Virus Dexon Agent.exe no detectado por el antivirus ESET Endpoint (Dexon Agent.exe virus not detected by ESET)

[CSA cucuta 0]

Buenas tardes.

He detectado un virus que se propago por toda mi red LAN este virus se llama Agent.exe y esta en todos lo computadores de la empresa,

he tratado de eliminarlo manualmente eliminando la carpeta raiz de este pero vuelve y aparece la única solución que encontré fue instalar el Malwarebytes y colocarlo a escanear este si lo detecta y lo acaba pero al quitar o parar el malwarebytes este virus vuelve.

quisiera saber como se puede reportar estos a los señores de ESET para que me ayudes a eliminar este virus.

 

Machine translation:
I have detected a virus that spread throughout my LAN network this virus is called Agent.exe and is on all computers of the company,

I tried to delete it manually by removing the root folder from this but it comes back and the only solution I found was to install the Malwarebytes and place it to scan if it detects and it finishes but when removing or stopping the malwarebytes this virus comes back.

I would like to know how you can report these to the gentlemen of ESET so that you can help me eliminate this virus.

Edited November 8, 2018 by Marcos
Machine translation added

[Peter Randziak 928]

Hello @CSA cucuta,

can you please check if the sample is detected with fully updated ESET product?

If not please send me the sample of it via a private message to check.

Also as this is a global forum, can you please write in English so everyone can understand?

Thank you, P.R.

[Marcos 4,609]

Also please post logs gathered by ESET Log Collector on such machine.

[Marcos 4,609]

According to the info I've found, it's supposedly a potentially unwanted application from 2016. It's described as: The application is a communications application that allows users to have remote access to or direct contact with an IT consultant over the internet. When installed, it creates a service and runs in the background. It automatically sets up a bind connection and listens to the local port 5001 for incoming connections in order to provide remote access. When the user attempts to uninstall, the application is reinstalled and maintains its persistence even when the user tries to end the application.

[Leonardo 10]

2 hours ago, Marcos said:

According to the info I've found, it's supposedly a potentially unwanted application from 2016. It's described as: The application is a communications application that allows users to have remote access to or direct contact with an IT consultant over the internet. When installed, it creates a service and runs in the background. It automatically sets up a bind connection and listens to the local port 5001 for incoming connections in order to provide remote access. When the user attempts to uninstall, the application is reinstalled and maintains its persistence even when the user tries to end the application.

Hi @Marcos 

That's very interesting. 

Is there a way to get rid of this virus/PUA ?

What is the level of dangerousness of this virus/PUA ?

[itman 1,510]

A bit more detail on this.

Per Trend Micro, Eset did detect an earilier version as Win32/Dexon.A; as a PUA: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/pua_dexon .

So a couple of possibilities as to this infection:

1. This is a new undetected variant.

2. Eset PUA protection was not enabled on the endpoint devices.

3. The delivery payload was a worm. It infected the server and spread Dexon via SMB. Likewise, it could have been PUA software installed on an endpoint and spread via SMB.

My money is on number 3).

Based on the modifications this malware makes to Win system directories and registry, extensive cleaning will be required to remove it. 

[itman 1,510]

Assuming this malware was a result of an endpoint user download and installation, I will state this.

Regardless of how the user responded to the Eset PUA alert in corporate environments, users need to be prevented from installing software directly or indirectly via appropriate Windows software restriction polices to prevent this activity.

[alexander14 2]

Please send virustotal.com   - result analysis. 

[itman 1,510]

On ‎11‎/‎6‎/‎2018 at 5:06 PM, CSA cucuta said:

I tried to delete it manually by removing the root folder from this but it comes back and the only solution I found was to install the Malwarebytes and place it to scan if it detects and it finishes but when removing or stopping the malwarebytes this virus comes back.

Hopefully you still have your MBAM logs? If so, check if MBAM recorded the hash value for agent.exe in the log file. If this hash exists, please post it in a forum reply. We can then check out actually what MBAM is detecting.

[itman 1,510]

Researching this a bit further confirmed my suspicion that there is a worm version of Dexon. When it surfaced in 2016, Microsoft was the only major AV vendor that detected it: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Spraxeth.A

This lead me to the OPSWAT site that yielded the following file hash:

Quote

DCAB729A04D58C0B1D4971A75F9A2410BCBEE117F8346DB25AEE0794BEBC1611

https://metadefender.opswat.com/results#!/file/e34f6c0712ca497582bd47adb92b9639/regular/overview

Submitting that file hash to VirusTotal yields that Eset does not detect it there: https://www.virustotal.com/#/file/dcab729a04d58c0b1d4971a75f9a2410bcbee117f8346db25aee0794bebc1611/detection

Something for Eset to check out if the OP can submit a sample of it.

