
Hi, I have a problem with a rather annoying virus at my company. ESET NOD32 Antivirus does not detect it. The little rascal starts a process and copies itself to every USB drive you plug in. But every time it creates folders with random names, so it is very difficult to look for it by name on the web. Here are some photos I took; please, if you know how to get rid of it or an automatic way to erase all of the files from USB drives, let me know. Thanks.

(Attached screenshots: 20190927_132959.jpg, 20190927_132924.jpg)


According to the screenshot, the names and especially the program icon, it's AutoHotkey script malware. Please submit both the exe and the txt file (the script itself), along with logs collected by ESET Log Collector, to samples[at]eset.com.


If it is AutoHotkey script malware, Trend Micro has a detailed analysis on a variant from last spring here: https://blog.trendmicro.com/trendlabs-security-intelligence/potential-targeted-attack-uses-autohotkey-and-malicious-script-embedded-in-excel-file-to-avoid-detection/ . Obviously whatever this current infection is, it is not this variant since Eset and most AV vendors have a signature for it.

The main points to note:

1. AutoHotkey is a legitimate executable. It is the script dropped with it that starts the malware download and infection process.

2. It appears the attack is predominately done via e-mail attachment.

3. A malicious macro is used to start the infection "ball rolling."

Have you permanently disabled all macro execution in the MS Office executables? Preferably by Group Policy means, so individual users can't re-enable them.

 

Edited by itman


If you are not using the Windows Explorer "show hidden files" option, switch to that. Then check whether the .txt file shown in your second screenshot is actually shown as xxxxxxxxxxxxx.txt.ahk.


Thanks for your replies, but none of the above panned out. How can I submit files for analysis in a secure way? If I try via email, an antivirus alert pops up.

23 minutes ago, Richard666 said:

Thanks for your replies, but none of the above panned out. How can I submit files for analysis in a secure way? If I try via email, an antivirus alert pops up.

There are two ways to do that:

1) Through the GUI of the ESET software you have, you can send a sample for analysis; here is more detailed information about it: https://support.eset.com/kb141/#esetproduct

2) Archive the infected files, encrypt the archive with the password "infected" and hide the names; it should prevent your email scanner from identifying the malicious files, unless archives are blocked from being sent through email.

Edited by Rami


4 hours ago, Richard666 said:

Thanks for your replies but none of the above panned out.

Appears you're still infected with this bugger.

Per the Trend Micro article, that variant used a .lnk file in a Windows startup directory for persistence. On an infected device, check this directory, C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any .lnk files present. If they exist, check out what they are pointing to. It might just be this AutoHotkey malware.

Note that persistence can be achieved by a number of methods other than the above: registry Run keys, scheduled tasks, creation of a Windows service, WMI event consumers, etc.

-EDIT- In the faux Kaspersky malware instance that more closely exhibits the behavior you are experiencing, persistence was achieved via:

Quote

If you are infected with the malware, navigate to %appdata%\Roaming\ and remove the Kaspersky Internet Security 2017\ directory, related files should be also removed from the startup directory inside the start menu.

So you want to closely examine any sub-directories in C:\Users\xxxxxxx\AppData\Roaming\ for a directory created by the malware. And again, look in this directory, C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, for any .exe or other files present. Normally, this directory is empty aside from a hidden OS-level autorun.ini file that it appears this variant also modified.

 

Edited by itman
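As an added example (not code from this thread, ESET or Trend Micro), the following PowerShell triage script walks the persistence locations listed above (Startup folder shortcuts, Run/RunOnce keys, Roaming AppData sub-directories, scheduled tasks) and applies the hidden double-extension check from the earlier reply to every removable drive. It generalizes that check to any .txt/.jpg/.pdf name followed by .ahk, .exe or .lnk; it only reports findings and deletes nothing, and assumes a Windows 8 or later host with the standard Windows paths and registry keys.

```powershell
# Added triage script: reports possible AutoHotkey-malware artifacts for review.
# Run in an elevated PowerShell on the suspect machine. Nothing is removed.

$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$shell   = New-Object -ComObject WScript.Shell

Write-Host "== Startup folder: $startup"
Get-ChildItem -LiteralPath $startup -Force -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Resolve .lnk targets so you see what the shortcut actually launches
    $target = if ($_.Extension -eq '.lnk') {
      $shell.CreateShortcut($_.FullName).TargetPath } else { '(not a shortcut)' }
    [pscustomobject]@{ File = $_.Name; Target = $target; Created = $_.CreationTime }
  } | Format-Table -AutoSize

Write-Host "== Run / RunOnce keys (per-user and machine)"
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' | ForEach-Object {
  if (Test-Path $_) {
    Write-Host "-- $_"
    Get-ItemProperty -Path $_ | Select-Object -Property * -ExcludeProperty PS* | Format-List
  }
}

Write-Host "== Roaming AppData sub-directories, newest first"
Get-ChildItem -LiteralPath $env:APPDATA -Directory -Force |
  Sort-Object CreationTime -Descending |
  Select-Object -First 15 Name, CreationTime | Format-Table -AutoSize

Write-Host "== Scheduled tasks whose action mentions AutoHotkey or an .ahk script"
Get-ScheduledTask | ForEach-Object {
  foreach ($a in $_.Actions) {
    if ("$($a.Execute) $($a.Arguments)" -match '\.ahk|autohotkey') {
      [pscustomobject]@{ Task = $_.TaskName; Exe = $a.Execute; Args = $a.Arguments }
    }
  }
} | Format-Table -AutoSize

Write-Host "== Removable drives: double extensions and AutoHotkey scripts"
# DriveType 2 = removable disk (USB sticks); DeviceID is e.g. 'E:'
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
  Get-ChildItem -Path "$($_.DeviceID)\" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.(txt|jpg|pdf)\.(ahk|exe|lnk)$' -or $_.Extension -eq '.ahk' } |
    Select-Object FullName, Length, LastWriteTime
} | Format-Table -AutoSize
```

Anything it lists is a candidate for the sample submission described earlier in the thread, not proof of infection on its own.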
