Infected with a virus I can not identify

7 replies to this topic

#1 Ian Dubbelboer

Posted 19 July 2015 - 04:59 PM

Last night I had 3 systems (1 server (Server 2008 R2) and 2 workstations (Windows 7)) infected by a virus.

 

Someone managed to obtain the LogMeIn credentials of an employee, connect to these three systems and run something, though I cannot tell what.

 

Whatever it was modified every EXE on the 3 systems, various services have been activated, and Windows Update has been disabled. If I manually start Windows Update (after setting it back to Automatic (Delayed Start)) it is shut down and disabled once again, probably by the code in the EXEs that have been modified.

 

Any EXE that has been modified that gets loaded into memory takes up 100% of the processor time for its core. Again, probably because it is actively doing something with the modified EXE.

 

Uploading infected files to VirusTotal never comes up with the same result twice. I suspect because heuristic scanners are detecting there is something wrong with the file but cannot decide what. (Random vendors return heuristic results too.)

 

Detection results are constantly low with only 3 or 4 results for a particular file scanned.

 

Malwarebytes finds something wrong with systray (32 and 64) but nothing else; TDSSKiller finds lots to object to in the way of modified files that no longer match their signatures. RKill the same.

 

So I think I basically have a poorly designed virus that is good enough to avoid virus detection in most cases, but is dumb enough that a human can spot something wrong instantly.

 

The server is likely getting a restore from an uninfected backup, but I would still like to take a crack at repairing the other workstations.


Edited by Chris Cosgrove, 19 July 2015 - 05:20 PM.
Moved from Win 7 to 'Am I infected?'



#2 TinoNgombo

Posted 19 July 2015 - 05:45 PM

Hello Ian :)

 

I suggest still trying other anti-virus software, namely avast! or ESET (the latter would be preferable, since it is more efficient and does not strain disk usage).

 



#3 Sintharius

Posted 19 July 2015 - 05:48 PM

Hello,

Is it possible for you to post the result link from one of the VirusTotal scans here?

#4 Ian Dubbelboer

Posted 19 July 2015 - 07:13 PM

Here are a few scans. One thing I did notice is that all infected files have their icon changed to have a security lock placed on the file icon, just like you would see on a folder your account does not have access to.

 

Scan of iexplorer.exe

https://www.virustotal.com/en/file/e7d487cbd50f7f4b394de2b6a2015175443a3213bf229d3ca9b055b0dc5eda15/analysis/

 

Scan of ITunes.exe

https://www.virustotal.com/en/file/d22b4e9c301535502a5e14210052aeb68ebb696a3d9acfa0f76c1b12c0eae5c7/analysis/

 

Scan of DLLhost.exe

https://www.virustotal.com/en/file/45c93ece1beb5abdd35c65b9121b1f5d018bfb205fe8083f20f13358c37790e1/analysis/1437350819/

 

Scan of Svchost.exe.

https://www.virustotal.com/en/file/e6a7828cd63b93775a77cc23a5db4b89dc6890cc4b577a93196052913b92343d/analysis/1437351019/



#5 Ian Dubbelboer

Posted 19 July 2015 - 07:51 PM

Avast is seeing a bunch of MalOB-FE [Cryp] and Evo-gen [Susp], not that it wants to do more than quarantine them.

 

Oddly enough, on this system (Windows 7) Explorer.exe has been modified and is not working quite correctly anymore.

 

The date fields show 07/19/2015/yyyy anywhere they should be showing a date.



#6 Ian Dubbelboer

Posted 19 July 2015 - 09:24 PM

ESET sees it as a variant of Win32/Expiro.CG; also no solution for repairing the infected files, just delete and quarantine.

 

Tried AVG's remover for Win32/Expiro; it failed.

 

No system restore points available.



#7 Ian Dubbelboer

Posted 19 July 2015 - 10:58 PM

Part of the virus is zinst_.exe. I finished the server restore and compared some file creation dates based on when they were created. This file was found in an existing temp folder on C:; on one of the Win7 workstations it was found in a different existing temp folder.

 

zinst_.exe was present on the infected system but not the restore.

 

Unfortunately I think this is part of an installer, not the actual virus.

 

This is the VirusTotal scan on it:

 

https://www.virustotal.com/en/file/5f54c04a723a87019ae222a9835b58467e8b54873b300309ba8f5c487c45884b/analysis/
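
The comparison described in this post, a restored backup checked against the infected machine, automated as an added example (not code from the thread or from any tool mentioned in it): it hashes every .exe/.scr/.dll under two roots and reports files present only on the suspect side or whose contents differ. The directory layout, file contents and the temp-folder dropper name in demo() are constructed to mirror the thread, not real samples.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digests(root: Path, suffixes=(".exe", ".scr", ".dll")) -> dict:
    """Map each executable's path (relative, lower-cased) under root to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in suffixes:
                digests[p.relative_to(root).as_posix().lower()] = sha256_of(p)
    return digests

def diff_trees(clean_root, suspect_root) -> dict:
    """Files only on the suspect tree ('added') and files whose content changed ('modified')."""
    clean, suspect = tree_digests(Path(clean_root)), tree_digests(Path(suspect_root))
    added = sorted(set(suspect) - set(clean))
    modified = sorted(k for k in clean.keys() & suspect.keys() if clean[k] != suspect[k])
    return {"added": added, "modified": modified}

def demo() -> dict:
    """Constructed stand-in for the restore and the infected workstation (not real files)."""
    base = Path(tempfile.mkdtemp())
    originals = {"windows/system32/svchost.exe": b"MZ clean svchost",
                 "windows/explorer.exe": b"MZ clean explorer",
                 "windows/system32/kernel32.dll": b"MZ clean dll"}
    for side in ("restore", "infected"):
        for rel, data in originals.items():
            p = base / side / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    inf = base / "infected"
    # Simulate a file infector: original bytes kept, extra code appended.
    (inf / "windows/system32/svchost.exe").write_bytes(b"MZ clean svchost" + b"VIRAL")
    (inf / "windows/explorer.exe").write_bytes(b"MZ clean explorer" + b"VIRAL")
    # Simulate the dropper left behind in a temp folder (zinst_.exe, as in the thread).
    (inf / "temp").mkdir()
    (inf / "temp/zinst_.exe").write_bytes(b"MZ dropper")
    return diff_trees(base / "restore", inf)
```

Content hashes are a stronger signal than the creation dates compared in the post, since a timestamp can stay unchanged on a file whose bytes were altered; the "modified" list is what TDSSKiller's signature-mismatch findings amount to, and the "added" list is where a dropper like zinst_.exe shows up.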



#8 Sintharius

Posted 20 July 2015 - 12:56 AM

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Expiro, a dangerous polymorphic file infector with IRCBot functionality which infects .exe and .scr files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? Expiro can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). It also creates non-functional files that are corrupted beyond repair and can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Expiro remains on a computer, the more critical system files will become infected and corrupt, so the degree of damage can vary.

Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Since Expiro is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files (which could number in the thousands) cannot be deleted and anti-malware scanners cannot disinfect them properly. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
Reimaging the system
Restoring the entire system using a full system backup from before the backdoor infection
Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Expiro (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Since you already mentioned that there are backups available, I recommend that you just restore from them instead of trying to clean the affected machines, as it is pointless. And be sure to change all your passwords, both because the machines were compromised and because you mentioned the breach happened via LogMeIn.

Regards,
Alex

Edited by Alexstrasza, 20 July 2015 - 12:57 AM.




