Last night at exactly 11PM PST two servers started writing out a large number of IIS logs to HTTPERR. Logging in to the server, a hidden iexplorer.exe would run and consume one CPU core, generating the following errors:
2013-02-25 07:23:31 127.0.0.1 1907 127.0.0.1 80 HTTP/1.0 GET /MicrosoftUpdate/ShellEX/KB48342708/default.aspx?tmp=YWZmaW5pdHllbWFpbA== 400 - BadRequest -
This ONLY brings up three Google results ("MicrosoftUpdate/ShellEX"), from sophos.com.
This would create multiple 1MB log files per minute. After killing the hidden IE session, nothing additional would come back on its own. I found in the Run registry key a string value named "mcupdate" that called c:\windows\system32\update.exe, a 40960 byte file. Running this file would make iexplorer.exe open back up hidden and begin throwing errors once more. The date modified and create dates on both servers are from November 2011. Since nothing we have could detect update.exe as malicious, I submitted it to multiple online sites and none come back saying that the file is malicious. I can see in Process Monitor that it appears to be, as the program then run tries to
With Sophos installed (since they appeared to know something about the malware) and the file run in a virtual environment (it doesn't actually launch IE and generate errors here), Process Monitor shows update.exe writing to C:\Program Files\Sophos\Sophos Anti-Virus\SOPHOS_DETOURED.DLL. It did not do anything like this before Sophos was installed. It also ONCE tried to use the permissions of "antimalwareenvi\user", but I have not seen those messages in subsequent logging in the VM. The Sophos virus removal tool cannot find anything running on one of the servers that the problem originated from. AVG, Comodo, Sophos, Malwarebytes, TDSSKiller, and HijackThis show no issues or files out of the ordinary. I cannot run RootkitRevealer since I cannot gain local console access. All the files being called by update.exe I have run through online scanners without any hits.
I CANNOT see any additional problems in any environment other than the IIS logs filling up the hard drive when IE runs due to this file. I'd like to find out what it is I'm dealing with, but I do not know how to proceed from here. Which security company is the best/easiest to submit the file to? Any help would be greatly appreciated!
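One way to triage HTTPERR logs like the ones in the question, as an added example that is not part of the original post: parse the HTTP API log format (the `#Fields:` layout the quoted line follows), count 400 BadRequest entries whose client address is the loopback interface (a local process hitting the server's own HTTP stack, which is the pattern described above), and decode base64-looking query values so the `tmp=` parameter can be read. The log lines below are constructed for the example; only the first mirrors the field layout of the line quoted in the post. The threshold of three hits and the helper names are the example's own choices.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample HTTPERR content (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 2.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2013-02-25 07:23:31 127.0.0.1 1907 127.0.0.1 80 HTTP/1.0 GET /MicrosoftUpdate/ShellEX/KB48342708/default.aspx?tmp=YWZmaW5pdHllbWFpbA== 400 - BadRequest -
2013-02-25 07:23:31 127.0.0.1 1908 127.0.0.1 80 HTTP/1.0 GET /MicrosoftUpdate/ShellEX/KB48342708/default.aspx?tmp=YWZmaW5pdHllbWFpbA== 400 - BadRequest -
2013-02-25 07:23:32 10.0.0.5 51522 10.0.0.10 80 HTTP/1.1 GET /index.html 400 - Verb -
2013-02-25 07:23:33 127.0.0.1 1909 127.0.0.1 80 HTTP/1.0 GET /MicrosoftUpdate/ShellEX/KB48342708/default.aspx?tmp=YWZmaW5pdHllbWFpbA== 400 - BadRequest -
"""

# Column names from the #Fields directive, in order.
FIELDS = ["date", "time", "c_ip", "c_port", "s_ip", "s_port", "cs_version",
          "cs_method", "cs_uri", "sc_status", "s_siteid", "s_reason", "s_queuename"]


def parse_httperr(text):
    """Return one dict per data line; '#' directive lines and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def try_base64(value):
    """Decode value if it is well-formed base64 of printable ASCII, else return None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def decode_query(uri):
    """Map each query parameter to its base64-decoded value where decoding succeeds.

    The query is split by hand rather than with parse_qs so that '+' characters,
    which are valid base64, are not turned into spaces."""
    out = {}
    query = urlsplit(uri).query
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        decoded = try_base64(value)
        out[key] = decoded if decoded is not None else value
    return out


def loopback_bad_request_paths(records, threshold=3):
    """Count 400 BadRequest hits from 127.0.0.1 per URI path; return paths at or above threshold."""
    counts = Counter()
    for r in records:
        if r["c_ip"] == "127.0.0.1" and r["sc_status"] == "400" and r["s_reason"] == "BadRequest":
            counts[urlsplit(r["cs_uri"]).path] += 1
    return {path: n for path, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_httperr(SAMPLE_LOG)
    for path, n in loopback_bad_request_paths(recs).items():
        print(f"{n} loopback BadRequest hits to {path}")
    # Shows the decoded tmp= parameter from the first record.
    print(decode_query(recs[0]["cs_uri"]))
```

Against a real HTTPERR directory the same functions can be fed each file's contents in turn; the useful signal is a loopback client address producing a burst of identical 400s, which a normal browser session does not generate.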