Hi. Please has anyone any answers to the following
Netstat run from command prompt tells me Avast is connecting to Jumpingcrab.com. I have this domain blocked by redirecting the request to my local host. What is jumpingcrab.com and why would Avast want to communicate with it?
Thanks.
jumpingcrab.com is being shared via Free DNS, a dynamic DNS domain sharing project where members can set up and administer their DNS entries on their own remote internet-connected systems in real time.
To create a free subdomain from any shared domain, you can visit the shared domain list.
For any DNS-related inquiries, questions, support, comments, or misuse, contact dnsadmin@afraid.org for a quick response.
Free DNS is serving 90,000+ domains, 3.7 million subdomains, and processing 2,000+ DNS queries per second.
Oh, oh, oh. What a mess! I’ve never seen such a bad example of an analysis. You guys need to read what’s been written by the OP and not make assumptions about what it might be.
The domain in the message is sendmsg.jumpingcrab.com, which is located in China with IP 60.10.1.118. Nothing to do with jumpingcrab.com, which has IP 70.39.97.226. Even a cursory Google search would have revealed that. But nobody appears to have bothered doing that.
The OP didn’t have a ‘bad firefox extension’ (shame on you for suggesting such a thing Essexboy), but a very sophisticated trojan installed which AVAST hasn’t yet been able to detect. It’s called Trojan.Upclicker and it hides its routines by linking them to a left mouse click. Since AV in general doesn’t monitor the mouse, its activities are likely to remain undetected.
Even in the highly unlikely event that this was the case, you don’t need a third party tool to remove a Firefox extension. It has its own tools for doing that.
You guys are supposed to be the experts and users rely on you to get it right.
I tell you, if you came to my company looking for a job, I wouldn’t even let you loose in the kitchen with a mop!
Yes, of course it’s disguised, but malware writers aren’t going to make it easy for you and the “sendmsg” aspect makes it look like it’s jumpingcrab sending a message using a Firefox. That’s why I said that you can’t apply the one-size-fits-all solution and have to treat every incident as a unique case.
Trust me, I know there is not a universal panacea for this; the malware, if it is not an extension, will then be hiding in the system either under a BHO or run key.
And how does the OP uninstall a hidden Firefox extension?