ESET Can't Completely Remove Trojan-Worm

[Ghana-Engineer 0]

We have ESET File Security installed on windows server 2008R2 Enterprise with Business License. We installed all-in-one so it has agent and file security features with HIDS Ransomware and all other important modules enabled. 

Now the client detected a Trojan or say Virus called DriveMgr.exe in their shared folder. It has renamed the folders to '__' to we enabled hidden files and folders. We detected the worm. ESET Scan is able to detect the trojan alright and delete, but the Trojan still exist inside the folder.

Find attached images and if anyone has seen this before should share how ESET  was able to completely remove this. We are a selling partner and we need be able to get a reasonable reason as to why ESET can't mitigate this.

[Marcos 5,074]

As long as there is an infected machine in the network, the worm will continue to spread to network shares and ESET will continually detect it on the server.

Please carry on as follows:
- enable advanced network protection logging in the advanced setup -> tools -> diagnostics
- wait until the malware is detected
- stop logging
- collect logs with ESET Log Collector
- upload the generated archive here or to a safe location and drop me a personal message with a download link.

Last but not least we'd recommend upgrading to a fully supported OS for which the vendor releases security updates on a regular basis.

[Ghana-Engineer 0]

@Marcos We will send you the logs alright. But why is it that ESET detects, cleans it yet the DriveMgr.exe worm still exist on the Server. Why can't ESET Completely delete it.

[Marcos 5,074]

Maybe it's just an empty file. And maybe it's just that gui hasn't refreshed after deleting the file.

[Ghana-Engineer 0]

@Marcos we started the scan yesterday and ESET will detect the worm alright, delete and it will reappear. 

[Marcos 5,074]

1 minute ago, Ghana-Engineer said:

@Marcos we started the scan yesterday and ESET will detect the worm alright, delete and it will reappear. 

Of course. That's because you have another machine in the network which is infected and from which the worm spreads to other machines.

[Ghana-Engineer 0]

@Marcos on the Network, we have installed ESET Enpoint Security on all PCs. So why are we not receiving any information on the Protect Console that ESET has detected worm on other Endpoints.?

[Marcos 5,074]

We'll see that the logs show.

[itman 1,659]

Sophos has a write up on drivemgr.exe worm here: https://docs.sophos.com/central/MTR/selfhelp/en-us/central/MTR/learningContents/lc_LNKRemediationWorkflow.html . In their write up, it's being spread via a .lnk file that runs at startup via a Win autorun entry. This would explain why it keeps reappearing.

Sophos also has a "SourceOfInfection" utility that can be used to identify network device where the .lnk autorun entries exist. Unfortunately, it appears it doesn't work on Win 10 or newer Win Server OS versions. Also appears its only of value if a Sophos AV solution is deployed since it is using that as its detection mechanism on the infected network device.

Manual source identification entails the following:

Quote

• Download Autoruns for Windows and use it to find the worm.

See How to use Microsoft Autoruns to locate undetected malware.

• Check the following locations as they're the most likely places you'll find the worm.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

• Change the user account you're viewing. A non-standard user account may be loading the worm. To view other users in Autoruns, do as follows:Click File > Run as Administrator.

Wait for the information in Autoruns to reload.

Click Users and check each user account for the worm.

This worm can hide under different user accounts. The following image shows an example of infected user account information in Autoruns.

-EDIT- The "tricky" and involved part of the above is to determine the network device where the .lnk resides in a Win autorun startup entry. It may also not be a .lnk file but suspect it is. This may or may not be on the client device where Eset detected the malware. I would however start the examination process with that device.

Another long used favorite for malware authors to drop a malicious .lnk reference is in this directory, C:\Users\xxxxxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Edited February 16, 2021 by itman

[itman 1,659]

This bugger  might also be Phorpiex Botnet malware, also know as Tldr, given its current widespread dissemination. Checkpoint has a great detailed analysis on it from which I will only note the worm spreading part:

Quote

Self-spreading Thread

In this thread, the functionality of a file-worm is implemented.

In an infinite loop with a delay of 2 seconds, Tldr enumerates the available drives using GetLogicalDrives. It reads the “Software\Microsoft\Windows\CurrentVersion\Policies\Explorer” registry key value “NoDrives” and excludes the drives disabled by the NoDrives Windows Explorer policy from enumeration.

Then, Tldr selects only removable and remote drives. On each selected drive, it creates a folder with the name “__” and sets the attributes FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, and FILE_ATRRIBUTE_SYSTEM to the created folder to make it invisible in Explorer by default.

The malware copies itself to this folder under the hardcoded name (“DriveMgr.exe” in our sample). Tldr acquires the volume name of the selected drive. Then it creates a shortcut with the name “{volume_name}.lnk” in the root folder of the selected drive with the target:

%windir%\system32\cmd.exe /c start __ & __\DriveMgr.exe & exit

Then Tldr moves all folders from the root path of the selected drive to the folder “__”. It also deletes all files in the root path with the following extensions:

*.lnk, *.vbs, *.bat, *.js, *.scr, *.com, *.jse, *.cmd,*.pif, *.jar, *.dll, *.vbe, *.inf”

The reason for this may be to disable all other worms that reside on the same removable drive.

As we can see, the behavior is the same as for other worms that use removable drives for spreading.

However, in Tldr v5.0, a new functionality was introduced that allows the malware to function as a file-infecting virus and infect other executables. Earlier, Phorpiex used a separate module to infect other software.

The malware scans all folders on removable and remote drives and infects all .exe files that are still not infected.

Another worm infection method this malware uses is:

Quote

Phorpiex VNC Worm Module

One of the modules we discovered in the Phorpiex arsenal is a malicious VNC client. It doesn’t have its own persistence mechanism and is normally executed by Tldr each time. This tiny malware scans random IP addresses for an open VNC server port (5900) and runs a brute-force attack using a hard-coded list of passwords. The final goal of that attack is to load and execute another malware (usually Phorpiex Tldr) on the target host.

The execution of the Phorpiex VNC Worm starts with an API bombing sandbox evasion technique.

https://research.checkpoint.com/2020/phorpiex-arsenal-part-i/

This malware also includes a NetBIOS based worm:

Quote

Phorpiex NetBIOS Worm Module

This module represents a self-spreading worm which also includes functionality for downloading an additional payload.

The NetBIOS Worm scans random IP addresses for an open 139 TCP port (NetBIOS) and runs a brute-force attack using a hard-coded list of usernames and passwords. The attack itself is performed in an infinite loop. The IP addresses for scanning are generated randomly using the rand() function and GetTickCount() results as a random seed. The only filter rule for an IP address is that it cannot start with 127, 172 or 192. A separate thread is created to communicate with each IP address. Astute readers may have already observed that the scanning functionality is quite similar to the one in the Phorpiex VNC Worm module.

The NetBIOS Worm prevents multiple executions in several instances by creating a mutex with a hardcoded name (the name varies between samples). It stops execution if the mutex already exists.

If it was loaded by Phorpiex Tldr, this module is saved with a pseudo-random name. During the self-spreading stage, the malware uploads itself with the name “WindowsDefender.exe”. In this case NetBIOS Worm must download the main Phorpiex module or another payload.

https://research.checkpoint.com/2020/phorpiex-arsenal-part-ii/

Edited February 17, 2021 by itman