Hello Bleeping Computer.
I come to you today for assistance with something I have been learning about for the past week. This malware/attack has been very exhausting, and hard to explain to coworkers. I really just want to get this fixed so I can protect my company's data, and get back to work on the things expected of me.
On January 27, I noticed the "Modified Date" change on some files I see regularly, and are related to my personal settings and files on my work computer. I looked a little deeper, to see what could have happened. Somehow file history was turned off.
The first thing I did then was to take a look at the running tasks, and services, as well as scheduled tasks. I saw a Svchosts.exe process taking up 400mb of ram, and I am one of those who tries to be aware of the status of his computer's daily operations. This one Svchosts.exe service was tied into about 12 different services, all on a "NetSvcs" user group. Services such as LanmanServer, Remote Access Manager, IPSec Policy Manager, etc. These were all part of the same service which didn't seem right to me. I feel like remote desktop runs independent of the services that active directory runs on?
Anyways immediately weird things started happening when I disabled remote desktop connection, and closed/disabled all of the services that I felt were out of the ordinary. This triggered the virus to completely hijack my computer, and events started happening before my eyes:
-Mouse input going in and out
-Screen going black for 10-15 seconds
-Windows Defender disabled, and then re-enabled itself.
-Remote desktop was turned back on
-There was a VHD made using something called "Shadow Copy", and since then am now unable to make my own virtual disks
-My entire drive was encrypted with BitDefender, and then replaced with what seems like a highly modified system.
-Office 365 uninstalled, and Office 2015 was installed - This caused me to not be able to use my email
Amid the tensions of coworkers needing me to be able to use my computer to get work done, I attempted to refresh my system by booting up a windows XP PE boot disk, and used a tool to wipe and reformat my drive. I then used same session to burn a fresh windows 10 1709 install disk directly from my.visualstudio.com
Attempting to install this disk resulted in a crash, and when my machine rebooted, there was BIOS password set. Luckily my Lenovo H50-50 has CMOS clear jumpers, and I removed the CMOS battery and moved the jumpers to let the memory die out. I let the cmos sit for about 3 hours to discharge, and came back to no BIOS pass, and the ability to boot my install disk.
The install disk did not work, however I was able to run the setup from my Windows Xp PE disk as a mounted drive. Install success!
I was virus-free (i thought) for about 30 minutes. Then all of a sudden the same processes and services, and strange behaviour started again. This lead me to go into a research frenzy and ultimately here where I will lay my burden out to you guys, and hope someone smarter than me knows what to do.
I have used every anti-malware, anti-virus, anti-ransomware and utility I can find on the internet and have not detected a single thing. However I can look in the Windows Event Center, and see multiple things that should have tipped off Malwarebytes, or our managed VIPRE antivirus. I am assuming this virus/kit is bundled with a crap ton of anti-anti-virus. I mean some of my files were saying they were created in 1969, or 2099...
To make matters worse, the third day (Jan31), I noticed the same tasks and processes appearing on my home personal laptop. This one is an HP ENVY (will retrieve model later) that I purchased in December 2016. After wiping the partition, I attempted to use HP Recovery, but was sadly mistaken in that prospect... HP Recovery started popping up some extra CMD windows, as well as the standard FBI Audit tool. It is now stuck in a boot loop, no longer loading the FBI tool (file based installer) but there is a CMD window that keeps popping up saying "System cannot find the drive specified", and prints this log about 10-15 times then prints "Access Denied" before restarting. There is also a new BIOS password on this machine as well, which HP is going to be helping me get reset.
The only thing that could have caused this, is plugging my android device into both my work PC and home PC to charge. I have noticed strange files in my Android device, which immediately caused me to go purchase a new one that does not get plugged into any type of computer.
Upon deeply inspecting my file system to attempt to trace down where I am connecting to, I searched a string in one of the virus-created files, which led me to this IP: 196.0.4.20
This also resulted in me finding a bunch of files I been seeing on my computers: ftp://196.0.4.20/
Location: Uganda
(Backing this FTP site up as we speak)
I know that most of the versions on my computers are encrypted, but this FTP address may be able to explain to us more about this virus. From what I am looking at, this is something that took a LOT of time to prepare. It is smart - it adapts to new environments and laterally migrates.
Not only that - I believe the virus knows what I am doing. I believe there may be a person actively monitoring me, but I have been non-stop trying to figure this out and doubt someone spent as much time watching me as I been going through these files. Things like Start menu no longer opening - when I would use this to easily launch CMD or powershell to disable parts of the virus as needed to research.
Payload has been coming from here: URL:
Payload is masking as a onedrive installer.
I found this analysis of the file (found on both my PCs at 2 different locations): https://www.hybrid-analysis.com/sample/77853169f32426f38bd74a7cd82aef1dc165779898160af9c8d6a7c4b39450a3?environmentId=100
See my attached FRST data as well.
I've also attached Inbound Rules.txt to show a log of the rules that were set in my firewall as soon as I disabled port 443 (was the only rule when I made it 5 seconds before what is in the log showed up).
Another to note is that here: C:\ProgramData\Malwarebytes\MB3Service\lkg_db there is an exceptions.txt file for MalwareBytes. In the GUI, no exceptions are shown, but this file contains some kind of BASE64 encoded text that fills up the file. I know this directory isnt where MBAM installed its appdata. I believe everything in my C/ProgramData folder to be impersonations.
My theory of how I am being infected:
-We are running small business server 2008 as our domain controller. Our IT management guy has been slacking in updates, and updates have been failing for a year now.
-We recently opened up the RDP port so a user could work from home last week due to medical issues.
-Our password is the same to all our computers, and is not very secure. (changed now)
-We are using a very old firebox
-I am an construction estimator and hobbyist .NET coder, not an IT professional
What do I do? How do you get rid of a virus that is not yet known?
Attached Files
Edited by warebehr, 08 February 2018 - 02:46 PM.