Infected by RiskWareIStealer - feedback


Recommended Posts

On 9/20/2016 at 8:13 PM, Ried said:

Hello Hazel,

I cannot link you to a specific site that has it because all the sites are risky.  Just read the hits on this Google Search https://www.google.com/#q=kmsauto

You would have to ask whoever did the install of Windows and/or MS Office 2016 how this got onto the machine. Generally speaking, KMSAuto is a way to 'forge' a license for Windows or MS Office.

I sincerely hope you have since purchased a new PC, or at the very least did a clean install of Windows.

 

Ried is incorrect - KMSSS.exe is NOT KMSAuto or KMSPico. It's named very similarly explicitly to fool you and AVs into thinking it's just riskware. It's not. 

https://www.reasoncoresecurity.com/kmsss.exe-3b84096d9572840d7c089167c7f52c4e8a914e18.aspx

It's actually high risk full-blown viral malware with keylogging and remote trojan properties. I know this because like you, I began receiving mountains of spam out of the blue one day. Then about a month later, KMSSS.exe installed several services on my machine. My security audit logs revealed several failed and successful login attempts to system accounts such as "NT AUTHORITY", "SYSTEM", "BUILTIN/ADMINISTRATOR", etc. Luckily, Kaspersky live protection was able to zap the services away before they could do any real harm - but I still did a clean (genuine) install of Windows 10 and tightened my network security up by closing unused ports just to be safe. I've also stood up a Snort Linux box on my network to prevent possible future intrusions. All of this happened to me just last week!

 

Point is...this malware should not be ignored or dismissed as riskware because of its misleading name. It's an *extremely* dangerous Swiss Army knife capable of impersonating security service tokens and can certainly open the door to ransomware attacks.
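The post above describes reviewing the Windows Security audit log for failed and successful logons against built-in accounts. As an added example (not code from the original thread or from Malwarebytes), the following PowerShell snippet summarises logon events 4624 (success) and 4625 (failure) per target account, logon type and source address for the last N hours, which is the kind of tally that makes such attempts stand out. It assumes the script is run from an elevated prompt (the Security log is not readable otherwise) and that logon auditing is enabled; the `$Hours` parameter and the column names are the example's own choices.

```powershell
# Added example: tally logon successes and failures in the Windows Security log.
# Assumes an elevated session and audit logon events enabled (defaults on most hosts).
param(
    [int]$Hours = 24   # look-back window; constructed default for this example
)

$since = (Get-Date).AddHours(-$Hours)

# 4624 = successful logon, 4625 = failed logon
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Outcome   = if ($e.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']     # 2 interactive, 3 network, 5 service, 10 RDP
        Source    = $data['IpAddress']     # '-' or '::1' for local logons
        Process   = $data['ProcessName']   # caller process, useful for service installs
    }
}

# Group by account and outcome; the busiest buckets surface first
$rows |
    Group-Object Account, Outcome |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Failures only, with where they came from: a burst against SYSTEM, Administrator
# or other built-in accounts from a network source is worth a closer look
$rows |
    Where-Object { $_.Outcome -eq 'Failure' } |
    Group-Object Account, LogonType, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Logon type 5 (service) and the local machine account will usually dominate the success column on a healthy host; the interesting rows are repeated failures from network sources, or successes for accounts that should never log on over the network. Exporting `$rows` with `Export-Csv` keeps a copy for comparison with a later run.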

Staff

In that topic, this was the location of that file: C:\ProgramData\KMSAutoS\bin\KMSSS.exe

Your link to reasoncoresecurity simply shows that the particular KMSSS.exe that was uploaded there happened to be infected with Sality. Sality was a polymorphic file infector that was infecting machines a couple of years ago. Given that the behavior of Sality is to systematically infect every .exe, .doc, .xml, .jpeg etc., it's not surprising that when looking up files, you may find some flagged as Sality.

I stand by my initial conclusion that it does in fact belong to KMSAuto. Had he been infected with Sality, his onboard AV certainly would have been reporting it. AVs have known about Sality for years - it's nothing new. Malwarebytes also would have scanned and seen many more files than just that one. I also would have seen signs of file modifications in the logs. There are many factors to consider when trying to determine an infection.


1 month later...

Root Admin

We're sorry. It looks like your topic was somehow overlooked. Due to the length of time we'll go ahead and close this topic now, but if you still actually need help please send a private message to one of the Moderators and we'll assist you. Thank you and sorry we missed your topic.

This topic is now closed to further replies.