Kb3072633 - Detected As Clam.trojan.ransom-516

[jeremyl]

Hi Immunet

 

I have Windows 2008 R2 installed & every time I try to run windows updates from my WSUS it gives this message attached message.

 

I have now found out it is caused by "KB3072633" even downloading via my WSUS Server or downloading the update from the official website.

 

Is this normal & should I disable Immunet 3.0 to install "KB3072633" ?

 

(It is very weird as have all the other non-exchange Windows 2008 R2 servers have installed it successfully & all have Immunet installed)

[daphneg]

Hi there,

 

Was looking into this site: https://support.microsoft.com/en-us/kb/3072633#bookmark-fileinfo

 

Can you confirm if this is the file that's being downloaded? 

 

Security update file name For all supported x64-based editions of Windows Server 2008 R2:
Windows6.1-KB3072633-x64.msu

 

 

File name SHA1 hash SHA256 hash

 

Windows6.1-KB3072633-x64.msu 1BBEC5F5DC46C284E56A761279CA42E6F0D47B6D 81DDD6679208F4B1DBDFBAAD745010E22BB91F3CD4A6DE2AB1991691A75AC644

 

Thanks,

Daphne

[jeremyl]

Hi Daphne
 

Yes that is correct I am using "Windows6.1-KB3072633-x64.msu" & checking both the SHA1 & SHA256 hashes they both match the file I downloaded.

 

There are currently two possibles:-

 

1. When I run "Windows6.1-KB3072633-x64.msu" it uses the cache instead from "C:\Windows\SoftwareDistribution" (Collected from my WSUS Server)

 

2. "Windows6.1-KB3072633-x64.msu" is getting detected as a false positive

 

I did run a scan with "KB890830", "Stinger" & "Immunet" on both our WSUS Server + the server with the warning message without any viruses found.

 

(I managed to install the other 12 updates by excluding "KB3072633" on that server)

 

I am going to setup a virtual machine shortly to test both situations & will update this post :-)

 

 

==========Update 1=======================

 

1. Install Windows 2008 R2 Enterprise + SP1

2. Saved Snapshot

3. Downloaded/Installed "Windows6.1-KB3072633-x64.msu" from Microsoft Website

 

Everything Worked Fine (No Virus warning message)

 

This leads me to believe that our WSUS Server is infected or some sort of bad caching is occurring on our server :-(

I will now attempt to install the updates via our WSUS Server which could take a while as there are lots of updates

[daphneg]

Thanks Jeremyl!

 

Checking on the backend, found 2 SHA256 detected for Clam.Trojan.Ransom-516:

 

 

Filename: .amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.18915_none_0a449de508f01259_ole32.dll_e9dcc2e3

 

SHA256: 9a510f1e71ec3e73e1a6e04e92279b03f0208f6449953a10f6afc590313f7ff1

SHA-1: 74c169fe1ed643968e484524364edea63dcb68dc

MD5 e3eb94b45a2735d4559558b5899732e8

 

 

Filename: .amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.23118_none_0ad113b0220b316a_ole32.dll_e9dcc2e3

 

SHA256: 38d86c64dd4d5c37efef7b6926ce77489b44afd344c90a7ee0e516d5770d52c4

SHA-1: 1850fea2210ead6d4821e6fef077f961cee9a8a9

MD5: c0eacfb89f9f32705f5576d49cc32e9b

 

 

These SHA256 were not available in VirusTotal however if you search for SHA1/MD5, VT will give you a Clean file result but with different SHA256. 

 

I’m gonna try to setup a 2008R2 as well to do further testing.

[daphneg]

Testing:
1. Setup 2008R2 + SP1

2. Installed Immunet
3. Downloaded and installed "Windows6.1-KB3072633-x64.msu"

 

No detections. 

 

Also, I searched for any files ending with:
.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.23118_none_0ad113b0220b316a_ole32.dll_e9dcc2e3

 

(which is the file that's getting detected based on the backend database), I found 2 on the same file path (C:\Windows\winsxs\Temp\PendingRenames). They have the same SHA1 and MD5 as the infected one but with different SHA256.

 

Filename:    87f1376059dcd00135000000d0067009.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.18915_none_0a449de508f01259_ole32.dll_e9dcc2e3 (n/a) - 2087424 bytes

MD5    e3eb94b45a2735d4559558b5899732e8

SHA-1    74c169fe1ed643968e484524364edea63dcb68dc

SHA-256    115e580ae948fb0394ce4af90f3bc6380fb347d405d900453a82bdf007991fc1

 

 

Filename:   6ae3566059dcd0013e000000d0067009.amd64_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.18915_none_0a449de508f01259_ole32.dll_e9dcc2e3 (n/a) - 2087424 bytes

MD5    e3eb94b45a2735d4559558b5899732e8

SHA-1    74c169fe1ed643968e484524364edea63dcb68dc

SHA-256    115e580ae948fb0394ce4af90f3bc6380fb347d405d900453a82bdf007991fc1

 

This SHA256 is clean in VT.

 

So I'd go with something's going on in WSUS.

[ritchie58]

Hi guys, been following this topic with some interest. I just wanted to say that speaking from years of experience of using Immunet Protect it is "exceedingly rare" when a "legitimate" Microsoft Windows Update file gets quarantined thankfully.
 

Cheers, Ritchie...

[jeremyl]

Thanks for testing it daphneg :-)

 

I will try to decline/purge "Windows 2008 R2 x64" update & re-import it into my WSUS.

 

I do find it weird how none of our other 20 servers did not have an issue installing it so guessing it either became corrupted or it's windows updates order which is screwy.

 

Leave it will me :-)

(Will attempt this & let you know :-) )

[jeremyl]

Hi Daphneg 

 

No luck I declined/removed the update from WSUS & re-imported it into WSUS.

 

On the server:-

 

1. Ran all other windows updates

2. Rebooted

(Only listed update is KB3072633)

3. Stopped WSUS service

4. Deleted "Software Distribution" folder

5. Started WSUS Service

6. Ran "Windows6.1-KB3072633-x64.msu" (hash was previously checked & correct)

During the end of the installation Immunet detected the same virus & on reboot it reverts the windows updates.

 

Is there anything I can send you to help me debug this issue?

 

Thanks
Jeremy

[ritchie58]

Hello Jeremy, you do have the option to directly send Support a Diagnostic Tool Report. Info on how to do that can be found at the included link to this FAQ topic. Also, since daphneg is involved add ATTENTION: daphneg to the email header along with all pertinent data & the support dump zip file. Best wishes, Ritchie... http://forum.immunet.com/index.php?/topic/1672-how-do-i-submit-a-support-diagnostic-tool-report
 

[jeremyl]

Thanks Rithie58 & daphneg fixed now   

 

I have worked it out that the issue was actually caused by having Immunet 3.0 (v3.0.13.9411) which is out of date (August 2013) as my other servers had no issue installing the update but they were running a later version of immunet 3.0 (v3.1.13.9666).

 

The solution was to download/upgrade Immunet from your website + reboot then attempt to install KB3072633.

 

Normally I am use to seeing a notification in the system tray about a new Immunet version update possibly this version did not have that feature/notification in it.

 

My plan is to either using spiceworks to check all my servers for out-dated Immunet 3.0.

 

 

Just another question any idea how to auto-update the client rather than manually telling it to upgrade (Talking about the Scanner not the definitions)?

[ritchie58]

Hello again Jeremy, I know at times a person will sometimes not get a build update if the current public released build does not have some major overhall to the detection engines or some other important changes. If it's just a minor debugging release, for instance, then you may not get that update automatically pushed to you.

 

Cheers, Ritchie...