Strange Items in Hosts File and Netstat
I ran a netstat -a on a computer and there were a number of strange items:
Proto Local Address Foreign Address State
TCP netgym:epmap virusin:0 LISTENING
TCP netgym:microsoft-ds virusin:0 LISTENING
TCP netgym:netbios-ssn virusin:0 LISTENING
So I checked the hosts file and it's all mangled with weird stuff. Below is an exact copy of the hosts file minus about 100 more similar entries. Each address is truncated after 7 characters.
0.0.0.0 virusin
0.0.0.0 www.vir
0.0.0.0 project
0.0.0.0 www.pro
0.0.0.0 novirus
0.0.0.0 www.nov
0.0.0.0 www.ant
0.0.0.0 zeustra
0.0.0.0 www.zeu
0.0.0.0 www.mal
I didn't add any of these entries in hosts.
Anybody seen something like this before? Is this dangerous? Is there a way something redirecting to 0.0.0.0 could cause issues?
Edit: Additional info
I commented out the first line of the hosts file and now the foreign address my machine tries to go to is the third one down in the list: "project". Shouldn't all my services just go to localhost?
One of the possible things malware might do is modify your hosts file, just as you are witnessing.
0.0.0.0 isn't a valid IP address (it's used in most TCP/IP APIs to mean any address). However, setting an entry in the hosts file to 0.0.0.0 is a way to make that website unreachable.
It looks like what you've pasted is cut off at the edge, so I can't tell for sure, but I suspect malware. If you try to go to the above addresses, your browser will timeout. This could be an attempt to prevent you from going to websites to download malware removal tools, or find out more information about it.
A legitimate program that modifies the hosts file is going to leave comments in the file and identify itself, which honestly is extremely rare. So, I'd assume this is some type of malware causing this.
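Added illustration (editor's example, not code from the question or the answer above): a small Python script that parses a hosts file the way a resolver reads it and shows two things the thread touches on. First, why netstat -a (which resolves addresses to names unless you pass -n) prints a hosts name such as "virusin" in the Foreign Address column: a LISTENING socket has foreign address 0.0.0.0:0, and a reverse lookup of 0.0.0.0 returns the first name the hosts file lists for it, so commenting that line out makes the next uncommented name appear instead. Second, a check that flags names resolving to a sinkhole address (0.0.0.0, 127.0.0.1, ::1) that look like security sites. The sample hosts content is constructed to resemble the truncated entries in the question, and the keyword list is an assumption for illustration, not a definitive vendor list.

```python
"""Parse a hosts file, emulate forward/reverse lookups, flag sinkhole entries.

Editor's example, not code from the original post. SAMPLE_HOSTS is a
constructed sample modelled on the question (names cut at 7 characters as
there); SUSPICIOUS_FRAGMENTS is an assumed, illustrative keyword list.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample resembling the question's hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 virusin
0.0.0.0 www.vir
0.0.0.0 project
0.0.0.0 www.pro
0.0.0.0 novirus
0.0.0.0 www.nov
0.0.0.0 www.ant
0.0.0.0 zeustra
"""

# Addresses that make a name unreachable when used in hosts.
SINKHOLE_ADDRS = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}
# Names that legitimately point at loopback.
LEGIT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed fragments suggesting an AV / malware-research site (illustrative only).
SUSPICIOUS_FRAGMENTS = ("virus", "malware", "antivir", "zeus", "spyware", "trojan")

Entry = Tuple[str, str]  # (ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, name) pairs in file order; blank and commented lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, ignore it
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def forward_lookup(entries: List[Entry], name: str) -> Optional[str]:
    """Name -> first address listed for it (what a resolver returns for a hosts hit)."""
    for ip, n in entries:
        if n == name.lower():
            return ip
    return None


def reverse_lookup(entries: List[Entry], ip: str) -> Optional[str]:
    """Address -> first name listed for it.

    This is the lookup a name-resolving netstat performs on a socket's
    0.0.0.0 foreign address, which is why the first hosts name for 0.0.0.0
    shows up in its output."""
    for e_ip, name in entries:
        if e_ip == ip:
            return name
    return None


def sinkholed(entries: List[Entry]) -> List[Entry]:
    """All entries that make a non-local name unreachable."""
    return [(ip, n) for ip, n in entries
            if n not in LEGIT_NAMES and ipaddress.ip_address(ip) in SINKHOLE_ADDRS]


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Sinkholed names that look like security sites (assumed keyword match)."""
    return [(ip, n) for ip, n in sinkholed(entries)
            if any(frag in n for frag in SUSPICIOUS_FRAGMENTS)]


if __name__ == "__main__":
    ents = parse_hosts(SAMPLE_HOSTS)
    print("reverse 0.0.0.0 ->", reverse_lookup(ents, "0.0.0.0"))
    print("sinkholed:", len(sinkholed(ents)), "entries")
    for ip, name in suspicious_entries(ents):
        print("suspicious:", ip, name)
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) by replacing SAMPLE_HOSTS with the file's contents; on a clean machine sinkholed() returns nothing, and any hit for a name you did not add yourself deserves the same suspicion the answer above recommends.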