Ghana-Engineer (posted February 16, 2021):
We have ESET File Security installed on Windows Server 2008 R2 Enterprise with a Business License. We installed the all-in-one package, so it has the agent and File Security features with HIDS, Ransomware and all other important modules enabled. Now the client detected a Trojan, or say a virus, called DriveMgr.exe in their shared folder. It has renamed the folders to '__', so we enabled hidden files and folders. We detected the worm. ESET Scan is able to detect the Trojan alright and delete it, but the Trojan still exists inside the folder. Find attached images; if anyone has seen this before, please share how ESET was able to completely remove it. We are a selling partner and we need to be able to get a reasonable reason as to why ESET can't mitigate this.
Marcos (Administrators, posted February 16, 2021):
As long as there is an infected machine in the network, the worm will continue to spread to network shares and ESET will continually detect it on the server. Please carry on as follows:
- enable advanced network protection logging in the advanced setup -> tools -> diagnostics
- wait until the malware is detected
- stop logging
- collect logs with ESET Log Collector
- upload the generated archive here or to a safe location and drop me a personal message with a download link.
Last but not least, we'd recommend upgrading to a fully supported OS for which the vendor releases security updates on a regular basis.
Ghana-Engineer (posted February 16, 2021):
@Marcos We will send you the logs alright. But why is it that ESET detects and cleans it, yet the DriveMgr.exe worm still exists on the server? Why can't ESET completely delete it?
Marcos (Administrators, posted February 16, 2021):
Maybe it's just an empty file. And maybe it's just that the GUI hasn't refreshed after deleting the file.
Ghana-Engineer (posted February 16, 2021):
@Marcos we started the scan yesterday and ESET will detect the worm alright, delete it, and it will reappear.
Marcos (Administrators, posted February 16, 2021):
1 minute ago, Ghana-Engineer said: "@Marcos we started the scan yesterday and ESET will detect the worm alright, delete it, and it will reappear."
Of course. That's because you have another machine in the network which is infected and from which the worm spreads to other machines.
Ghana-Engineer (posted February 16, 2021):
@Marcos on the network, we have installed ESET Endpoint Security on all PCs. So why are we not receiving any information on the Protect Console that ESET has detected the worm on other endpoints?
Marcos (Administrators, posted February 16, 2021):
We'll see what the logs show.
itman (posted February 16, 2021, edited):
Sophos has a write-up on the drivemgr.exe worm here: https://docs.sophos.com/central/MTR/selfhelp/en-us/central/MTR/learningContents/lc_LNKRemediationWorkflow.html . In their write-up, it's being spread via a .lnk file that runs at startup via a Win autorun entry. This would explain why it keeps reappearing.

Sophos also has a "SourceOfInfection" utility that can be used to identify the network device where the .lnk autorun entries exist. Unfortunately, it appears it doesn't work on Win 10 or newer Win Server OS versions. It also appears it's only of value if a Sophos AV solution is deployed, since it is using that as its detection mechanism on the infected network device.

Manual source identification entails the following:

Quote:
Download Autoruns for Windows and use it to find the worm. See How to use Microsoft Autoruns to locate undetected malware. Check the following locations as they're the most likely places you'll find the worm.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Change the user account you're viewing. A non-standard user account may be loading the worm. To view other users in Autoruns, do as follows:
Click File > Run as Administrator.
Wait for the information in Autoruns to reload.
Click Users and check each user account for the worm. This worm can hide under different user accounts. The following image shows an example of infected user account information in Autoruns.

-EDIT- The "tricky" and involved part of the above is to determine the network device where the .lnk resides in a Win autorun startup entry. It may also not be a .lnk file, but I suspect it is. This may or may not be on the client device where Eset detected the malware. I would however start the examination process with that device.

Another long-used favorite of malware authors for dropping a malicious .lnk reference is this directory: C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Edited February 16, 2021 by itman
itman (posted February 16, 2021, edited):
This bugger might also be Phorpiex botnet malware, also known as Tldr, given its current widespread dissemination. Checkpoint has a great detailed analysis on it, from which I will only note the worm-spreading part:

Quote:
Self-spreading Thread
In this thread, the functionality of a file-worm is implemented. In an infinite loop with a delay of 2 seconds, Tldr enumerates the available drives using GetLogicalDrives. It reads the "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" registry key value "NoDrives" and excludes the drives disabled by the NoDrives Windows Explorer policy from enumeration. Then, Tldr selects only removable and remote drives. On each selected drive, it creates a folder with the name "__" and sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, and FILE_ATTRIBUTE_SYSTEM on the created folder to make it invisible in Explorer by default. The malware copies itself to this folder under the hardcoded name ("DriveMgr.exe" in our sample). Tldr acquires the volume name of the selected drive. Then it creates a shortcut with the name "{volume_name}.lnk" in the root folder of the selected drive with the target:
%windir%\system32\cmd.exe /c start __ & __\DriveMgr.exe & exit
Then Tldr moves all folders from the root path of the selected drive to the folder "__". It also deletes all files in the root path with the following extensions: *.lnk, *.vbs, *.bat, *.js, *.scr, *.com, *.jse, *.cmd, *.pif, *.jar, *.dll, *.vbe, *.inf. The reason for this may be to disable all other worms that reside on the same removable drive. As we can see, the behavior is the same as for other worms that use removable drives for spreading. However, in Tldr v5.0, a new functionality was introduced that allows the malware to function as a file-infecting virus and infect other executables. Earlier, Phorpiex used a separate module to infect other software.
The malware scans all folders on removable and remote drives and infects all .exe files that are still not infected.

Another worm infection method this malware uses is:

Quote:
Phorpiex VNC Worm Module
One of the modules we discovered in the Phorpiex arsenal is a malicious VNC client. It doesn't have its own persistence mechanism and is normally executed by Tldr each time. This tiny malware scans random IP addresses for an open VNC server port (5900) and runs a brute-force attack using a hard-coded list of passwords. The final goal of that attack is to load and execute another malware (usually Phorpiex Tldr) on the target host. The execution of the Phorpiex VNC Worm starts with an API bombing sandbox evasion technique.
https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/

This malware also includes a NetBIOS-based worm:

Quote:
Phorpiex NetBIOS Worm Module
This module represents a self-spreading worm which also includes functionality for downloading an additional payload. The NetBIOS Worm scans random IP addresses for an open 139 TCP port (NetBIOS) and runs a brute-force attack using a hard-coded list of usernames and passwords. The attack itself is performed in an infinite loop. The IP addresses for scanning are generated randomly using the rand() function and GetTickCount() results as a random seed. The only filter rule for an IP address is that it cannot start with 127, 172 or 192. A separate thread is created to communicate with each IP address. Astute readers may have already observed that the scanning functionality is quite similar to the one in the Phorpiex VNC Worm module. The NetBIOS Worm prevents multiple executions in several instances by creating a mutex with a hardcoded name (the name varies between samples). It stops execution if the mutex already exists. If it was loaded by Phorpiex Tldr, this module is saved with a pseudo-random name. During the self-spreading stage, the malware uploads itself with the name "WindowsDefender.exe".
In this case the NetBIOS Worm must download the main Phorpiex module or another payload.
https://research.checkpoint.com/2020/phorpiex-arsenal-part-ii/

Edited February 17, 2021 by itman
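The file-worm footprint quoted above (hidden "__" folder, the DriveMgr.exe copy inside it, a root-level .lnk whose cmd.exe arguments launch it, and the original folders moved into "__") can be triaged on a share root with a short script. This is an added example, not code from the thread or from Check Point; it builds a constructed fixture in a temp directory and searches the shortcut bytes for the argument string instead of parsing the full LNK format, which is enough for first-pass triage but not a substitute for an AV scan.

```python
import tempfile
from pathlib import Path

# Names the Check Point write-up gives for the staging folder, the dropped copy and the
# cmd.exe argument string embedded in the shortcut (the sample's hardcoded values).
STAGING_DIR = "__"
DROPPER_NAME = "DriveMgr.exe"
LNK_MARKER = r"__\DriveMgr.exe"


def lnk_references_dropper(lnk_path: Path) -> bool:
    """Cheap triage without a full LNK parser: shortcut arguments are stored as UTF-16LE
    (or ANSI), so search the raw bytes for the marker in both encodings."""
    data = lnk_path.read_bytes()
    return LNK_MARKER.encode("utf-16-le") in data or LNK_MARKER.encode() in data


def scan_drive_root(root: Path) -> dict:
    """Collect the file-worm indicators found in the root of a share or removable drive."""
    staging = root / STAGING_DIR
    findings = {
        "staging_dir": staging.is_dir(),
        "dropper": (staging / DROPPER_NAME).is_file(),
        "lnk_files": sorted(p.name for p in root.glob("*.lnk") if lnk_references_dropper(p)),
        # Folders the worm moved out of the root into "__"; these are what to restore.
        "hijacked_dirs": sorted(p.name for p in staging.iterdir() if p.is_dir())
        if staging.is_dir() else [],
    }
    findings["infected"] = findings["staging_dir"] and findings["dropper"] and bool(findings["lnk_files"])
    return findings


def build_sample_share() -> Path:
    """Constructed fixture, not a real sample: reproduces the layout the write-up describes."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    staging = root / STAGING_DIR
    (staging / "Finance").mkdir(parents=True)
    (staging / "HR").mkdir()
    (staging / DROPPER_NAME).write_bytes(b"MZ" + b"\x00" * 64)  # inert placeholder bytes
    args = r"/c start __ & __\DriveMgr.exe & exit"
    # Minimal stand-in for a .lnk: a header-like prefix followed by the UTF-16LE arguments.
    (root / "SHARE.lnk").write_bytes(b"L\x00\x00\x00" + args.encode("utf-16-le"))
    (root / "readme.txt").write_text("unrelated file left at the root")
    return root


def triage_sample(infected: bool = True) -> dict:
    """Run the scan on the constructed fixture, or on an empty root for a clean baseline."""
    root = build_sample_share() if infected else Path(tempfile.mkdtemp(prefix="clean_"))
    return scan_drive_root(root)
```

Run `scan_drive_root(Path(r"\\server\share"))` against a real share root to list the moved folders before restoring them; on the server itself the hidden/system attributes on "__" mean it will not show in Explorer unless hidden and protected system files are displayed.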
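The VNC and NetBIOS modules quoted above both scan random IP addresses on a single port (5900 or 139) from the infected host, which is a network-level signal an internal machine should never produce. The following is an added example (not from the thread or from Check Point) that runs that detection over constructed, syslog-style flow records: a source that reaches many distinct hosts on a worm port inside a short window is flagged, and the count of targets outside RFC 1918 space is reported because the write-up says the worm picks targets at random rather than from the local network.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the Check Point write-up names for the NetBIOS (139) and VNC (5900) worm modules.
WORM_PORTS = {139: "NetBIOS worm", 5900: "VNC worm"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall/flow log lines for this example; not data from the thread.
SAMPLE_LOG = """\
2021-02-16T09:00:01 src=10.0.0.25 dst=10.0.0.5 dport=445
2021-02-16T09:00:02 src=10.0.0.31 dst=203.0.113.7 dport=139
2021-02-16T09:00:02 src=10.0.0.31 dst=198.51.100.9 dport=139
2021-02-16T09:00:03 src=10.0.0.31 dst=203.0.113.88 dport=139
2021-02-16T09:00:03 src=10.0.0.31 dst=198.51.100.201 dport=139
2021-02-16T09:00:04 src=10.0.0.31 dst=203.0.113.42 dport=139
2021-02-16T09:00:04 src=10.0.0.31 dst=198.51.100.77 dport=5900
2021-02-16T09:00:05 src=10.0.0.31 dst=203.0.113.19 dport=5900
2021-02-16T09:00:05 src=10.0.0.31 dst=198.51.100.3 dport=5900
2021-02-16T09:00:06 src=10.0.0.25 dst=10.0.0.5 dport=139
2021-02-16T09:00:07 src=10.0.0.25 dst=10.0.0.6 dport=139
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into (ts, src, dst, dport)."""
    ts, *kv = line.split()
    f = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), f["src"], f["dst"], int(f["dport"])


def detect_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that reach >= threshold distinct hosts on a worm port inside one window."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in filter(None, log_text.splitlines()):
        ts, src, dst, dport = parse_line(line)
        if dport in WORM_PORTS:
            events[(src, dport)].append((ts, dst))
    alerts = []
    for (src, dport), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # sliding window anchored at each hit
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                outside = sum(not any(ipaddress.ip_address(d) in n for n in RFC1918) for d in targets)
                alerts.append({"src": src, "port": dport, "module": WORM_PORTS[dport],
                               "distinct_targets": len(targets), "targets_outside_rfc1918": outside})
                break  # one alert per (src, port) is enough for triage
    return alerts
```

With the default threshold only 10.0.0.31 on port 139 is flagged; the host that touched two internal file servers on 139 is normal SMB/NetBIOS traffic and stays quiet, which is the distinction that makes this usable as a pointer to the machine Marcos asks the poster to find.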