
PowerShell Virus



#1 looselyrigorous
Posted 11 August 2016 - 04:32 AM

Hello,

 
About ~3 months ago we had an infection in our office. I wasn't there when it happened but from what I can tell someone plugged their USB stick in more than one(!!!) of the computers, and opened a bunch of files maybe. I could take a somewhat educated guess and say it was some MSOffice file with a macro in it but I could be wrong. The machines at that time had Windows 7 installed on them. I used MBAM/RogueKiller/HitmanPro to detect viruses, came up with a bunch and cleaned them up. I sadly don't have any logs from that point in time since it seemed that everything was clean, after repeated scans with the aforementioned utilities. I also did not install any other antivirus solution, but upgraded to Windows 10 which came bundled with MSE.
 
Now 6 days ago I decided to install Avast on the most severely affected computer and did a scan which checked out clean. After some time generally using the computer (to see how Avast impacted perf.) Avast pushed a notification window saying it prevented some kind of malicious runtime. It was classified as "BV:AndroDrp [Drp]" or something along those lines. I can't say for certain because Avast (in its infinite wisdom) decided this wasn't worth logging. At all. The referenced executable (as you might imagine) was PowerShell.
 
So I kinda panicked there seeing as I had to look for a ghost. Then today comes and I managed to shed some light on the problem (or so it seems). An initial search didn't yield anything as far as PowerShell logs are concerned but then I came across this, which prompted me to doodle around in the Event Viewer Application Logs. Navigating to "Application and Services Logs > Microsoft > Windows > PowerShell", I found a bunch of events under ID 4104: "Execute a remote command". The events detailed the "ScriptBlocks" that were being run. I took and reconstructed them. Mostly obfuscated variables and use of addition/concatenation to create another script and run it. Said script is some version of "Invoke-ReflectivePEInjection.ps1" from PowerSploit. It pulled the entire script and the arguments it passed to it from the Registry.
 
So far it doesn't seem like the "Virus" propagates through a local network. One of the Computers where the usb wasn't plugged in hasn't logged any PowerShell activity. Well, I can't rightly say I know what the virus even does so I can't say for sure.
 
And that's the extent of what I've figured out so far. I don't know what it does after that but if someone wants to have a look you can ask. I'm not sure if I should be posting any of this on the thread so I'll refrain from it until I'm told otherwise.
 
Any and all help is greatly appreciated. Thank you!
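The event-log walk described in the post above, as an added example that is not the poster's own script: it reads the 4104 script block events from the log he navigated to, rejoins blocks that were split across several events, and flags the traits he describes (Invoke-ReflectivePEInjection, a script or its arguments read from the registry, strings built at runtime and handed to Invoke-Expression). The indicator patterns and output folder are assumptions chosen for the example.

```powershell
# Added example, not from the original post: reassemble PowerShell script block
# events (ID 4104) from the log the poster used and flag blocks that show the
# traits he described (Invoke-ReflectivePEInjection, script/arguments read from
# the registry, concatenated strings handed to Invoke-Expression).
$LogName = 'Microsoft-Windows-PowerShell/Operational'
$Patterns = @(                        # assumed indicators; extend as needed
    'Invoke-ReflectivePEInjection',
    'Get-ItemProperty.*HK(LM|CU):',   # payload or arguments stored in the registry
    '\bIEX\b|Invoke-Expression'       # a string built at runtime, then executed
)
$regex = $Patterns -join '|'

# Filter on the event ID server-side; Where-Object over a full log is slow.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } -ErrorAction Stop

# Event 4104 data: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
# [3] ScriptBlockId, [4] Path. A long block is split over several events that
# share one ScriptBlockId, so join the fragments in order before matching.
$blocks = $events | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Number = [int]$p[0].Value
            Text   = [string]$p[2].Value
            Id     = [string]$p[3].Value
            Path   = [string]$p[4].Value
        }
    } | Group-Object Id | ForEach-Object {
        $parts = @($_.Group | Sort-Object Number)
        [pscustomobject]@{
            ScriptBlockId = $_.Name
            FirstSeen     = $parts[0].Time
            Path          = $parts[0].Path   # empty when the block ran from the command line
            Fragments     = $parts.Count
            Script        = -join $parts.Text
        }
    }

$hits = $blocks | Where-Object { $_.Script -match $regex }
$hits | Select-Object FirstSeen, ScriptBlockId, Path, Fragments | Format-Table -AutoSize

# Write each suspicious block to disk for offline review (or for a removal-log thread).
$out = Join-Path $env:USERPROFILE 'Desktop\ScriptBlocks'   # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null
foreach ($h in $hits) {
    Set-Content -Path (Join-Path $out "$($h.ScriptBlockId).ps1") -Value $h.Script -Encoding UTF8
}
```

Run it in an elevated PowerShell session so the Operational log is readable; the 4104 events only exist where script block logging was enabled (or the engine logged the block as suspicious on its own).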

#2 buddy215
Posted 11 August 2016 - 06:54 AM

Welcome to BC...

 

Suggest you start a new topic in the Malware Removal Forum for cleaning up the one personal computer. It may be a few days before some replies as that forum is presently very busy.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 looselyrigorous
Posted 12 August 2016 - 06:18 AM

Done