Ali Akbar, posted January 23, 2018:
Hi,
One of our client's server endpoints has detected Win32/Filecoder.BTCWare but is unable to delete/clean it. Their server is currently running two endpoint protection products, ESET File Security and Malwarebytes. ESET has detected the file but is unable to clean it. On the other side, Malwarebytes has detected a malware named RiskWare.BitCoinMiner. Aren't Win32/Filecoder.BTCWare (detected by ESET) and RiskWare.BitCoinMiner (detected by Malwarebytes) the same malware?

<RECORD>
<COLUMN NAME="Time">23/01/2018 8:32:57 AM</COLUMN>
<COLUMN NAME="Scanner">Real-time file system protection</COLUMN>
<COLUMN NAME="Object type">file</COLUMN>
<COLUMN NAME="Object">C:\DOCUMENTS AND SETTINGS\PUBLIC\LIBRARIES\!#_RESTORE_FILES_#!.INF</COLUMN>
<COLUMN NAME="Threat">Win32/Filecoder.BTCWare trojan</COLUMN>
<COLUMN NAME="Action">unable to clean</COLUMN>
<COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
<COLUMN NAME="Information">Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe (F03B45E99A692E9492FDBBA0CF2D0C8440B26E79).</COLUMN>
<COLUMN NAME="Hash">85B3E115935D14074AD9792E9C15CBD06C0351C5</COLUMN>
<COLUMN NAME="First seen here">10/06/2017 4:56:51 AM</COLUMN>
</RECORD>
<RECORD>
<COLUMN NAME="Time">23/01/2018 8:32:57 AM</COLUMN>
<COLUMN NAME="Scanner">Real-time file system protection</COLUMN>
<COLUMN NAME="Object type">file</COLUMN>
<COLUMN NAME="Object">C:\DOCUMENTS AND SETTINGS\PUBLIC\DOWNLOADS\!#_RESTORE_FILES_#!.INF</COLUMN>
<COLUMN NAME="Threat">Win32/Filecoder.BTCWare trojan</COLUMN>
<COLUMN NAME="Action">unable to clean</COLUMN>
<COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
<COLUMN NAME="Information">Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe (F03B45E99A692E9492FDBBA0CF2D0C8440B26E79).</COLUMN>
<COLUMN NAME="Hash">85B3E115935D14074AD9792E9C15CBD06C0351C5</COLUMN>
<COLUMN NAME="First seen here">10/06/2017 4:56:51 AM</COLUMN>
</RECORD>
Attachment: logs.txt
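An added example, not from the thread or from ESET, that parses records in the log format posted above and reports per detection what the replies below end up establishing by hand: whether the object is only a ransom-note file, whether it still needs action, which process held it open when ESET tried to clean it, and how long it had already sat on disk. The sample log (the first record copied from the post, the second made up), NOTE_NAMES and all function names are constructed here.

```python
import re
from datetime import datetime

# Constructed sample in the <RECORD>/<COLUMN NAME="..."> layout of the log posted
# above. The first record is the one from the post; the second is made up to show
# how a detection that ESET did manage to clean is reported.
SAMPLE_LOG = r"""<RECORD> <COLUMN NAME="Time">23/01/2018 8:32:57 AM</COLUMN> <COLUMN NAME="Scanner">Real-time file system protection</COLUMN> <COLUMN NAME="Object type">file</COLUMN> <COLUMN NAME="Object">C:\DOCUMENTS AND SETTINGS\PUBLIC\LIBRARIES\!#_RESTORE_FILES_#!.INF</COLUMN> <COLUMN NAME="Threat">Win32/Filecoder.BTCWare trojan</COLUMN> <COLUMN NAME="Action">unable to clean</COLUMN> <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN> <COLUMN NAME="Information">Event occurred during an attempt to access the file by the application: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe (F03B45E99A692E9492FDBBA0CF2D0C8440B26E79).</COLUMN> <COLUMN NAME="Hash">85B3E115935D14074AD9792E9C15CBD06C0351C5</COLUMN> <COLUMN NAME="First seen here">10/06/2017 4:56:51 AM</COLUMN> </RECORD>
<RECORD> <COLUMN NAME="Time">23/01/2018 9:10:00 AM</COLUMN> <COLUMN NAME="Scanner">On-demand computer scan</COLUMN> <COLUMN NAME="Object type">file</COLUMN> <COLUMN NAME="Object">C:\USERS\PUBLIC\DOCUMENTS\!#_RESTORE_FILES_#!.INF</COLUMN> <COLUMN NAME="Threat">Win32/Filecoder.BTCWare trojan</COLUMN> <COLUMN NAME="Action">cleaned by deleting</COLUMN> <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN> <COLUMN NAME="Information"></COLUMN> <COLUMN NAME="Hash">85B3E115935D14074AD9792E9C15CBD06C0351C5</COLUMN> <COLUMN NAME="First seen here">10/06/2017 4:56:51 AM</COLUMN> </RECORD>"""

RECORD_RE = re.compile(r"<RECORD>(.*?)</RECORD>", re.S)
COLUMN_RE = re.compile(r'<COLUMN NAME="([^"]+)">(.*?)</COLUMN>', re.S)
# The "Information" column names the process whose file access triggered the event.
BLOCKER_RE = re.compile(r"by the application: (.+?) \(([0-9A-Fa-f]{40})\)")
TIME_FMT = "%d/%m/%Y %I:%M:%S %p"  # day-first, as in the posted log
# Ransom-note filename BTCWare drops beside encrypted files (the name from the log).
NOTE_NAMES = {"!#_RESTORE_FILES_#!.INF"}


def parse_eset_records(text):
    """Turn each <RECORD> block into a dict keyed by column name."""
    return [dict(COLUMN_RE.findall(body)) for body in RECORD_RE.findall(text)]


def triage(record):
    """For one detection: is the object only a ransom note, does it still need
    action, which process held it open, and how long it had been on disk."""
    name = record["Object"].rsplit("\\", 1)[-1].upper()
    held = BLOCKER_RE.search(record.get("Information", ""))
    seen = datetime.strptime(record["First seen here"], TIME_FMT)
    event = datetime.strptime(record["Time"], TIME_FMT)
    return {
        "path": record["Object"],
        "ransom_note": name in NOTE_NAMES,
        "needs_action": record["Action"].lower().startswith("unable"),
        "locked_by": held.group(1).rsplit("\\", 1)[-1] if held else None,
        "days_on_disk": (event - seen).days,
        "sha1": record["Hash"],
    }


def triage_log(text):
    return [triage(r) for r in parse_eset_records(text)]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
```

For the record from the post the note had been present for 227 days before the event, which matches the replies' reading that the encryption itself happened long before and only the note remained.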
Marcos (Administrator), posted January 23, 2018:
Unfortunately, files encrypted by Filecoder.BTCWare cannot be decoded. Most likely attackers carried out a brute-force RDP attack, disabled ESET and ran the ransomware. I'd strongly recommend hardening RDP, e.g. by limiting RDP connections to specific users, IP addresses or ranges, using strong passwords and installing all Windows updates that address vulnerabilities, especially in RDP.
Ali Akbar (author), posted January 23, 2018:
Hi Marcos,
Thanks for the reply. The server has not been infected by Filecoder.BTCWare, but ESET has detected it and is unable to clean it .... ESET has detected the file but is unable to clean it. On the other side, Malwarebytes has detected a malware named RiskWare.BitCoinMiner. Aren't Win32/Filecoder.BTCWare (detected by ESET) and RiskWare.BitCoinMiner (detected by Malwarebytes) the same malware?
safety, posted January 23, 2018:
Quoting Ali Akbar (3 hours ago): "One of our client's server endpoints has detected Win32/Filecoder.BTCWare but is unable to delete/clean it"
Quoting Ali Akbar (3 hours ago): "!#_RESTORE_FILES_#!.INF"
Quoting Ali Akbar (3 hours ago): "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe (F03B45E99A692E9492FDBBA0CF2D0C8440B26E79"
@Ali Akbar In your case, ESET discovered a ransom note, which apparently remained in the system for some reason. (As the saying goes, only the horns and legs of the encryptor were left.) The main body of the encryptor is not in the system; otherwise you would at least see its result in the form of encrypted files. This file (!#_RESTORE_FILES_#!.INF) cannot be deleted by the ESET antivirus, because it was detected at the time Malwarebytes was scanning the system, so MBAM blocked it.
Marcos (Administrator), posted January 23, 2018:
Quoting Ali Akbar (3 hours ago): "Thanks for the reply. The server has not been infected by Filecoder.BTCWare, but ESET has detected it and is unable to clean it ...."
The payment instructions are usually dropped by ransomware after encrypting files in a particular folder; therefore it's likely you also had encrypted files with the wallet, btcware or another unusual extension in these folders. Running a disk scan should detect all files with instructions and offer you an option to delete them at the end of the scan.
Ali Akbar (author), posted January 24, 2018:
Quoting safety (16 hours ago): "This file (!#_RESTORE_FILES_#!.INF) cannot be deleted by the ESET antivirus, because it was detected at the time Malwarebytes was scanning the system, so MBAM blocked it."
Hi @safety
Thanks for the reply. Does it mean that if we disable the Malwarebytes protection and run the ESET scan again, it will be able to delete !#_RESTORE_FILES_#!.INF?
Marcos (Administrator), posted January 24, 2018:
Quoting Ali Akbar (4 hours ago): "Hi @safety Thanks for the reply. Does it mean that if we disable the Malwarebytes protection and run the ESET scan again, it will be able to delete !#_RESTORE_FILES_#!.INF?"
After running a full disk scan you should be prompted for an action. Selecting Delete or Clean should remove the detected text files. Also, we don't recommend using MBAM together with ESET. With versions 1-2 there were no issues as long as its real-time protection was kept disabled, but allegedly v3 clashes with ESET.