Malicious file that I cannot find anything about online


#1 Masejoer

Posted 25 February 2013 - 06:16 PM

Last night at exactly 11PM PST two servers started writing out a large number of IIS logs to HTTPERR. Logging in to the server, a hidden iexplorer.exe would run and consume one CPU core, generating the following errors:


2013-02-25 07:23:31 127.0.0.1 1907 127.0.0.1 80 HTTP/1.0 GET /MicrosoftUpdate/ShellEX/KB48342708/default.aspx?tmp=YWZmaW5pdHllbWFpbA== 400 - BadRequest –


This ONLY brings up three google results ("MicrosoftUpdate/ShellEX") from sophos.com.


This would create multiple 1MB log files per minute. After killing the hidden IE session, nothing additional would come back on its own. I found in the Run registry key there was a string value named "mcupdate" that called c:\windows\system32\update.exe, a 40960 byte file. Running this file would make iexplorer.exe open back up hidden and begin throwing errors once more. The date modified and create dates on both servers are from November 2011. Since nothing we have could detect update.exe as malicious, I submitted it to multiple online sites and none come back saying that the file is malicious. I can see in Process Monitor that it appears to be as the program then run tries to


With Sophos installed (since they appeared to know something about the malware) and the file run in a virtual environment (it doesn't actually launch IE and generate errors here), Process Monitor shows update.exe writing to C:\Program Files\Sophos\Sophos Anti-Virus\SOPHOS_DETOURED.DLL. It did not do anything like this before Sophos was installed. It also ONCE tried to use permissions of "antimalwareenvi\user" but I have not seen those messages in subsequent logging in the VM. The Sophos virus removal tool cannot find anything running on one of the servers that the problem originated from. AVG, Comodo, Sophos, Malwarebytes, TDSSKiller, and HijackThis show no issues or files out of the ordinary. I cannot run RootkitRevealer since I cannot gain local console access. All the files being called by update.exe I have run through online scanners without any hits.


I CANNOT see any additional problems in any environment other than the IIS logs filling up the hard drive, then IE running due to this file. I'd like to find out what it is I'm dealing with but I do not know how to proceed from here. Which security company is the best/easiest to submit the file through? Any help would be greatly appreciated!
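As an added example that is not part of the original post, here is a small Python triage script for the HTTPERR pattern described above: it scans HTTP.sys error-log lines for loopback-to-loopback 400 BadRequest entries under /MicrosoftUpdate/ShellEX/, base64-decodes the tmp query value and counts hits per minute. The sample log inside it is constructed, with the first two entries modelled on the line quoted in the post.

```python
import base64
import binascii
import ipaddress
from collections import Counter
from urllib.parse import parse_qs, urlsplit
# Column order of an HTTP.sys HTTPERR log line (its "#Fields:" directive).
FIELDS = ("date", "time", "c_ip", "c_port", "s_ip", "s_port", "cs_version",
          "cs_method", "cs_uri", "sc_status", "s_siteid", "s_reason", "s_queuename")

# Constructed sample log: two lines modelled on the entry in the post plus two benign ones.
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2013-02-25 07:23:31 127.0.0.1 1907 127.0.0.1 80 HTTP/1.0 GET /MicrosoftUpdate/ShellEX/KB48342708/default.aspx?tmp=YWZmaW5pdHllbWFpbA== 400 - BadRequest -
2013-02-25 07:23:32 127.0.0.1 1908 127.0.0.1 80 HTTP/1.0 GET /MicrosoftUpdate/ShellEX/KB48342708/default.aspx?tmp=YWZmaW5pdHllbWFpbA== 400 - BadRequest -
2013-02-25 07:23:40 10.0.0.5 51000 10.0.0.1 80 HTTP/1.1 GET /index.html 400 - BadRequest -
2013-02-25 07:24:02 - - - - - - - - - Timer_ConnectionIdle -
"""

def parse_httperr(text):
    """Yield one dict per data line; '#' directives and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(" ")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def is_loopback(field):
    # "-" (no address logged) or garbage counts as not loopback rather than raising.
    try:
        return ipaddress.ip_address(field).is_loopback
    except ValueError:
        return False

def decode_tmp(uri):
    """Base64-decode the 'tmp' query value seen in the post, or None if absent/invalid."""
    raw = parse_qs(urlsplit(uri).query).get("tmp", [None])[0]
    try:
        return base64.b64decode(raw, validate=True).decode("ascii")
    except (TypeError, binascii.Error, UnicodeDecodeError):
        return None

def find_suspicious(text, path_prefix="/MicrosoftUpdate/ShellEX/"):
    """Flag loopback-to-loopback 400s under path_prefix; also count hits per minute."""
    hits, per_minute = [], Counter()
    for rec in parse_httperr(text):
        if (is_loopback(rec["c_ip"]) and is_loopback(rec["s_ip"])
                and rec["sc_status"] == "400" and rec["cs_uri"].startswith(path_prefix)):
            rec["tmp_decoded"] = decode_tmp(rec["cs_uri"])
            hits.append(rec)
            per_minute[rec["time"][:5]] += 1   # key is "HH:MM"
    return hits, per_minute
```

Run `find_suspicious(open(path).read())` on a real HTTPERR file from %SystemRoot%\System32\LogFiles\HTTPERR to see which minutes carry the burst; a sustained count from 127.0.0.1 is the signature the post describes.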


