CSA cucuta, posted November 6, 2018 (edited):
Good afternoon. I have detected a virus that has spread across my entire LAN. It is called Agent.exe and it is on every computer in the company. I tried to remove it manually by deleting its root folder, but it comes back. The only solution I found was to install Malwarebytes and run a scan; it detects and removes it, but when Malwarebytes is removed or stopped the virus comes back. I would like to know how to report this to the people at ESET so that they can help me remove this virus.
Edited November 8, 2018 by Marcos: machine translation added.
Peter Randziak (ESET Moderators), posted November 8, 2018:
Hello @CSA cucuta, can you please check whether the sample is detected with a fully updated ESET product? If not, please send me a sample of it via a private message so I can check it. Also, as this is a global forum, can you please write in English so everyone can understand? Thank you, P.R.
Marcos (Administrators), posted November 8, 2018:
Also please post logs gathered by ESET Log Collector from such a machine.
Marcos (Administrators), posted November 8, 2018:
According to the info I've found, it's supposedly a potentially unwanted application from 2016. It's described as follows:
The application is a communications application that allows users to have remote access to or direct contact with an IT consultant over the internet. When installed, it creates a service and runs in the background. It automatically sets up a bind connection and listens on local port 5001 for incoming connections in order to provide remote access. When the user attempts to uninstall it, the application is reinstalled, and it maintains its persistence even when the user tries to end the application.
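The description above names three indicators a responder can check on a host before touching anything: a listener on TCP 5001, a service that runs the agent, and a persistence mechanism that brings it back. The following triage script is an added example written for this thread; it is not ESET's code and not from any post here. It assumes the port is 5001 and that the binary is named Agent.exe, as the thread reports; both are parameters at the top.

```powershell
# Added triage example for this thread (not from ESET or from any poster).
# Assumptions: the agent listens on TCP 5001 and its binary is Agent.exe.
# Run in an elevated PowerShell session; read-only, it changes nothing.
#Requires -RunAsAdministrator
$Port    = 5001
$Pattern = 'Agent\.exe'   # regex matched against paths and command lines

Write-Host "== TCP listeners on port $Port and their owning process =="
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
  ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
      LocalAddress = $_.LocalAddress
      PID          = $_.OwningProcess
      Process      = $p.ProcessName
      Path         = $p.Path
    }
  } | Format-Table -AutoSize

Write-Host "== Services whose binary path matches $Pattern =="
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -match $Pattern } |
  Select-Object Name, State, StartMode, StartName, PathName |
  Format-List

Write-Host "== Run/RunOnce values referencing $Pattern =="
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
  if (Test-Path $k) {
    (Get-ItemProperty $k).PSObject.Properties |
      Where-Object { $_.Value -is [string] -and $_.Value -match $Pattern } |
      ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
  }
}

Write-Host "== Scheduled tasks whose action matches $Pattern =="
Get-ScheduledTask | Where-Object {
  $_.Actions | Where-Object { ($_.Execute + ' ' + $_.Arguments) -match $Pattern }
} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

Write-Host "== Running processes matching $Pattern =="
Get-Process | Where-Object { $_.Path -match $Pattern } |
  Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
```

Because the post says the application reinstalls itself when uninstalled, the order of removal matters: stop and disable the service (`Stop-Service`, then `Set-Service -StartupType Disabled`) and remove any Run value or scheduled task the script lists before deleting the folder, otherwise the still-registered service simply puts the files back. Record the listener, service path and file hashes first; that is the material ESET asked for above.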
Leonardo, posted November 8, 2018:
Quoting Marcos (2 hours earlier): According to the info I've found, it's supposedly a potentially unwanted application from 2016. It's described as follows: The application is a communications application that allows users to have remote access to or direct contact with an IT consultant over the internet. When installed, it creates a service and runs in the background. It automatically sets up a bind connection and listens on local port 5001 for incoming connections in order to provide remote access. When the user attempts to uninstall it, the application is reinstalled, and it maintains its persistence even when the user tries to end the application.
Hi @Marcos, that's very interesting. Is there a way to get rid of this virus/PUA? What is the level of dangerousness of this virus/PUA?
itman, posted November 8, 2018:
A bit more detail on this. Per Trend Micro, Eset did detect an earlier version, Win32/Dexon.A, as a PUA: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/pua_dexon . So a couple of possibilities as to this infection:
1. This is a new undetected variant.
2. Eset PUA protection was not enabled on the endpoint devices.
3. The delivery payload was a worm. It infected the server and spread Dexon via SMB. Likewise, it could have been PUA software installed on an endpoint and spread via SMB.
My money is on number 3. Based on the modifications this malware makes to Windows system directories and the registry, extensive cleaning will be required to remove it.
itman, posted November 8, 2018:
Assuming this malware was the result of an endpoint user download and installation, I will state this. Regardless of how the user responded to the Eset PUA alert, in corporate environments users need to be prevented from installing software, directly or indirectly, via appropriate Windows software restriction policies.
alexander14, posted November 8, 2018:
Please post the virustotal.com analysis result.
itman, posted November 8, 2018:
Quoting CSA cucuta (11/6/2018 at 5:06 PM): I tried to remove it manually by deleting its root folder, but it comes back. The only solution I found was to install Malwarebytes and run a scan; it detects and removes it, but when Malwarebytes is removed or stopped the virus comes back.
Hopefully you still have your MBAM logs? If so, check whether MBAM recorded the hash value for agent.exe in the log file. If this hash exists, please post it in a forum reply. We can then check what MBAM is actually detecting.
itman, posted November 9, 2018:
Researching this a bit further confirmed my suspicion that there is a worm version of Dexon. When it surfaced in 2016, Microsoft was the only major AV vendor that detected it: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Spraxeth.A
This led me to the OPSWAT site, which yielded the following file hash:
DCAB729A04D58C0B1D4971A75F9A2410BCBEE117F8346DB25AEE0794BEBC1611
https://metadefender.opswat.com/results#!/file/e34f6c0712ca497582bd47adb92b9639/regular/overview
Submitting that file hash to VirusTotal shows that Eset does not detect it there: https://www.virustotal.com/#/file/dcab729a04d58c0b1d4971a75f9a2410bcbee117f8346db25aee0794bebc1611/detection
Something for Eset to check out if the OP can submit a sample of it.
Marcos (Administrators), posted November 9, 2018:
Quoting: DCAB729A04D58C0B1D4971A75F9A2410BCBEE117F8346DB25AEE0794BEBC1611
This one is unfortunately corrupted.
itman, posted November 9, 2018:
Quoting Marcos (52 minutes earlier): This one is unfortunately corrupted.
Hybrid-Analysis has a sample of it: https://www.hybrid-analysis.com/sample/dcab729a04d58c0b1d4971a75f9a2410bcbee117f8346db25aee0794bebc1611?environmentId=100
itman, posted November 9, 2018 (edited):
Here are what appear to be recent variants of the worm:
https://totalhash.cymru.com/analysis/?1fa45104b40630d08b83513cd2424ab72d79b0e1
https://totalhash.cymru.com/analysis/?c14be28193a1e2abc6069a2bc057c41b5e38f855
-EDIT- Eset detects both of these as PUAs. Don't know whether that is appropriate for anything with worm capability. Also, the worm aspect is secondary in concern. The primary concern is that this bugger installs a backdoor on every device it infects. In my book, anything that can install a backdoor is definitely not a PUA.
Edited November 10, 2018 by itman
Veremo, posted November 10, 2018:
VT says 1fa45104b40630d08b83513cd2424ab72d79b0e1 was signed by Dexon Software. Additionally, this file contains a timestamp countersignature, which proves it is not "recent": Date signed 11:53 PM 11/30/2005.
itman, posted November 10, 2018 (edited):
I will say it appears Dexon has a way of "worming", pun intended, its way onto networks. Here's an interesting Sophos posting from an endpoint installation wondering how it could be infected a second time with "not a beep" from Sophos when it had detected it in the first infection episode: https://community.sophos.com/products/endpoint-security-control/f/sophos-enterprise-console/88576/sophos-doesnt-detect-a-virus-that-was-previusly-detected . My take on this is that some backdoor remained in place on some device. The old rule of complete OS drive wiping, reformatting, and OS reinstallation comes to mind in the case of a backdoor infection. Or for corporations, it might just be cheaper to replace the drives.
-EDIT- Forgot to mention Sophos also initially detected the bugger as a PUA. I am starting to see a pattern forming...
Edited November 10, 2018 by itman
itman, posted November 10, 2018 (edited):
Quoting Veremo (10 hours earlier): VT says 1fa45104b40630d08b83513cd2424ab72d79b0e1 was signed by Dexon Software. Additionally, this file contains a timestamp countersignature, which proves it is not "recent": Date signed 11:53 PM 11/30/2005.
I figured we would get around to this. Here is an AV vendor that found it to be "clean": https://www.reasoncoresecurity.com/agent.exe-0eced01089ae9cba59f2e6b94173cd7dd495b9c8.aspx . Well, sort of. It did find two variants that it classified as PUAs. For the heck of it, I submitted the following "clean" variant to VT:
Agent.exe 5,1,3,648 06db69c21a367a7df46f24d70a8cf7734306b904
Interestingly, Microsoft indicated this one was clean, although many other vendors did not, including Eset. Do note that VT does indicate that its code-signing cert has expired. Which gets us to just what the hell is this bugger? Well, it turns out it is part of a legit trusted-installer software. You can read about it here: https://www.neuber.com/taskmanager/process/agent.exe.html . This makes it an ideal target for malware, adware, you name it, to abuse. The bottom line is that this bugger does not "mysteriously" appear on your PC. It relies on some user unwittingly installing it via what appears to be a legit software installation. So for those Eset users who insist on overriding Eset's PUA alert and installing some software that they "know" to be safe, you have been warned.
Edited November 10, 2018 by itman
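The last several posts turn on three facts about a given Agent.exe: its hash (so it can be looked up on VirusTotal or sent to ESET without guessing), who signed it, and whether the signature carries a timestamp countersignature, which is what lets a signature stay valid after the signing certificate expires. The script below gathers exactly those for every Agent.exe on the host. It is an added example for this thread, not code from any poster, ESET, Dexon, or VirusTotal; it assumes the file name Agent.exe and searches the usual program, Windows, ProgramData and user directories, all of which are adjustable at the top.

```powershell
# Added example for this thread (not from any poster or vendor). For each file
# named $Name under $Roots, report SHA-256, file version, Authenticode status,
# signer subject and expiry, and whether a timestamp countersignature exists.
# Assumption: the agent binary is named Agent.exe. Run elevated for full access.
#Requires -RunAsAdministrator
$Name  = 'Agent.exe'
$Roots = @(
  $env:ProgramFiles,
  ${env:ProgramFiles(x86)},
  $env:windir,
  $env:ProgramData,
  "$env:SystemDrive\Users"
)

$files = foreach ($r in $Roots) {
  if ($r -and (Test-Path $r)) {
    Get-ChildItem -Path $r -Filter $Name -Recurse -File -Force -ErrorAction SilentlyContinue
  }
}

$report = foreach ($f in $files) {
  $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
  $cert = $sig.SignerCertificate        # $null when the file is unsigned
  $tsa  = $sig.TimeStamperCertificate   # $null when there is no countersignature
  [pscustomobject]@{
    Path        = $f.FullName
    SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    FileVersion = $f.VersionInfo.FileVersion
    SigStatus   = $sig.Status           # Valid, NotSigned, HashMismatch, NotTrusted, ...
    Signer      = if ($cert) { $cert.Subject }  else { '(unsigned)' }
    CertExpires = if ($cert) { $cert.NotAfter } else { $null }
    Timestamped = [bool]$tsa
    TSA         = if ($tsa)  { $tsa.Subject }   else { $null }
  }
}

$report | Format-List
# Hashes only, one per line, for a VirusTotal search or an ESET submission note:
$report | ForEach-Object { $_.SHA256 } | Sort-Object -Unique
```

Two things to read off the output. First, SigStatus stays Valid on a file whose signing certificate has since expired as long as Timestamped is true and the chain is trusted; that is the countersignature point Veremo makes above, and it is why an expired-cert warning on VirusTotal is not by itself evidence of tampering. HashMismatch, on the other hand, means the bytes no longer match what Dexon signed, which is the case worth escalating. Second, a valid Dexon signature only establishes that the file is genuinely theirs; whether a remote-access agent listening on the LAN belongs on a company's machines is a policy question, which is the reason the PUA classification exists.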
itman, posted November 10, 2018 (edited):
According to Comodo, there are almost as many malicious versions of Dexon Agent as there are legit versions. And the malware versions are nasty indeed: https://file-intelligence.comodo.com/windows-process-virus-malware/exe/Agent
Edited November 10, 2018 by itman
axlgabo10, posted December 2, 2018:
In short, ESET cannot block or eliminate this service? I have the same infection problem at a client.
itman, posted December 2, 2018:
Quoting axlgabo10 (12 hours earlier): In short, ESET cannot block or eliminate this service? I have the same infection problem at a client.
Yes, it can detect it if PUA protection is enabled. PUA protection is most effective at software installation time. Possibly the concern overrode the PUA alert? In any case, have the concern run a full system scan with Admin privileges.