Subject: Tanechka Threat


PCJedi
Date: 13 NOV 27

 

Threat Description:   This threat appears as a set of files in a folder under C:\Windows and in C:\Windows\System32.   The threat installs command files, user accounts, administrator accounts and scheduled tasks.   The goal of the threat is to execute the scheduled tasks which initiate a data mining operation on outside computers based on IP addresses.   The CPU utilization quickly approaches 100%.   The ISP notices the activity as malicious DDS efforts.   The threat can be disabled and removed manually.   The infection returns upon system reboot.  

 

Infected System Details

OS Name:                   Microsoft® Windows® Server 2003, Standard Edition

OS Version:                5.2.3790 Service Pack 2 Build 3790

OS Manufacturer:           Microsoft Corporation

OS Configuration:          Primary Domain Controller

OS Build Type:             Multiprocessor Free

Original Install Date:     8/20/2011, 8:15:57 PM

System Manufacturer:       HP

System Model:              ProLiant ML150 G6

System Type:               X86-based PC

Processor(s):              4 Processor(s) Installed.

                           [01]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz

                           [02]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz

                           [03]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz

                           [04]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz

BIOS Version:              HP     - 20110118

 

- There are no commands in the Start menu or in the registry HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion entries Run or RunOnce.

- System is running AVG antivirus, which does not detect the threat

- System has been checked with Malwarebytes, which does not detect the threat

 

 

Description of files:

 

C:\Windows\backup009.cmd := executed by scheduled task

Code in file:

netsh advfirewall set allprofiles state off

 

C:\tanechka := contains the data mining files

Files in Folder

cygcrypto-1.0.0.dll

cyggcc_s-1.dll

cyggcrypt-11.dll

cyggnutls-26.dll

cyggpg-error-0.dll

cygiconv-2.dll

cygidn-11.dll

cygintl-8.dll

cygtasn1-3.dll

cygwin1.dll

cygz.dll

files.txt

gzip.exe

libeay32.dll

msvcr71.dll

passwd.txt

passwd1.txt

passwd2.txt

passwd3.txt

passwd4.txt

passwd5.txt

passwd6.txt

qsort.exe

QtCore4.dll

QtGui4.dll

random.exe

ranges.txt

ranges.txt.random

ranges_eu.txt

ranges_of.txt

ranges_us.txt

rdbrute.cmd

realvnc.exe

scanning.cmd

scan_ranges.txt

sleep.exe

ssleay32.dll

sysinfo.log

tasklist.tmp

users.txt

users2.txt

users3.txt

VNC_bypauth.txt

wget.exe

 

Notes -

Users - includes usernames the program uses to guess access to other computers

Ranges - includes IP ranges the program uses to attack

passwd - includes passwords the program uses to guess access to other computers

 

 

Active Directory Creations

user133, user134, user13# ...

admin133, admin134, admin13# ...

 

Scheduled Tasks

At1, At2, At# ...

Scheduled for every day at 12:00 AM

Created by NetScheduleJobAdd

Run as NT Authority System

 

Manual Disable

Terminate all "cmd" processes in Task Manager.

Delete the tanechka folder

Delete users and admins from Active Directory

Delete At scheduled tasks

Delete *.cmd files in C:\Windows\System32

 

Requested Action:  Permanent removal.  I am not sure where to look further to identify how this threat is re-installing itself after manual removal.

 

Updates

131128 – Most recent Malwarebytes scan found LTC-MINERD infection.   Waiting on server reboot to check results.
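The indicators listed in the post (At# tasks created by NetScheduleJobAdd and run as SYSTEM at 12:00 AM, bulk user1##/admin1## accounts, a .cmd that turns the firewall off, and anything pointing at the tanechka folder) can be checked mechanically on every host in the domain instead of by hand. The following Python triage script is an added example and is not code from the post or from any vendor; it parses captured output of `schtasks /query /v /fo CSV` and `net user` plus the text of .cmd files, all of which are constructed samples here (the host name DC01, the CONTOSO accounts and the nightly.cmd task are made up), and returns the matches as leads for a reviewer rather than as a verdict.

```python
"""Triage helper for the artifacts described in the Tanechka report.

Feed it the text of `schtasks /query /v /fo CSV`, `net user`, and the
contents of any .cmd files found under C:\\Windows and System32.
Every sample input below is constructed for illustration.
"""
import csv
import io
import re

# Indicator patterns taken from the report: At# job names, bulk-created
# userNNN / adminNNN accounts, the firewall-off command, suspect paths.
AT_TASK = re.compile(r"^At\d+$", re.IGNORECASE)
BULK_ACCOUNT = re.compile(r"^(user|admin)\d{3}$", re.IGNORECASE)
FIREWALL_OFF = re.compile(
    r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.IGNORECASE)
SUSPECT_PATHS = re.compile(r"(\\tanechka\\|backup\d{3}\.cmd)", re.IGNORECASE)

# Constructed excerpt of `schtasks /query /v /fo CSV` (subset of the
# verbose columns; DictReader keys on whatever header is present).
SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Run As User","Schedule Type","Start Time"
"DC01","At1","NetScheduleJobAdd","C:\WINDOWS\backup009.cmd","NT AUTHORITY\SYSTEM","Daily","12:00:00 AM"
"DC01","Backup","CONTOSO\backupadmin","C:\Scripts\nightly.cmd","CONTOSO\backupsvc","Daily","2:00:00 AM"
'''

# Constructed `net user` output: names sit in whitespace-separated columns
# between the dashed rule and the "command completed" footer.
NET_USER = """\
User accounts for \\\\DC01

-------------------------------------------------------------------------------
admin133                 admin134                 Administrator
backupsvc                Guest                    user133
user134                  user135
The command completed successfully.
"""

# Constructed .cmd contents keyed by path.
CMD_FILES = {
    "C:\\WINDOWS\\backup009.cmd": "netsh advfirewall set allprofiles state off\r\n",
    "C:\\Scripts\\nightly.cmd": "xcopy /E /Y D:\\data \\\\nas\\backup\\\r\n",
}


def parse_schtasks_csv(text):
    """Return one dict per task from schtasks CSV output."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_net_user(text):
    """Extract account names from `net user` output."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            names.extend(line.split())
    return names


def suspicious_tasks(rows):
    """Return (task name, [reasons]) for tasks matching any indicator."""
    findings = []
    for row in rows:
        name = row.get("TaskName", "").lstrip("\\")  # newer schtasks prefixes "\"
        reasons = []
        if AT_TASK.match(name):
            reasons.append("At# job name (NetScheduleJobAdd style)")
        if ("SYSTEM" in row.get("Run As User", "").upper()
                and row.get("Start Time", "") == "12:00:00 AM"):
            reasons.append("runs as SYSTEM at 12:00 AM")
        if SUSPECT_PATHS.search(row.get("Task To Run", "")):
            reasons.append("command references tanechka folder or backupNNN.cmd")
        if reasons:
            findings.append((name, reasons))
    return findings


def suspicious_accounts(names):
    """Keep only names shaped like the bulk-created userNNN/adminNNN accounts."""
    return [n for n in names if BULK_ACCOUNT.match(n)]


def scan_cmd_files(files):
    """Return (path, reason) for .cmd files that disable the firewall."""
    return [(path, "disables Windows Firewall for all profiles")
            for path, body in files.items() if FIREWALL_OFF.search(body)]


def triage(schtasks_text, net_user_text, cmd_files):
    """Combine the three checks into one report dict."""
    return {
        "tasks": suspicious_tasks(parse_schtasks_csv(schtasks_text)),
        "accounts": suspicious_accounts(parse_net_user(net_user_text)),
        "cmd_files": scan_cmd_files(cmd_files),
    }


if __name__ == "__main__":
    for section, hits in triage(SCHTASKS_CSV, NET_USER, CMD_FILES).items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

Run it against real captures by replacing the three constructed inputs with the output of the two commands and the .cmd files collected from the host; a task that is flagged only for "runs as SYSTEM at 12:00 AM" may be a legitimate job and needs a second look, while the At# name and the firewall-off command are the strong signals from the report. Re-running the same triage right after the reboot the post mentions shows whether the At# jobs and accounts come back, which narrows down where the re-install is coming from.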

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
