HexaPro, March 14, 2019:
These .exe files keep showing up in C:\Windows on Windows Server 2008 R2 Datacenter even after manual deletion. I think it's a miner; it also creates .xml and .exe files in C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 and also in C:\Windows\Fonts\Mysql, which I can't access.
Guest Wookiee, March 14, 2019:
You can submit the files to us for review on immunet.com. If they are found to be malicious, we will write detection for them. If you can provide the SHAs of the files, I can look at them quicker, though not necessarily.
ritchie58, March 15, 2019:
With the directories being affected, it's very similar behavior to what a rootkit keylogger might exhibit.
ritchie58, March 18, 2019:
The problem with most rootkits is that they generally use some sort of advanced encryption method, which usually makes 'em hard to detect, let alone access & read. So it wouldn't surprise me if HexaPro was unable to submit any SHA256 or MD5 checksum(s)/hash tag(s). Besides Immunet, it never hurts to have an additional on-demand rootkit scanner at your disposal! Speaking of such... Malwarebytes has a new beta "CMD based on-demand rootkit scanner" available that looks rather promising. They're also looking for beta testers with (preferably) virtual test rigs, for anyone that's into that sort of thing. As with any beta software, please read the legal Disclaimer documentation carefully before use. Not 100% sure if it's compatible with Server 2008 R2, however. https://www.malwarebytes.com/antirootkit/
Jon79, March 18, 2019:
> On 3/14/2019 at 8:59 AM, HexaPro said: These .exe files keep showing up in C:\Windows on Windows Server 2008 R2 Datacenter even after manual deletion. I think it's a miner; it also creates .xml and .exe files in C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 and also in C:\Windows\Fonts\Mysql, which I can't access.
You can try to upload the two files on VirusTotal and check the results from different AVs: https://www.virustotal.com/#/home/upload
HexaPro, June 26, 2019:
> On 3/15/2019 at 2:02 AM, Wookiee said: You can submit the files to us for review on immunet.com. If they are found to be malicious, we will write detection for them. If you can provide the SHAs of the files, I can look at them quicker, though not necessarily.
Can you show me the link? I'll upload it right away.
> On 3/18/2019 at 12:11 PM, ritchie58 said: The problem with most rootkits is that they generally use some sort of advanced encryption method, which usually makes 'em hard to detect, let alone access & read. So it wouldn't surprise me if HexaPro was unable to submit any SHA256 or MD5 checksum(s)/hash tag(s). Besides Immunet, it never hurts to have an additional on-demand rootkit scanner at your disposal! Speaking of such... Malwarebytes has a new beta "CMD based on-demand rootkit scanner" available that looks rather promising. They're also looking for beta testers with (preferably) virtual test rigs, for anyone that's into that sort of thing. As with any beta software, please read the legal Disclaimer documentation carefully before use. Not 100% sure if it's compatible with Server 2008 R2, however. https://www.malwarebytes.com/antirootkit/
Thanks, I'll try it and I'll post the result later.
> On 3/18/2019 at 5:12 PM, Jon79 said: You can try to upload the two files on VirusTotal and check the results from different AVs: https://www.virustotal.com/#/home/upload
Thanks, I've uploaded it there and here's the result.

VirusTotal results (engine: detection name):
AhnLab-V3: Trojan/Win32.CoinMiner.R261580
ALYac: Trojan.GenericKD.41182456
Antiy-AVL: GrayWare/Win32.Generic
Arcabit: Trojan.Generic.D27464F8
Avast: Win32:Miner-AY [Trj]
AVG: Win32:Miner-AY [Trj]
BitDefender: Trojan.GenericKD.41182456
ClamAV: Win.Malware.Shadowbrokers-6958490-0
Comodo: TrojWare.Win32.CoinMiner.BT@82eh14
Cyren: W32/Malware.C.dam!Eldorado
DrWeb: Trojan.PWS.Panda.8062
Emsisoft: Trojan.GenericKD.41182456 (B)
ESET-NOD32: A Variant Of Win32/CoinMiner.BTO
F-Prot: W32/Malware.C.dam!Eldorado
FireEye: Trojan.GenericKD.41182456
Fortinet: W32/UpackDam.G
GData: Win32.Application.CoinMiner.BQ
Ikarus: Trojan.Dropper
Jiangmin: Trojan.Generic.cwgjj
K7AntiVirus: Riskware ( 00543ad11 )
K7GW: Riskware ( 00543ad11 )
Malwarebytes: Trojan.BitCoinMiner
MAX: Malware (ai Score=88)
MaxSecure: Trojan.Malware.0.susgen
McAfee: CoinMiner-FAN!A538EBA45167
McAfee-GW-Edition: CoinMiner-FAN!A538EBA45167
Microsoft: Trojan:Win32/Fuerboos.A!cl
NANO-Antivirus: Trojan.Win32.CoinMiner.fogvwd
Rising: Trojan.CoinMiner!1.B84E (RDM+:cmRtazpksEPKxCx6W8nX7nQ/GCox)
Sophos AV: Mal/EncPk-BW
Sophos ML: Heuristic
VBA32: BScope.Trojan.Miner
VIPRE: LooksLike.Win32.KryptPck!a (v)
Zillya: Trojan.Generic.Win32.704228
Undetected: Ad-Aware, AegisLab, Alibaba, Avast-Mobile, Babable, Baidu, CAT-QuickHeal, CMC, Cylance, eScan, F-Secure, Kaspersky, Kingsoft, Panda, Qihoo-360, SUPERAntiSpyware, TACHYON, Tencent, Trustlook, ViRobot, Yandex, ZoneAlarm by Check Point, Zoner
Timeout: Bkav, Endgame
Unable to process file type: Acronis, SecureAge APEX, CrowdStrike Falcon, Cybereason, eGambit, Palo Alto Networks, SentinelOne (Static ML), Symantec Mobile Insight, Trapmine, Webroot

Thank you all, and sorry for the late response. I thought I had successfully gotten rid of the virus, but apparently not. It's coming back again.
ritchie58, June 27, 2019:
Sorry to hear you still think you may be infected. The new site at immunet.com has no malware submission page, just one for False Positives. There is an email address that users could submit malware samples to, but to be honest I'm not sure if this address is still being routinely monitored anymore. With that said, you could use this email address if you'd like to still give it a shot: submit@samples.immunet.com. Before sending the samples, put them all in a folder, compress the folder using a program like 7zip and use a password to encrypt it, then add that as an attachment to the email. As the email header, type: Virus Samples, so the tech immediately knows what it is. Include a description of the type of malware you think it is & the problems the malware is causing, and any other pertinent data you can think of, with the email; just don't forget to include the password so the folder can be unpacked.
HexaPro, June 27, 2019:
> 3 hours ago, ritchie58 said: Sorry to hear you still think you may be infected. The new site at immunet.com has no malware submission page, just one for False Positives. There is an email address that users could submit malware samples to, but to be honest I'm not sure if this address is still being routinely monitored anymore. With that said, you could use this email address if you'd like to still give it a shot: submit@samples.immunet.com. Before sending the samples, put them all in a folder, compress the folder using a program like 7zip and use a password to encrypt it, then add that as an attachment to the email. As the email header, type: Virus Samples, so the tech immediately knows what it is. Include a description of the type of malware you think it is & the problems the malware is causing, and any other pertinent data you can think of, with the email; just don't forget to include the password so the folder can be unpacked.
Thanks for the email. I'll give it a shot. And about the Malwarebytes rootkit scanner, it seemed to work for several hours yesterday, but now it's coming back again. The rootkit scanner was able to sweep C:\Windows\Fonts\MySQL clean, though. That's why it was fine for several hours yesterday.
ritchie58, June 28, 2019:
Have you tried to use the Malwarebytes Anti-Rootkit scanner while in Safe Mode (without Networking)? If not, I think that might be worth the effort.
HexaPro, June 29, 2019:
OK, I'll try it later when nobody is using it. This one seems pretty persistent.
ritchie58, June 30, 2019:
I hear ya! Some rootkits can be "extremely excellent at hiding" from conventional security products, which are not even able to detect them, let alone quarantine the malware. Some of them use quite complex encryption algorithms and/or masquerade themselves as a child process of a legit Windows process. This is one reason why I suggested Immunet offer a VPN service. Even if a user was unfortunate enough to be infected with an (as yet undetectable) keylogger or rootkit, the bad guys still would not be able to monitor any browser activity when connected to the VPN.
HexaPro, July 1, 2019:
This server was never used on its own; it's only turned on and left on the logon screen every day, and no user has logged in since it's just a data center server, yet the virus is still able to get in. A virus is usually only able to enter a computer by the user's own mistake; at least there's a human factor there to assist the virus's entrance, but this one seems to enter on its own. I will try tonight if no one in the office is accessing it anymore.
Edited July 1, 2019 by HexaPro
ritchie58, July 2, 2019:
In a networking environment it is certainly not unheard of for malware to propagate from one connected computer to another on the same network, regardless of how the initial compromise took place. I would still definitely recommend you run that MB rootkit scan in Safe Mode (without Networking) as soon as you can. Perhaps it's not a bad idea to also check any other computers connected to the server using a full scan with Immunet & the same Safe Mode scan with the MB rootkit scanner, just to be sure. Did you know that Immunet does have an "enterprise version" that's specifically designed to work in a networked server environment? It's called AMP for Endpoints and will protect your server environment so much better than Immunet. AMP stands for Advanced Malware Protection. AMP for Endpoints can detect rootkits, including other usually hard-to-detect forms of malware (such as ransomware), before it can spread to other endpoints! In fact, AMP can be configured for individual/home use too! I was given a free one-year license a while back just to check it out myself and have to admit it is some awesome software for tweaking! Some "advanced computer knowledge" goes a long way to get the best out of the product, but you don't have to have a college degree in computer science to configure the software to meet your needs either. It does use an online interface, where you must log into your account to effect & synchronize any configuration changes, as compared to a traditional user interface where you just click on the icon in your Taskbar to access the UI. That takes a little bit of getting used to (it did for me), but this is actually a great security feature since no changes can be made by unauthorized personnel that don't know the proper login credentials. It's not free like Immunet, but the price is reasonable & actually negotiable depending on the number of connected endpoints to be protected & the length of your license.
https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html
Best wishes, Ritchie...
HexaPro, July 2, 2019:
I have done the Safe Mode rootkit scan, found nothing. Tried to clean with the rootkit scanner last night when no other computers were on; the results were good, it caught lots of malware and the server was fine for several hours. This morning I opened the server again and the malware had already filled their old spots again: 200+ .exe malware files hiding in the IE5 folder again, c64.exe and services.exe in "C:\Windows" again, and many .bat, .dll and .exe files in "C:\Windows\Fonts\Mysql". I need free active malware protection that can block those malwares from getting in.
HexaPro, July 4, 2019:
Ok, I think I have found a solution by creating an inbound rule in the firewall for all protocols, ports, IPs and programs that accepts only connections from computers of authenticated users. I also used KNOPPIX to remove the "C:\Windows\Fonts\Mysql" folder and its contents. Uploaded a virus sample from that folder to Microsoft Security Essentials too, and since yesterday the "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5" folder has had no virus in it yet. Hopefully this one is for real.
ritchie58, July 4, 2019:
Congratulations HexaPro! I hope I didn't just jinx you by my accolade, though, lol! That's what it takes sometimes: never give up & just keep digging at it until a proper solution is accomplished! Since you are using a server environment, I would still recommend you consider deploying AMP for Endpoints for your security needs instead of Immunet.
HexaPro, July 4, 2019:
Ok, it's back again, but this time instead of using KNOPPIX I can directly access and erase the "C:\Windows\Fonts\Mysql" folder with a custom shortcut. You can't directly open it from Explorer, but I can trick it with a shortcut: first I create a shortcut to "C:\Windows", then open its properties and change the target to "C:\Windows\Fonts\Mysql", so I only need to click the shortcut to enter the folder and then erase all the files within the folder. But it's really annoying to have to check the folders every several hours or minutes just to delete all the viruses. No permanent solution yet. I'll try that AMP later man, thanks.
Edited July 4, 2019 by HexaPro
ritchie58, July 4, 2019:
Oh no! Is it possible that you could submit any new samples regarding that Mysql folder?
HexaPro, July 4, 2019:
> 4 minutes ago, ritchie58 said: Oh no! Is it possible that you could submit any new samples regarding that Mysql folder?
Where to? It has .exe, .bat, .txt and .dll files in it.
Edited July 4, 2019 by HexaPro
ritchie58, July 4, 2019:
The same email address in the older thread I posted to this topic: submit@samples.immunet.com. Use the same compression/encryption method I previously mentioned in the other thread.
HexaPro, July 4, 2019:
> 4 minutes ago, ritchie58 said: The same email address in the older thread I posted to this topic: submit@samples.immunet.com. Use the same compression/encryption method I previously mentioned in the other thread.
Done.
ritchie58, July 4, 2019:
If you can, send copies of any executable files in that folder especially.
P.S. Since you have 10 posts and are no longer considered a newbie, you're now our newest official member of the Immunet forum community. Congrats on that!
HexaPro, July 4, 2019:
> 5 minutes ago, ritchie58 said: If you can, send copies of any executable files in that folder especially.
That's all I can catch for now; I'll have to wait for them to reappear to get more files. There was doublepulsar.exe also.
Edited July 4, 2019 by HexaPro
ritchie58, July 4, 2019:
Persistence pays off more often than not! Great idea!
HexaPro, July 4, 2019:
Yeah LOL, the one in "C:\Windows\Fonts\Mysql" is the hardest one to delete. But once you manage to delete the whole folder, the virus is gone for several hours. If it isn't deleted, it will keep laying its eggs every second in "C:\Windows" and "C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5".
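The two things the thread keeps circling back to are collecting SHAs of the dropped files for submission and checking the three folders by hand every few hours. The script below is an added example, not code from the thread or from Immunet: it hashes and logs whatever reappears in those three locations so each reappearance is timestamped and only files not seen before are reported. The log path and the extension list are assumptions.

```powershell
# Added example, not code from the thread: hash and log the files that keep
# reappearing in the three locations named above, so each reappearance is
# timestamped and samples can be submitted with their SHA256. Assumes PowerShell
# 2.0 or later (the Server 2008 R2 default) run from an elevated prompt.
$Paths = @(
    'C:\Windows',
    'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5',
    'C:\Windows\Fonts\Mysql'
)
$Extensions = '.exe', '.dll', '.bat', '.xml', '.txt'   # types reported in the thread
$LogFile    = 'C:\miner-inventory.csv'                # assumed log location
function Get-Sha256Hex([string]$FilePath) {
    # .NET directly, because PowerShell 2.0 on Server 2008 R2 has no Get-FileHash.
    try {
        $fs = [System.IO.File]::Open($FilePath, 'Open', 'Read', 'ReadWrite')
        try {
            $sha = New-Object System.Security.Cryptography.SHA256Managed
            ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally { $fs.Close() }
    } catch { 'UNREADABLE: ' + $_.Exception.Message }   # locked or ACL-blocked file
}

function Get-SuspectFiles {
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # Top level only for C:\Windows; the other two folders are walked fully.
        $recurse = ($dir -ne 'C:\Windows')
        Get-ChildItem -LiteralPath $dir -Force -Recurse:$recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Seen    = (Get-Date).ToString('s')
                    SHA256  = (Get-Sha256Hex $_.FullName)
                    Path    = $_.FullName
                    Created = $_.CreationTime.ToString('s')
                }
            } | Select-Object Seen, SHA256, Path, Created
    }
}
# Report only hashes not logged by a previous run. Legitimate files in the top level
# of C:\Windows appear on the first pass; the genuine services.exe lives in System32.
$known = @{}
if (Test-Path -LiteralPath $LogFile) {
    Import-Csv $LogFile | ForEach-Object { $known[$_.SHA256] = $true }
}
$new = @(Get-SuspectFiles | Where-Object { -not $known.ContainsKey($_.SHA256) })
if ($new.Count -gt 0) {
    $csv = $new | ConvertTo-Csv -NoTypeInformation
    if (-not (Test-Path -LiteralPath $LogFile)) { $csv | Select-Object -First 1 | Set-Content $LogFile }
    $csv | Select-Object -Skip 1 | Add-Content $LogFile
    $new | Format-Table Seen, SHA256, Path -AutoSize
} else {
    'No new files since the last run.'
}
```

Run it from Task Scheduler every few minutes; the Seen timestamps of newly logged hashes show whether the firewall rule or the folder removal actually stopped the reinfection, and the SHA256 column is what the sample submission was asking for.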