Kb3072633 - Detected As Clam.trojan.ransom-516


#1 jeremyl (Newbie, Members, 7 posts)

Posted 20 August 2015 - 04:45 AM

Hi Immunet

I have Windows 2008 R2 installed & every time I try to run Windows updates from my WSUS it gives the attached message.

I have now found out it is caused by "KB3072633", even when downloading via my WSUS server or downloading the update from the official website.

Is this normal, & should I disable Immunet 3.0 to install "KB3072633"?

(It is very weird, as all the other non-Exchange Windows 2008 R2 servers have installed it successfully & all have Immunet installed.)

Edited by jeremyl, 20 August 2015 - 05:10 AM.

#2 daphneg (Administrator, Administrators, 13 posts)

Posted 20 August 2015 - 05:39 PM

Hi there,

I was looking into this page: https://support.micr...okmark-fileinfo

Can you confirm if this is the file that's being downloaded?

Security update file name for all supported x64-based editions of Windows Server 2008 R2:
Windows6.1-KB3072633-x64.msu

File name: Windows6.1-KB3072633-x64.msu
SHA1 hash: 1BBEC5F5DC46C284E56A761279CA42E6F0D47B6D
SHA256 hash: 81DDD6679208F4B1DBDFBAAD745010E22BB91F3CD4A6DE2AB1991691A75AC644

Thanks,

Daphne



#3 jeremyl (Newbie, Members, 7 posts)

Posted 21 August 2015 - 01:46 AM

Hi Daphne

Yes, that is correct. I am using "Windows6.1-KB3072633-x64.msu" &, checking both the SHA1 & SHA256 hashes, they both match the file I downloaded.

There are currently two possibilities:

1. When I run "Windows6.1-KB3072633-x64.msu" it uses the cache from "C:\Windows\SoftwareDistribution" instead (collected from my WSUS server)

2. "Windows6.1-KB3072633-x64.msu" is getting detected as a false positive

I did run a scan with "KB890830", "Stinger" & "Immunet" on both our WSUS server + the server with the warning message, without any viruses found.

(I managed to install the other 12 updates by excluding "KB3072633" on that server.)

I am going to set up a virtual machine shortly to test both situations & will update this post :-)

========== Update 1 ==========

1. Installed Windows 2008 R2 Enterprise + SP1

2. Saved snapshot

3. Downloaded/installed "Windows6.1-KB3072633-x64.msu" from the Microsoft website

Everything worked fine (no virus warning message).

This leads me to believe that our WSUS server is infected or some sort of bad caching is occurring on our server :-(

I will now attempt to install the updates via our WSUS server, which could take a while as there are lots of updates.

Edited by jeremyl, 21 August 2015 - 06:55 AM.


#4 daphneg (Administrator, Administrators, 13 posts)

Posted 21 August 2015 - 07:26 PM

Thanks Jeremyl!

Checking on the backend, I found 2 SHA256s detected for Clam.Trojan.Ransom-516:

Filename: <random>.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.18915_none_0a449de508f01259_ole32.dll_e9dcc2e3
SHA256: 9a510f1e71ec3e73e1a6e04e92279b03f0208f6449953a10f6afc590313f7ff1
SHA-1: 74c169fe1ed643968e484524364edea63dcb68dc
MD5: e3eb94b45a2735d4559558b5899732e8

Filename: <random>.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.23118_none_0ad113b0220b316a_ole32.dll_e9dcc2e3
SHA256: 38d86c64dd4d5c37efef7b6926ce77489b44afd344c90a7ee0e516d5770d52c4
SHA-1: 1850fea2210ead6d4821e6fef077f961cee9a8a9
MD5: c0eacfb89f9f32705f5576d49cc32e9b

These SHA256s were not available in VirusTotal; however, if you search for the SHA1/MD5, VT will give you a clean file result but with a different SHA256.

I'm gonna try to set up a 2008R2 as well to do further testing.


#5 daphneg (Administrator, Administrators, 13 posts)

Posted 21 August 2015 - 10:13 PM

Testing:
1. Set up 2008R2 + SP1
2. Installed Immunet
3. Downloaded and installed "Windows6.1-KB3072633-x64.msu"

No detections.

Also, I searched for any files ending with:
.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.23118_none_0ad113b0220b316a_ole32.dll_e9dcc2e3

(which is the file that's getting detected based on the backend database). I found 2 on the same file path (C:\Windows\winsxs\Temp\PendingRenames). They have the same SHA1 and MD5 as the infected one but a different SHA256.

Filename: 87f1376059dcd00135000000d0067009.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.18915_none_0a449de508f01259_ole32.dll_e9dcc2e3 (n/a) - 2087424 bytes
MD5: e3eb94b45a2735d4559558b5899732e8
SHA-1: 74c169fe1ed643968e484524364edea63dcb68dc
SHA-256: 115e580ae948fb0394ce4af90f3bc6380fb347d405d900453a82bdf007991fc1

Filename: 6ae3566059dcd0013e000000d0067009.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.18915_none_0a449de508f01259_ole32.dll_e9dcc2e3 (n/a) - 2087424 bytes
MD5: e3eb94b45a2735d4559558b5899732e8
SHA-1: 74c169fe1ed643968e484524364edea63dcb68dc
SHA-256: 115e580ae948fb0394ce4af90f3bc6380fb347d405d900453a82bdf007991fc1

This SHA256 is clean in VT.

So I'd go with something going on in WSUS.
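An added PowerShell example (the editor's, not code from the thread or from Immunet) covering the two checks that posts #2/#3 and #5 describe: verify the downloaded .msu against the SHA-1/SHA-256 Microsoft publishes for the KB, then rehash the staged ole32.dll payloads under C:\Windows\winsxs\Temp\PendingRenames with MD5, SHA-1 and SHA-256 from one tool. It uses the .NET hash classes directly so it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2 (Get-FileHash needs PowerShell 4.0 or later). The download path is an assumption, reading WinSxS needs an elevated prompt, and the PendingRenames files only exist between the install and the reboot that commits it, so run the second part before rebooting. Identical bytes always give identical MD5, SHA-1 and SHA-256, so whenever one of the three digests disagrees between sources, rehashing locally and comparing all three is the step that rules out a transcription or database mix-up before anything is concluded about WSUS.

```powershell
# Added example (editor's, not from the thread). Run in an elevated prompt.
function Get-ThreeHashes {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Resolve to a full provider path: .NET does not share PowerShell's current directory.
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $algos = @{
        MD5    = [System.Security.Cryptography.MD5]::Create()
        SHA1   = [System.Security.Cryptography.SHA1]::Create()
        SHA256 = [System.Security.Cryptography.SHA256]::Create()
    }
    $result = New-Object PSObject -Property @{
        Path   = $full
        Length = (Get-Item -LiteralPath $full).Length
    }
    foreach ($name in 'MD5', 'SHA1', 'SHA256') {
        $stream = [System.IO.File]::OpenRead($full)
        try     { $bytes = $algos[$name].ComputeHash($stream) }
        finally { $stream.Close() }
        $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        $result | Add-Member -MemberType NoteProperty -Name $name -Value $hex
    }
    $result
}

# 1. Check the package against the values Microsoft publishes for the KB
#    (the SHA-1/SHA-256 quoted in post #2). String -eq is case-insensitive.
$expected = @{
    SHA1   = '1BBEC5F5DC46C284E56A761279CA42E6F0D47B6D'
    SHA256 = '81DDD6679208F4B1DBDFBAAD745010E22BB91F3CD4A6DE2AB1991691A75AC644'
}
$msu = 'C:\Temp\Windows6.1-KB3072633-x64.msu'   # assumed download location
$h = Get-ThreeHashes -Path $msu
foreach ($name in $expected.Keys) {
    $ok = $h.$name -eq $expected[$name]
    '{0,-6} {1}  {2}' -f $name, $h.$name, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# 2. Rehash the staged ole32.dll payloads named in the detection. Only the tail
#    of the file name is stable; the leading 32 hex characters vary per install,
#    and both the .18915 and .23118 file versions from post #4 are matched.
$pattern = '*.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.*_ole32.dll_e9dcc2e3'
Get-ChildItem -Path 'C:\Windows\winsxs\Temp\PendingRenames' -Filter $pattern -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ThreeHashes -Path $_.FullName } |
    Format-List Path, Length, MD5, SHA1, SHA256
```

The first loop prints OK or MISMATCH per published digest; the second lists every staged payload with all three digests side by side, so a pair of files that truly share MD5 and SHA-1 will also share SHA-256 when hashed here, and any entry that does not is the one to take to the vendor.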


#6 ritchie58 (Staff Member, Moderators, 1,794 posts, Location: Oil City, Pa. U.S.A.)

Posted 22 August 2015 - 03:40 AM

Hi guys, I've been following this topic with some interest. I just wanted to say that, speaking from years of experience of using Immunet Protect, it is "exceedingly rare" when a "legitimate" Microsoft Windows Update file gets quarantined, thankfully.

Cheers, Ritchie...


* Immunet Global Forum Moderator *


#7 jeremyl (Newbie, Members, 7 posts)

Posted 24 August 2015 - 12:29 AM

Thanks for testing it, daphneg :-)

I will try to decline/purge the "Windows 2008 R2 x64" update & re-import it into my WSUS.

I do find it weird how none of our other 20 servers had an issue installing it, so I'm guessing it either became corrupted or it's the Windows updates order which is screwy.

Leave it with me :-)

(Will attempt this & let you know :-) )


Edited by jeremyl, 24 August 2015 - 12:39 AM.


#8 jeremyl (Newbie, Members, 7 posts)

Posted 28 August 2015 - 03:22 AM

Hi Daphneg

No luck. I declined/removed the update from WSUS & re-imported it into WSUS.

On the server:

1. Ran all other Windows updates

2. Rebooted

(Only listed update is KB3072633)

3. Stopped WSUS service

4. Deleted "Software Distribution" folder

5. Started WSUS service

6. Ran "Windows6.1-KB3072633-x64.msu" (hash was previously checked & correct)

Towards the end of the installation Immunet detected the same virus, & on reboot it reverts the Windows updates.

Is there anything I can send you to help me debug this issue?

Thanks
Jeremy
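The cache reset and standalone reinstall from post #8, as an added PowerShell example (the editor's, not code from the thread or from Immunet). On a client the cache under C:\Windows\SoftwareDistribution is owned by the Windows Update service (wuauserv), and BITS keeps handles in it too, so both are stopped first; the folder is renamed rather than deleted so it can be restored. The package path is an assumption, the script must run in an elevated prompt, and the reboot is left to the operator because an AV quarantine at install time, as described in the post, is best observed before the pending operations are committed. Exit codes 0 and 3010 are wusa.exe's documented success values; anything else should be read against the CBS and WindowsUpdate logs named at the end.

```powershell
# Added example (editor's, not from the thread). Run in an elevated prompt.
$msu = 'C:\Temp\Windows6.1-KB3072633-x64.msu'   # assumed location of the already-verified package
$kb  = 'KB3072633'

# Nothing to do if the update is already present.
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    "$kb is already installed"
    return
}

# The client cache belongs to wuauserv; BITS holds open handles under it as well.
Stop-Service -Name wuauserv -Force
Stop-Service -Name bits -Force -ErrorAction SilentlyContinue

# Rename rather than delete so the old cache can be put back if needed.
$cache  = Join-Path $env:SystemRoot 'SoftwareDistribution'
$backup = 'SoftwareDistribution.old-' + (Get-Date -Format 'yyyyMMddHHmmss')
Rename-Item -Path $cache -NewName $backup

Start-Service -Name bits -ErrorAction SilentlyContinue
Start-Service -Name wuauserv

# Install the standalone package without the GUI and without an automatic reboot.
$wusa = Join-Path $env:SystemRoot 'System32\wusa.exe'
$p = Start-Process -FilePath $wusa -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru

switch ($p.ExitCode) {
    0       { "$kb installed" }
    3010    { "$kb installed; reboot required to commit the pending operations" }
    default {
        "wusa exited with $($p.ExitCode); check " +
        (Join-Path $env:SystemRoot 'Logs\CBS\CBS.log') + ' and ' +
        (Join-Path $env:SystemRoot 'WindowsUpdate.log')
    }
}
```

If the AV fires during the install, the quarantine event and the 3010 (or other) exit code will be adjacent in time, which is the evidence worth sending with the diagnostic report rather than the post-reboot rollback.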



#9 ritchie58 (Staff Member, Moderators, 1,794 posts, Location: Oil City, Pa. U.S.A.)

Posted 30 August 2015 - 02:44 AM

Hello Jeremy, you do have the option to directly send Support a Diagnostic Tool Report. Info on how to do that can be found at the included link to this FAQ topic. Also, since daphneg is involved, add ATTENTION: daphneg to the email header, along with all pertinent data & the support dump zip file. Best wishes, Ritchie... http://forum.immunet...tic-tool-report


* Immunet Global Forum Moderator *


#10 jeremyl (Newbie, Members, 7 posts)

Posted 31 August 2015 - 04:32 AM

Thanks Ritchie58 & daphneg, fixed now :D :lol:

I have worked out that the issue was actually caused by having Immunet 3.0 (v3.0.13.9411), which is out of date (August 2013), as my other servers had no issue installing the update but they were running a later version of Immunet 3.0 (v3.1.13.9666).

The solution was to download/upgrade Immunet from your website + reboot, then attempt to install KB3072633.

Normally I am used to seeing a notification in the system tray about a new Immunet version update; possibly this version did not have that feature/notification in it.

My plan is to use Spiceworks to check all my servers for out-dated Immunet 3.0.

Just another question: any idea how to auto-update the client rather than manually telling it to upgrade (talking about the scanner, not the definitions)?


Edited by jeremyl, 31 August 2015 - 06:43 AM.
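An added PowerShell example (the editor's, not code from the thread or from Immunet) for the fleet check post #10 plans: query each server for the installed Immunet build and flag anything below the 3.1.13.9666 build that installed the KB cleanly in the thread. It assumes PowerShell remoting is enabled on the servers, that Immunet registers under the standard Uninstall registry keys with a DisplayName containing "Immunet" and a dotted DisplayVersion, and that the server list sits in C:\Temp\servers.txt; all three are assumptions, and the minimum build comes from the post, not from any Immunet release note.

```powershell
# Added example (editor's, not from the thread). Needs WinRM on the targets.
$servers = Get-Content 'C:\Temp\servers.txt'   # assumed: one hostname per line
$minimum = [version]'3.1.13.9666'              # build that installed the KB cleanly (post #10)

# Runs on each server: read the Immunet entry from the 64-bit and 32-bit Uninstall keys.
# The DisplayName/DisplayVersion layout is an assumption about how Immunet registers itself.
$probe = {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Immunet*' } |
           Select-Object -First 1
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Version  = $(if ($hit) { $hit.DisplayVersion } else { $null })
    }
}

$report = Invoke-Command -ComputerName $servers -ScriptBlock $probe -ErrorAction Continue |
    Select-Object Computer, Version,
        @{ n = 'Status'; e = {
            if (-not $_.Version)                      { 'NOT INSTALLED' }
            elseif ([version]$_.Version -lt $minimum) { 'OUTDATED' }
            else                                      { 'OK' }
        } }

$report | Sort-Object Status, Computer | Format-Table -AutoSize
# Keep the exceptions for the ticket / Spiceworks import.
$report | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv 'C:\Temp\immunet-outdated.csv' -NoTypeInformation
```

Servers that fail the remoting call simply do not appear in the report, so compare the row count with the input list; a missing host is as much a finding as an OUTDATED one.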


#11 ritchie58 (Staff Member, Moderators, 1,794 posts, Location: Oil City, Pa. U.S.A.)

Posted 01 September 2015 - 03:00 AM

Hello again Jeremy. I know at times a person will sometimes not get a build update if the current publicly released build does not have some major overhaul to the detection engines or some other important changes. If it's just a minor debugging release, for instance, then you may not get that update automatically pushed to you.

 

Cheers, Ritchie...


* Immunet Global Forum Moderator *




