
Autocopy Virus


Richard666


Hi, I have a problem with a rather annoying virus in my company. ESET NOD32 Antivirus does not detect it. The little rascal starts a process and copies itself to every USB drive you plug in. But every time it creates folders with random names, so it is very difficult to look for it by name on the web. Here are some photos I took; please, if you know how to get rid of it or an automatic way to erase all of the files from USB drives, let me know. Thanks.

20190927_132959.jpg

20190927_132924.jpg


  • Administrators

According to the screenshot, the names and especially the program icon, it's an AutoHotkey script malware. Please submit both the exe and the txt file (the script itself), along with logs collected by ESET Log Collector, to samples[at]eset.com.


If it is AutoHotkey script malware, Trend Micro has a detailed analysis on a variant from last spring here: https://blog.trendmicro.com/trendlabs-security-intelligence/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection/ . Obviously whatever this current infection is, it is not this variant since Eset and most AV vendors have a signature for it.

The main points to note:

1. AutoHotKey is a legit executable. It is the script dropped with it that starts the malware download infection process.

2. It appears the attack is predominately done via e-mail attachment.

3. A malicious macro is used to start the infection "ball rolling."

Have you permanently disabled all macro execution in MS Office executables? Preferably by Group Policy means, so individual users can't re-enable them.

 

Edited by itman

If you are not using the Win Explorer "display hidden files" option, switch to that. Then check if the .txt file shown in your second screenshot is actually shown as xxxxxxxxxxxxx.txt.ahk.
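The check described in this post, done from PowerShell instead of by eye, as an added example that is not part of the thread: it turns on the two Explorer settings (show hidden files, show known extensions), then walks a drive and reports every file that carries a double extension such as `.txt.ahk`, has the Hidden or System attribute, or has an extension typical of this kind of script malware, together with its SHA-256 so the hash can be sent with a sample. `$Root` and `$suspectExt` are assumed parameters; point `$Root` at the USB drive letter to inspect. The script only reads; it deletes nothing.

```powershell
# Added example (not from the thread). Run as the user whose Explorer settings
# should change; $Root is an assumed parameter for the drive to inspect.
param(
    [string]$Root = 'E:\'
)

# Explorer view settings: Hidden=1 shows hidden files, HideFileExt=0 shows
# known extensions, so "xxxx.txt.ahk" is no longer displayed as "xxxx.txt".
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name Hidden      -Value 1
Set-ItemProperty -Path $explorerKey -Name HideFileExt -Value 0

# Extensions worth a second look on a removable drive (assumed list).
$suspectExt = @('.ahk', '.exe', '.lnk', '.vbs', '.bat', '.cmd', '.scr')

Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # A second extension before the real one (".txt.ahk") is the classic
        # disguise that relies on Explorer hiding known extensions.
        $doubleExt = $_.Name -match '\.[A-Za-z0-9]{1,5}\.[A-Za-z0-9]{1,5}$'
        $hidden    = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $system    = ($_.Attributes -band [IO.FileAttributes]::System) -ne 0
        $suspect   = $suspectExt -contains $_.Extension.ToLower()

        if ($doubleExt -or $hidden -or $system -or $suspect) {
            [PSCustomObject]@{
                Path      = $_.FullName
                Extension = $_.Extension
                DoubleExt = $doubleExt
                Hidden    = $hidden
                System    = $system
                SizeBytes = $_.Length
                # Hash of the file as found, for the sample submission.
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    } | Format-Table -AutoSize
```

Run it once per USB stick; the Hidden/System flags and the double-extension column together usually make the dropped script and its launcher stand out even when the folder names are random, and the hash column is what you attach when submitting the sample.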


Given that the AutoHotkey icon is not hidden and it's infecting USB drives, the sample might be a rewrite of the old Fauxpersky malware, dropping the ruse of being Kaspersky security software: https://www.cybereason.com/blog/fauxpersky-credstealer-malware-autohotkey-kaspersky-antivirus


Thanks for your replies, but none of the above panned out. How can I submit files for analysis in a secure way??? If I try via email, an antivirus alert pops up.


  • Most Valued Members
23 minutes ago, Richard666 said:

Thanks for your replies, but none of the above panned out. How can I submit files for analysis in a secure way??? If I try via email, an antivirus alert pops up.

There are two ways to do that:

1) Through the GUI of the ESET software you have, you can send a sample for analysis; here is more detailed information about it: https://support.eset.com/kb141/#esetproduct

2) Archive the infected files, encrypt them with the password "infected" and hide the names; it should prevent your email scanner from identifying the malicious files, unless archives are prevented from being sent through email.

Edited by Rami

AutoHotkey

4 hours ago, Richard666 said:

Thanks for your replies, but none of the above panned out.

Appears you're still infected with this bugger.

Per the Trend Micro article, that variant used a .lnk file in a Win startup directory for persistence. On an infected device, check this directory, C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any .lnk files present. If they exist, check out what they are pointing to. It might just be this AutoHotkey malware.

Note that persistence can be achieved by a number of methods other than the above: registry Run keys, scheduled tasks, creation of a Win service, WMI event consumers, etc.

-EDIT- In the Faux Kaspersky malware instance that more closely exhibits the behavior you are experiencing, persistence was had via:

Quote

If you are infected with the malware, navigate to %appdata%\Roaming\ and remove the Kaspersky Internet Security 2017\ directory, related files should be also removed from the startup directory inside the start menu.

So you want to closely examine any sub-directories in C:\Users\xxxxxxx\AppData\Roaming\ for a directory created by the malware. And again, look in this directory, C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup for any .exe's or other files present. Normally, this directory is empty aside from a hidden OS level autorun.ini file that it appears this variant also modified.

 

Edited by itman
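The triage itman lays out in the two posts above (Startup folder .lnk targets, Run keys, scheduled tasks, and new directories under AppData\Roaming) collected into one read-only PowerShell script, as an added example that is not part of the thread. It resolves each shortcut to its real target through the WScript.Shell COM object, lists Run/RunOnce values for the user and the machine, flags scheduled-task actions that reference AutoHotkey or run something out of a user profile, and lists Roaming directories created recently. `$Days` and the regular expression in the task filter are assumed values; `Get-ScheduledTask` needs Windows 8 / Server 2012 or later. Nothing is deleted; the output is what you compare against the folder names from the screenshots.

```powershell
# Added example (not from the thread). Read-only persistence triage for the
# locations discussed above; $Days is an assumed lookback window.
$Days = 30

function Get-PersistenceFindings {
    $shell = New-Object -ComObject WScript.Shell

    # 1. Startup folders (per-user and all-users): resolve every .lnk to its target.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)
                [PSCustomObject]@{ Location = 'Startup'; Item = $_.FullName
                                   Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
            } else {
                # Anything that is not a shortcut in here deserves a look on its own.
                [PSCustomObject]@{ Location = 'Startup'; Item = $_.FullName
                                   Target = ''; Arguments = '' }
            }
        }
    }

    # 2. Run / RunOnce keys for the current user and the machine.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -notmatch '^PS') {
                [PSCustomObject]@{ Location = $key; Item = $p.Name
                                   Target = $p.Value; Arguments = '' }
            }
        }
    }

    # 3. Scheduled tasks whose action mentions AutoHotkey, an .ahk script, or a
    #    path under a user profile (assumed pattern; widen it as needed).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'AutoHotkey|\.ahk|\\AppData\\|\\Users\\') {
                [PSCustomObject]@{ Location = "Task:$($task.TaskPath)"; Item = $task.TaskName
                                   Target = $a.Execute; Arguments = $a.Arguments }
            }
        }
    }

    # 4. Directories under %AppData% (Roaming) created within the lookback window,
    #    the place the Fauxpersky variant dropped its fake "Kaspersky" folder.
    Get-ChildItem -Path $env:APPDATA -Directory -Force |
        Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            [PSCustomObject]@{ Location = 'AppData\Roaming'; Item = $_.FullName
                               Target = "created $($_.CreationTime)"; Arguments = '' }
        }
}

Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell so the HKLM keys and all-users tasks are readable. A Startup .lnk whose Target is AutoHotkey.exe with an .ahk script as Arguments, or a Run value pointing into a freshly created Roaming directory, is the pattern to look for; once found, the directory and the launcher are what you remove and what you submit to samples[at]eset.com.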
