Possible Infection on Work Network

Hello Bleeping Computer.

 

 

I come to you today for assistance with something I have been learning about for the past week. This malware/attack has been very exhausting, and hard to explain to coworkers. I really just want to get this fixed so I can protect my company's data, and get back to work on the things expected of me.

 

On January 27, I noticed the "Modified Date" change on some files I see regularly, and are related to my personal settings and files on my work computer. I looked a little deeper, to see what could have happened. Somehow file history was turned off.

 

The first thing I did then was to take a look at the running tasks, and services, as well as scheduled tasks. I saw a Svchosts.exe process taking up 400mb of ram, and I am one of those who tries to be aware of the status of his computer's daily operations. This one Svchosts.exe service was tied into about 12 different services, all on a "NetSvcs" user group. Services such as LanmanServer, Remote Access Manager, IPSec Policy Manager, etc. These were all part of the same service which didn't seem right to me. I feel like remote desktop runs independent of the services that active directory runs on?

 

Anyways immediately weird things started happening when I disabled remote desktop connection, and closed/disabled all of the services that I felt were out of the ordinary. This triggered the virus to completely hijack my computer, and events started happening before my eyes:

 

-Mouse input going in and out

-Screen going black for 10-15 seconds

-Windows Defender disabled, and then re-enabled itself.

-Remote desktop was turned back on

-There was a VHD made using something called "Shadow Copy", and since then am now unable to make my own virtual disks

-My entire drive was encrypted with BitDefender, and then replaced with what seems like a highly modified system.

-Office 365 uninstalled, and Office 2015 was installed - This caused me to not be able to use my email

 

Amid the tensions of coworkers needing me to be able to use my computer to get work done, I attempted to refresh my system by booting up a  windows XP PE boot disk, and used a tool to wipe and reformat my drive. I then used same session to burn a fresh windows 10 1709 install disk directly from my.visualstudio.com

 

Attempting to install this disk resulted in a crash, and when my machine rebooted, there was  BIOS password set. Luckily my Lenovo H50-50 has CMOS clear jumpers, and I removed the CMOS battery and moved the jumpers to let the memory die out. I let the cmos sit for about 3 hours to discharge, and came back to no BIOS pass, and the ability to boot my install disk.

 

The install disk did not work, however I was able to run the setup from my Windows Xp PE disk as a mounted drive. Install success!

 

I was virus-free (i thought) for about 30 minutes. Then all of a sudden the same processes and services, and strange behaviour started again. This lead me to go into a research frenzy and ultimately here where I will lay my burden out to you guys, and hope someone smarter than me knows what to do.

 

 

I have used every anti-malware, anti-virus, anti-ransomware and utility I can find on the internet and have not detected a single thing. However I can look in the Windows Event Center, and see multiple things that should have tipped off Malwarebytes, or our managed VIPRE antivirus. I am assuming this virus/kit is bundled with a crap ton of anti-anti-virus. I mean some of my files were saying they were created in 1969, or 2099...

 

To make matters worse, the third day (Jan31), I noticed the same tasks and processes appearing on my home personal laptop. This one is an HP ENVY (will retrieve model later) that I purchased in December 2016. After wiping the partition, I attempted to use HP Recovery, but was sadly mistaken in that prospect... HP Recovery started popping up some extra CMD windows, as well as the standard FBI Audit tool. It is now stuck in a boot loop, no longer loading the FBI tool (file based installer) but there is a CMD window that keeps popping up saying "System cannot find the drive specified", and prints this log about 10-15 times then prints "Access Denied" before restarting. There is also a new BIOS password on this machine as well, which HP is going to be helping me get reset.

 

The only thing that could have caused this, is plugging my android device into both my work PC and home PC to charge. I have noticed strange files in my Android device, which immediately caused me to go purchase a new one that does not get plugged into any type of computer.

