TROJAN WARNING CONSTANTLY

[HienKieu 2]

Hello everyone,

My customers are using File Security version 6.5.12013 on Windows Server 2012 R2 Standard. Last week, they detected a malware warning constantly on this. When i was logon and checked, log file details as below:

<RECORD>

<COLUMN NAME="Time">28/12/2017 3:45:38 PM</COLUMN>

<COLUMN NAME="Scanner">Real-time file system protection</COLUMN>

<COLUMN NAME="Object type">file</COLUMN>

<COLUMN NAME="Object">

C:\Program Files (x86)\Common Files\sys\SystemRunDll3.exe

</COLUMN>

<COLUMN NAME="Threat">Win64/CoinMiner.J trojan</COLUMN>

<COLUMN NAME="Action">cleaned by deleting</COLUMN>

<COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>

<COLUMN NAME="Information">

Event occurred on a new file created by the application: C:\Program Files (x86)\Common Files\sys\Service4.exe (1C5778306AA81EEB2E2B1DA57DD1E6FEAEEBD757).

</COLUMN>

<COLUMN NAME="Hash">A645B3F5956ABA168437ED7368C6584DB130B6BB</COLUMN>

<COLUMN NAME="First seen here">28/12/2017 3:45:36 PM</COLUMN>

 

I know, the malware was detected on Jun 23, 2014 hxxp://www.virusradar.com/en/Win64_CoinMiner.J/description. Maybe pop-up warning created by the application above "Service4.exe". I have directed to the path, stop services and delete related it... but I'm not sure that it will spawn an application with a different name (example: sa.exe, service2.exe,...).. I have seen this!

So, i don't know How can I solve this situation completely? Please give me some advice if you have any ideas?
Thanks in advance!

More detail you can see..

[Marcos 5,074]

A detection for "service4.exe" will be added in update 16647. I'd also recommend enabling detection of potentially unsafe applications if you haven't already since they cover also coin miners.

[itman 1,659]

I will also add that this directory, C:\Program Files (x86)\Common Files\sys, requires full admin privileges to modify; at least in Win 10 ver. 1709. As such, a UAC prompt would be generated if one was running on any account with privileges below full admin level. 

[GCG 5]

A) I would recommend restarting the server into safe mode so that you can be sure that the application is not running. 

B) I would then use the "SC delete" command to delete the actual service. 

I would then take the directory and create a password protected (make sure it is password protected) archive  using WinRAR  of the entire directory at the folder level of "C:\program files (x86)\common files\sys"

Please note: I am recommended this for the following reasons:

1) so that you can ensure even hidden folders or files are captured in the archive and

2) so you can restore, recover, or submit files to support for additional analysis.

C) I would then delete the "C:\program files (x86)\common files\sys" folder and repair or reinstall any applications that utilize the library or files in that directory.

Please note: if the files return after you have delete them it is likely due to a secondary application or service is restoring them

D) I would recommend you run DISM and then SFC commands in safe mode to check the seals on other system files and services. (can be done while operating in safe or normal boot modes)

E) reboot back into normal mode and scan the server again (anti-virus scan will not be able to scan password protected archives)

F) If you are booting using MBR instead of UEFI I would also recommend scanning the boot sector

it is possible that restricting system privileges as previously suggested will not be effective, as the directory likely has already provided system or service(s) with full permission to this directory and even if you enable UAC it may not impact or impair the infection from executing, operating, or spreading.

This advise is offered as is with no guarantees.

If you need further assistance I would recommend that you either contact support or a company like our for assistance

 

Robert

Grant Consulting Group LLC