Posted (edited)

I use Endpoint Security 11.1.2052. Today, an employee opened the infected Trojan NSIS/Injector.DBG file; the file had the extension *.pdf.img. For the first time, ESET was unable to remove the Trojan. It turned out that it had created a Virtual Disk on which it had saved the infected file. For now, I have uninstalled the Virtual Disk and am doing a full scan.

Edited by HUGOK
  • Administrators
Posted

It's unlikely that an NSIS/Injector would be that advanced and create a virtual disk. If you still have the malicious sample or at least its hash, please provide it. Also provide logs collected with ESET Log Collector. I take it that the malware has been cleaned completely and there are no issues, is that correct?

Posted (edited)

I have an infected message on the mail server. I can send it for analysis and to check why ESET was unable to remove it from the created Virtual Disk. Please provide only the address to which I can send it.

Edited by HUGOK
Posted (edited)
6 hours ago, Marcos said:

It's unlikely that a NSIS/Injector would be that advanced and created a virtual disk

My guess is a PowerShell script was used to silently create the virtual drive. The manual method is shown below. Substitute .img for .iso:


Mount ISO image command

To mount an ISO image using a PowerShell command, use these steps:

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to mount an ISO image and press Enter:

     Mount-DiskImage -ImagePath "PATH\TO\ISOFILE"

     In the command, make sure to replace "PATH\TO\ISOFILE" with the actual path of the .iso file. For example, this command mounts an image in the "E:\" virtual drive:

     Mount-DiskImage -ImagePath "E:\Windows10.iso"

https://www.windowscentral.com/how-mount-or-unmount-iso-images-windows-10


Edited by itman
Posted (edited)

After running the infected file, an additional disk was created simulating a DVD drive, drive D, and the infected file was automatically saved on it. ESET was unable to remove it, and I don't know why it allowed the creation of such a disk, i.e. the virus was not blocked by the program. After removing the created drive from the Device Manager and thoroughly scanning, everything is OK for now.


Edited by HUGOK
  • Administrators
Posted

The malicious file has a double extension (.pdf.img). As an img file, Windows mounts it automatically as a virtual drive when you open it. If detected, after a reboot the image won't be mounted and the NSIS installer will be deleted.
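As an added example (not code from this thread, from ESET, or from the quoted article), the following PowerShell response script covers both points raised above: it flags attachments that hide a mountable image behind a document extension (the .pdf.img case) and lists the virtual DVD drives Windows created by auto-mounting such an image, with the backing file, so they can be dismounted without waiting for a reboot. It assumes Windows 10/11 with the built-in Storage module (Get-DiskImage, Dismount-DiskImage); the quarantine path in the usage lines is hypothetical.

```powershell
# Added example, not from the thread or from ESET. Assumes the built-in Storage module.
$ImageExt = @('.img', '.iso', '.vhd', '.vhdx')        # extensions Explorer mounts on double-click
$DocExt   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt')

function Find-DoubleExtensionImage {
    # Walk a folder (e.g. an attachment drop) and report files such as invoice.pdf.img
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $ImageExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # Extension that remains once the final .img/.iso is stripped
            $inner = [System.IO.Path]::GetExtension($_.BaseName).ToLower()
            if ($DocExt -contains $inner) {
                [pscustomobject]@{ File = $_.FullName; Disguise = $inner; Container = $_.Extension }
            }
        }
}

function Get-MountedVirtualImage {
    # A mounted image shows up as a "Microsoft Virtual DVD-ROM" drive (the extra D: in the report above)
    Get-CimInstance -ClassName Win32_CDROMDrive |
        Where-Object { $_.Caption -like '*Virtual*' } |
        ForEach-Object {
            # DeviceID is the \\.\CDROMn device path; Get-DiskImage maps it back to the opened file
            $img = Get-DiskImage -DevicePath $_.DeviceID -ErrorAction SilentlyContinue
            if ($img) {
                [pscustomobject]@{
                    Drive     = $_.Drive            # e.g. D:
                    ImagePath = $img.ImagePath      # the .pdf.img that was double-clicked
                    Files     = (Get-ChildItem "$($_.Drive)\" -Recurse -File -ErrorAction SilentlyContinue).Name -join ';'
                }
            }
        }
}

function Dismount-MountedVirtualImage {
    # Unmount every image found above; the virtual drive disappears immediately. Run elevated.
    Get-MountedVirtualImage | ForEach-Object {
        Dismount-DiskImage -ImagePath $_.ImagePath | Out-Null
        "Dismounted $($_.Drive) ($($_.ImagePath))"
    }
}

# Usage (hypothetical quarantine path):
# Find-DoubleExtensionImage -Path 'C:\Quarantine\Attachments'
# Get-MountedVirtualImage
# Dismount-MountedVirtualImage
```

Once the image is dismounted, the original .pdf.img file reported in ImagePath is what needs to be quarantined; deleting files from the mounted drive itself does nothing, since it is read-only and backed by that image.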
