RTP Trojan (wermreport.exe and wermgpd.exe)

[Astrowiz]

Malwarebytes full system scans are coming up clean for workstations and servers on this network, but when a user logs in the RTP is popping up a Trojan block referencing  "wermreport.exe" and "wermgpd.exe".  When we browse to C:\Windows\System32\wermgpd.exe or wermreport.exe don't exist.  I have attached FRST, Addition and RTP logs.  

-Log Details-
Protection Event Date: 8/4/20
Protection Event Time: 1:32 PM
Log File: 6774a778-d678-11ea-a844-509a4c1b0b20.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27939

-System Information-
OS: Windows 10 (Build 15063.1418)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\wermreport.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain: 
IP Address: 88.119.175.96
Port: 443
Type: Outbound
File: C:\Windows\System32\wermreport.exe

-Log Details-
Protection Event Date: 8/4/20
Protection Event Time: 10:55 AM
Log File: 8700f2a6-d662-11ea-8255-000c29d22054.json

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27937
 

-System Information-
OS: Windows Server 2012 R2
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\wermgpd.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain: 
IP Address: 88.119.175.96
Port: 443
Type: Outbound
File: C:\Windows\System32\wermgpd.exe

Any insight on removal is greatly appreciated.

Addition.txt FRST.txt Malwarebytes-Workstation.txt MalwarebytesLog-Server.txt

[AdvancedSetup]

Hello @Astrowiz

Is this a business system? Your email indicates a personal user but the installed software would indicate a remote managed system. Using the Consumer product to manage workstations and servers is not the correct product to be using is why I ask.

I see a few things wrong with the system but not sure they're directly the cause of this or not. The detection is from 8 months ago so it's nothing new.

Is the installation of Malwarebytes recent?

The following are items that need attention or further review, but again they may not be due to the issue you're seeing.

 

The computer is running an OLD compromised version of Java. I would highly recommend uninstalling Java and if possible run the system without Java. If you really have to have it then make sure it's up to date at all times. https://java.com

 

"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION (tasks should not normally be locked)

"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION (tasks should not normally be locked)

Unless some type of advanced infection has gotten on the system this would seem semi-normal

"C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot" could not be unlocked. <==== ATTENTION

https://www.thewindowsclub.com/update-orchestrator-service-in-windows-10

 

The computer has what appears to be old drivers for both Webroot Security and Symantec Security either listed or loading but installation points are not listed. I would suggest removing such entries if not set or running on purpose. In many cases they're only there due to a failed or poor uninstall.

S3 NAVENG; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVEX15.SYS [X]

S2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [4876832 2020-08-04] (Webroot Inc. -> Webroot)
S3 wrUrlFlt; C:\Windows\system32\DRIVERS\wrUrlFlt.sys [58304 2020-08-04] (Webroot, Inc -> Webroot)

 

Kaspersky also blocks this IP - Why or what is calling this IP we'd need to do some more research to see. We can probably use TCPVIEW from Microsoft for that :  https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview

https://www.virustotal.com/gui/url/50db7cce646dc529a4b994c4a000bbb5b85ca785ed074bb4792ca6639270c642/detection

I can write a script to do some generic clean up and remove said drivers if you'd like - just let me know.

 

Please run the following on the system to check for old or outdated software.

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.
• This tool is safe.   Smartscreen is overly sensitive.
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Thanks

 

Edited August 6, 2020 by AdvancedSetup
updated information

[AdvancedSetup]

Based on the file name it might have something to do with the Mirai (malware)

https://www.virustotal.com/gui/ip-address/88.119.175.96/relations

https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/

https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/

https://en.wikipedia.org/wiki/Mirai_(malware)

https://krebsonsecurity.com/tag/mirai-botnet/

 

[Astrowiz]

Thank you for getting back to me.  This was a new install of Malwarebytes on the workstation and the RTP alerts after the install is what triggered this thread.  

*******

You wrote:  "Kaspersky also blocks this IP - Why or what is calling this IP we'd need to do some more research to see. We can probably use TCPVIEW from Microsoft for that"  

-- I installed TCPView and monitored most of today.  That IP never came up in the monitor.  It appears to only make contact to "x.x.175.96 bacloud.com" when a user logs in.  

********

Is there a way I can identify what tasks are being reference below?  Did a quick search of the registry and only found two entries (screenshots submitted).  I can't tell what Task this is referencing.

"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}" was unlocked. <==== ATTENTION (tasks should not normally be locked)

"C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}" was unlocked. <==== ATTENTION (tasks should not normally be locked)

-- I am reviewing the Task Scheduler items to see which ones are configured to trigger at logon.

******

S3 NAVENG; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Symantec.cloud\EndpointProtectionAgent\NortonData\22.9.3.13\Definitions\SDSDefs\20171006.017\NAVEX15.SYS [X]

--  These are left over from an old installation of Symantec and will need to be cleaned off.  The Webroot installation is new, so it is odd that it would reference old drivers.

*******

"C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot" could not be unlocked. <==== ATTENTION

I use a 3rd party patch management program and the service is currently set to Manual.  Is it possible the patch management program has something to do with this entry?

********

Thanks again for all your valued insight.  The way this is looking, I will most likely wipe the workstation and start with a fresh install since we can't identify what is making that call out with "wermgpd and wermreport" unless you have additional ideas on how to locate the source.

[Astrowiz]

One additional note, I referenced the links you supplied regarding Miari botnet and it appears to be associated with Linux and IoT devices using the Linux kernal.  Did I miss one that said it could impact Windows OS as well?  Thx again!

[AdvancedSetup]

The issue or possible concern is that devices on the same network such as Internet of Things devices or printers, Linux, etc could potentially be affecting the network. If there are no such devices then all should be well.

The items for the Tasks are physical folders on the hard drive not entries in the Registry

C:\Windows\System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202

I did check with our Team and the IP was removed from blocking as the threat no longer exists. However, why it is/was trying to connect is unknown

Not that Webroot was using old driver but it did not appear to have the full interface installation entry for it but there was at least one service and / or a task calling it.

I probably wouldn't rebuild the system for this alone unless there are multiple other systems on the same network and none of them are having this issue then perhaps a quick rebuild might be in order just to be safe.

If you'd like to do other scans or checks though please let me know.

Thanks

 

[Astrowiz]

15 hours ago, AdvancedSetup said:

There are several workstations on this network that are reporting this RTP block which is concerning if we can't identify what is calling this request.  If you have additional scans or checks we can run, I will do so.  Many thanks!

 

[AdvancedSetup]

Please run the following on one of the affected computers.

Thanks

 

[Astrowiz]

Scan completed with no detections.

[AdvancedSetup]

Please go ahead and uninstall Malwarebytes and reinstall it using the following MBST tool.

Uninstall and reinstall Malwarebytes using the Malwarebytes Support Tool

Then after the reinstall run a new scan.

 

• If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
• If you don't have Malwarebytes installed yet please download it from here and install it.
• Once installed then open Malwarebytes and select Scan and let it run.
• Once the scan is completed make sure you have it quarantine any detections it finds.
• If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

[Astrowiz]

Ran the Uninstall with the support tool you provided.  Post reboot it installed the latest version.  I ran a new scan and there were 0 detections. Log file attached.

8-10-2020 scan.txt

[AdvancedSetup]

Thank you @Astrowiz

Please keep an eye on it but hopefully it should be okay now.

We can have you run another 3rd party antivirus scan to double-check as well

 

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you