[Marcos 4,609]

Quote

DCAB729A04D58C0B1D4971A75F9A2410BCBEE117F8346DB25AEE0794BEBC1611

This one is unfortunately corrupted.

[itman 1,510]

52 minutes ago, Marcos said:

This one is unfortunately corrupted.

Hybrid-Analysis has sample of it: https://www.hybrid-analysis.com/sample/dcab729a04d58c0b1d4971a75f9a2410bcbee117f8346db25aee0794bebc1611?environmentId=100

[itman 1,510]

Here are what appear to be recent variants of the worm:

https://totalhash.cymru.com/analysis/?1fa45104b40630d08b83513cd2424ab72d79b0e1

https://totalhash.cymru.com/analysis/?c14be28193a1e2abc6069a2bc057c41b5e38f855

-EDIT- Eset detects both these as PUA's. Don't know if that is appropriate or not for anything with worm capability.

Also the worm aspect is secondary in concern. The primary concern is this bugger installs a backdoor on every device it infects. In my book, anything that can install a backdoor is definitely not a PUA.

Edited November 10, 2018 by itman

[Veremo 6]

VT says 1fa45104b40630d08b83513cd2424ab72d79b0e1 was signed by Dexon Software.
Additionally this file contains timestamp countersignature which proofs it is not "recent"

 

Date signed
11:53 PM 11/30/2005

 

[itman 1,510]

I will say it appears Dexon has a way of "worming", pun intended, its way onto networks.

Here's an interesting Sophos posting from an endpoint installation wondering how it could be infected a second time with "not a beep" from Sophos when it had detected it in the first infection episode: https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/88576/sophos-doesnt-detect-a-virus-that-was-previusly-detected.

My take on this is some backdoor remained in place on some device. The old rule of complete OS drive wiping, reformatting, and OS reinstallation comes to mind in the case of a backdoor infection. Or for corps., might just be cheaper to replace the drives.

-EDIT- Forgot to mention Sophos also initially detected the bugger as a PUA. I am starting to see a pattern forming ………………..

Edited November 10, 2018 by itman

[itman 1,510]

10 hours ago, Veremo said:

VT says 1fa45104b40630d08b83513cd2424ab72d79b0e1 was signed by Dexon Software.
Additionally this file contains timestamp countersignature which proofs it is not "recent"

 

Date signed
11:53 PM 11/30/2005

 

I figured we would get around to this.

Here is an AV vendor that found it to be "clean": https://www.reasoncoresecurity.com/agent.exe-0eced01089ae9cba59f2e6b94173cd7dd495b9c8.aspx . Well, sort of. It did find two variants that it classified as PUAs. For the heck of it, I submitted the following "clean" variant to VT:

Agent.exe  5,1,3,648  06db69c21a367a7df46f24d70a8cf7734306b904

Interestingly, Microsoft indicated this one was clean although many other vendors did not including Eset. Do note that VT does indicate that its code signing cert. has expired.

Which gets us to just what the hell is this bugger? Well, it turns out it is part of a legit trusted installer software. You can read about it here: https://www.neuber.com/taskmanager/process/agent.exe.html . This makes its use an ideal target for malware, adware, you name it to abuse.

The bottom line is that this bugger does not "mysteriously" appear on your PC. It relies on some user unwittingly installing it via what appears to be a legit software installation.

So for those Eset users that insist on overriding Eset's PUA alert and installing some software that they "know" to be safe, you have been warned.

Edited November 10, 2018 by itman

[itman 1,510]

According to Comodo, there are almost as many malicious versions of Dexon Agent as there are legit versions. And the malware versions are nasty indeed:

https://file-intelligence.comodo.com/windows-process-virus-malware/exe/Agent

Edited November 10, 2018 by itman

[axlgabo10 0]

In short, with ESET can not block or eliminate this service?

I have the same problem of infection in a client

[itman 1,510]

12 hours ago, axlgabo10 said:

In short, with ESET can not block or eliminate this service?

I have the same problem of infection in a client

Yes it can detect it if PUA protection is enabled.

PUA protection is most effective at software installation time. Possibly the concern overrode the PUA alert?

In any case, have the concern run a full system scan with Admin privileges.