Remediation of virus threat

[NewToThis 0]

ESET detected the following viruses in a ZIP folder: https://www.virustotal.com/gui/file/3265ddd63eba650b97a10f9b0c99202fa0725be926d98ef4b714622af1e1635f/detection

Also, here is the Triage report on the files: https://tria.ge/240201-td6x7shbg3/

I am currently running a full system scan with ESET.  However, I am having issues understanding what the viruses may have done to the computer.  Would someone please help explain what these viruses installed or hacked on the computer?  Merely deleting the .ZIP file and the extracted files is not enough; I am going to have to patch any holes that were opened by the viruses.

[Marcos 5,228]

Since the threat was detected and ESET prevented it from running, nothing was done to your computer. Also malware in an archive cannot do harm unless extracted and run undetected.

[NewToThis 0]

Allow me to clarify; the malware in the archive was extracted and run before ESET was installed; ESET was not present at the time to prevent it from running.  After installing ESET, it detected and deleted the initially downloaded archive, but it did not seem to remediate any potential damage caused by the archive.

As seen in the VirusTotal and Triage links I posted, the archive contains two .bat files that were run before ESET was install.  I need to know what those .bat files did so I can reverse any changes made by them.  As stated in my original post:

7 hours ago, NewToThis said:

Would someone please help explain what these viruses installed or hacked on the computer?  Merely deleting the .ZIP file and the extracted files is not enough; I am going to have to patch any holes that were opened by the viruses.

I would greatly appreciate your help.

 

 

[Nightowl 206]

50 minutes ago, NewToThis said:

Allow me to clarify; the malware in the archive was extracted and run before ESET was installed; ESET was not present at the time to prevent it from running.  After installing ESET, it detected and deleted the initially downloaded archive, but it did not seem to remediate any potential damage caused by the archive.

As seen in the VirusTotal and Triage links I posted, the archive contains two .bat files that were run before ESET was install.  I need to know what those .bat files did so I can reverse any changes made by them.  As stated in my original post:

I would greatly appreciate your help.

 

 

In the behaviour section , you can see what the BAT has done in the VirusTotal link , you could reverse it's changes

Better also remove the Adobe products from your PC , and also run a SFC /scannow in an admin CMD to see if there are changes to the Windows itself , so Windows can repair itself back to normal.

Also try to deep scan your PC again with ESET (deep scan) and if you need a second opinion after that you could download another scanner or use Defender(it sucks) for a scan , maybe like HitmanPro as second opinion scanner next to ESET , to see if there are any remnants.

[stackz 113]

The final payload is xworm 5.2 -

https://www.virustotal.com/gui/file/e5c423b29909bed8ab996d2f73db11e1e72d84a6ace0ba73feb1411764259d50?nocache=1

If Windows Defender is used, then the "C" drive is added as an exclusion. Like all RATs there's potentially passwords stolen and information from the clipboard.

There should be a scheduled task (OneNote 71730) and shell:startup entry. 

This is the loader for the above file:

https://www.virustotal.com/gui/file/7d5742c543a7f6412985e3ac832204931be7e1e20ca600e7434b534bbbc1e3a9

Edited February 6 by stackz

[Nightowl 206]

1 hour ago, stackz said:

There should be a scheduled task

It's true better to check Task Scheduler , it will try to revive itself from there.

[NewToThis 0]

Thanks for everyone's help!  Neither Hitman Pro nor Malwarebytes found anything, and I am running a Deep Scan with ESET now.  I did not see anything in shell:startup, and I did not find that OneNote task in Task Scheduler.  However, I have attached the results of a cmd "schtasks /query" if you could double-check that nothing is amiss there.  

Any other insights into things I should check in relation to those .bat files is greatly appreciated.

Scheduled Tasks - 02-06-2024.txt

[itman 1,739]

10 hours ago, stackz said:

The final payload is xworm 5.2 -

Here's an article on XWorm and what it does: https://www.pcrisk.com/removal-guides/27436-xworm-rat .

The main question is what credentials were compromised prior to discovery of this malware? Resetting of existing passwords and the like at a minimum would be advisable. 

[NewToThis 0]

Thanks, everyone!  Since none of the scans have actually found the xworm payload and have only found the initial .bat files from the archive, does that mean I should be in the clear, barring any issues found in the Task Scheduler log I attached earlier? Perhaps the xworm payload did not get a chance to download?

[SeriousHoax 86]

Do two more scans with Norton Power Eraser and Kaspersky Virus Removal Tool. These two are the best second opinion scanners. 

[itman 1,739]

1 hour ago, NewToThis said:

Since none of the scans have actually found the xworm payload and have only found the initial .bat files from the archive, does that mean I should be in the clear

Did you actually extract the archive and run the .bat or any other executables in the extracted archive folder? If the answer is no, you are OK.

The key item here is if the archive was extracted or not. If the archive has been extracted and you didn't do so manually, assume malware did so.

[NewToThis 0]

Yes, as stated in a previous post, the archive was extracted and at least one .bat was run.  Norton Power Eraser and Kaspersky Virus Removal Tool did not find anything.  @Nightowl and @stackz, given everything I have done today with no further detections past the initial .bat files, do you think I am in the clear?  If you can also look over the Task Scheduler log I attached earlier, that would be great.

[itman 1,739]

Below are two links to web sites that specialize is malware removal, cleanup. etc.. They use specialized tools such as Farbar Recovery Scan Tool (FRST) that can detect system modifications done by malware;

https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/

https://malwaretips.com/forums/windows-malware-removal-help-support.10/

[NewToThis 0]

Since I haven't received any further feedback from anyone about this issue, I will provide an update.  After a deep scan of over 3 million items, ESET found nothing.  So, after running five scans from five different vendors, nothing was found beyond the two .bat files contained in the archive.  I do not believe the "final payload" was ever downloaded despite at least one .bat file being opened, so perhaps the link to the payload was dead or the Norton firewall blocked it in the background.

If anyone has any additional thoughts on the VirusTotal/Triage information I presented, feel free to share.  However, I am cautiously optimistic that everything is okay and that the "final payload" was avoided.  Thanks, everyone!

[stackz 113]

The loader and xworm payload are contained in the batch file. The payload is an encoded resource of the loader. If it's not executed as administrator, or is run in a virtual environment or thinks it's being debugged/analyzed, the loader will exit.

If there were no other detections outside of the batch files, then I doubt infection took place. If your 'C' drive wasn't added as an exclusion in Defender, then the loader likely exited without infecting.

Edited February 9 by stackz

[NewToThis 0]

5 minutes ago, stackz said:

The loader and xworm payload are contained in the batch file. If it's not executed as administrator, or is run in a virtual environment or thinks it's being debugged/analyzed, the loader will exit.

If there were no other detections outside of the batch files, then I doubt infection took place. If your 'C' drive wasn't added as an exclusion in Defender, then the loader likely exited without infecting.

Thanks for explaining it to me!  Since Norton was the registered antivirus in Windows Security when the batch file was ran, I believe Windows Defender and its exclusion options were unavailable at the time.  So, even though Norton didn't prevent the archive from being downloaded and the .bat from running, perhaps Norton's presence prevented the "C drive exclusion" from happening.  I still think moving away from Norton and perhaps to ESET is the best option; Norton proved to be useless in stopping the archive from being downloaded in the first place.