.adobe.flp.plist

It gives :
{

Label = "com.adobe.flp";

ProgramArguments = (

"/Users/my_name/.flserv"

);

RunAtLoad = 1;

StandardErrorPath = "/dev/null";

StandardOutPath = "/dev/null";

StartInterval = 4212;

}

The process is located at "Users/you_user_name/.flserv"
You should be able to see it using : ls -lisa in the console

Mine got created on the 29th of March.
looking at my web history this seems to have been the result of visiting torrent search-engines (sumotorrent & scrapetorrent)

From the code available on the com.adobe.flp.plist I seem to understand that the code is trying to launch on startup (i.e. RunAtLoad=1);

I therefore assume that if you do not reboot your computer there should be no reson for the process to be launched.

I've tried to open the .flserv file in vim but it doesnt give us much info on what it is doing or trying to do.

so was this just a loader to download a trojan (not infected -- yet) or ".flserv" is the trojan and it was trying to send off some data to a server ?

tadanm256 wrote:

I therefore assume that if you do not reboot your computer there should be no reson for the process to be launched.

Incorrect. The process is launched every 4212 seconds by launchd. Peruse the thread, I explained it in an earlier post.