 

Upon deeply inspecting my file system to attempt to trace down where I am connecting to, I searched a string in one of the virus-created files, which led me to this IP: 196.0.4.20

 

This also resulted in me finding a bunch of files I been seeing on my computers: ftp://196.0.4.20/

Location: Uganda
(Backing this FTP site up as we speak)

 

I know that most of the versions on my computers are encrypted, but this FTP address may be able to explain to us more about this virus. From what I am looking at, this is something that took a LOT of time to prepare. It is smart - it adapts to new environments and laterally migrates.

 

Not only that - I believe the virus knows what I am doing. I believe there may be a person actively monitoring me, but I have been non-stop trying to figure this out and doubt someone spent as much time watching me as I been going through these files. Things like Start menu no longer opening - when I would use this to easily launch CMD or powershell to disable parts of the virus as needed to research.

 

Payload has been coming from here:  URL:

 

Payload is masking as a onedrive installer.

 

I found this analysis of the file (found on both my PCs at 2 different locations): https://www.hybrid-analysis.com/sample/77853169f32426f38bd74a7cd82aef1dc165779898160af9c8d6a7c4b39450a3?environmentId=100

 

See my attached FRST data as well.

 

I've also attached Inbound Rules.txt to show a log of the rules that were set in my firewall as soon as I disabled port 443 (was the only rule when I made it 5 seconds before what is in the log showed up).

 

Another to note is that here: C:\ProgramData\Malwarebytes\MB3Service\lkg_db  there is an exceptions.txt file for MalwareBytes. In the GUI, no exceptions are shown, but this file contains some kind of BASE64 encoded text that fills up the file. I know this directory isnt where MBAM installed its appdata. I believe everything in my C/ProgramData  folder to be impersonations.

 

My theory of how I am being infected:

-We are running small business server 2008 as our domain controller. Our IT management guy has been slacking in updates, and updates have been failing for a year now.

-We recently opened up the RDP port so a user could work from home last week due to medical issues.

-Our password is the same to all our computers, and is not very secure. (changed now)

-We are using a very old firebox

-I am an construction estimator and hobbyist .NET coder, not an IT professional

 

 

What do I do? How do you get rid of a virus that is not yet known?

Edited by warebehr, 08 February 2018 - 02:46 PM.

Day 2 since the report:

 

-Start menu works sometimes but not every logged-in session

-Found always-open Teamviewer running on domain controller server with unattended access set up. This is a custom client with a "Take Control" rebranding

 

 

 

-Found newly added "Malwarebytes Anti Malware (portable)" folder with a data.conf file.  I believe this to be downloaded from the IP mentioned in the OP. It is showing as modified about 30 minutes before the time of this report. I have never downloaded a portable version of MBAM.

 

VT: https://www.virustotal.com/#/file/382d38728748ac3fcb534dda9f1c14eb46d0b50520e02742bf065ffd3cb52747/detection

 

 

-While attempting to troubleshoot Updates, I keep getting stuck on this screen (2 hours so far):

 

Edited by warebehr, 08 February 2018 - 05:13 PM.

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/670215 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

• If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  
• A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
  
  • Please do this even if you have previously posted logs for us.
  • If you were unable to produce the logs originally please try once more.
  • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
  • If you are unsure about any of these characteristics just post what you can and we will guide you.
• Please tell us if you have your original Windows CD/DVD available.
  
• Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

• Download FRST by Farbar from the following link if you no longer have it available and save it to your destop.
  
  FRST Download Link
  
  
• When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
• Double click on the FRST icon and allow it to run.
• Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
• Notepad will open with the results.
• Post the new logs as explained in the prep guide.
• Close the program window, and delete the program from your desktop.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

Greetings warebehr and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

• First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
• Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
• Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
• Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
• If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
• When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
• I would like to remind you to make no further changes to your computer unless I direct you to do so.

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Please run a FRST scan and copy/paste both reports in your reply.

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.

• Do you still need help with this?
• If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.