CoinMiner worm removing


DNK
Hi All,

My server has been infected with CoinMiner ("*****youmm_consumer" and "*****youmm2_consumer"). I have tried all the suggestions in the following links:

https://support.sophos.com/support/s/article/KB-000037977?language=en_US

https://support.sophos.com/support/s/article/KB-000038535?language=en_US&c__displayLanguage=en_US

I also scanned and quarantined all the worms with my Malwarebytes Premium license. It was easy to remove all the worms, but the result wasn't as expected. After a server restart, all the "*****youmm" entries came back again, even when I tried in safe mode.

Can anyone help me completely clear these worms?


  • Root Admin

Hello @DNK and :welcome:

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


On 11/19/2020 at 12:13 PM, AdvancedSetup said: (the FRST instructions quoted above)

Hello @AdvancedSetup,

Here are the logs after running FRST.

Thank you.

FRST.rar


  • Root Admin

May I ask why you have Google Chrome on a $6K licensed server?

Platform: Windows Server 2016 Datacenter Version 1607 14393.4046 (X64) Language: English (United States)
Default browser: Chrome

Datacenter is a very special class server and should not be used by anyone for browsing the Internet. Generally speaking most Corporate Customers have tens or hundreds of thousands of dollars riding on the Server remaining clean, safe, and running all the time. Installing anything for general purpose or to get a "Desktop Experience" just seems to fly in the face of security.

You now have 5 different antivirus products running on the system as well which could easily cause a conflict or even possibly a system freeze.

  • Emsisoft
  • HitmanPro.Alert
  • Malwarebytes
  • Sophos
  • Windows Defender

 

Is Vietsoft your company?

What is this batch file doing?

HKLM\...\Run: [BGClients] => cmd /c start /min c:\windows\system32\wbem\123.bat

 

This is a valid WMI class (__IntervalTimerInstruction), but not in the way it's called.

WMI:subscription\__TimerInstruction->fuckyoumm2_itimer:: <==== ATTENTION
WMI:subscription\__TimerInstruction->fuckyoumm_itimer:: <==== ATTENTION
WMI:subscription\__IntervalTimerInstruction->fuckyoumm2_itimer:: <==== ATTENTION
WMI:subscription\__IntervalTimerInstruction->fuckyoumm_itimer:: <==== ATTENTION

You would need to see what was setup in WMI under these entries to see if they're valid or not.

 

The server is also experiencing an activation event issue that you should investigate further.

Error: (11/20/2020 01:37:58 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=21c56779-b449-4d20-adfc-eece0e1ad74b;NotificationInterval=1440;Trigger=TimerEvent

 

 

It looks like something tried to install but failed

Error: (11/20/2020 12:57:31 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MsiExec.exe, version: 5.0.14393.2430, time stamp: 0x5b691f6b
Faulting module name: MSI9E61.tmp, version: 1.10.1051.0, time stamp: 0x5f246e10
Exception code: 0xc0000005
Fault offset: 0x000000000000f65b
Faulting process id: 0xa0
Faulting application start time: 0x01d6be9d4d3383eb
Faulting application path: C:\Windows\System32\MsiExec.exe
Faulting module path: C:\Windows\Installer\MSI9E61.tmp
Report Id: 3f3fe3cf-df31-4d46-8f18-afc4027f65e2
Faulting package full name:
Faulting package-relative application ID:

 

Where did you try to download Autoruns from? That is a Microsoft file, but Windows Defender believes the version you have is a Trojan:

Date: 2020-11-18 16:37:36.687
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:

https://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:JS/Adodb.gen!D&threatid=2147602890&enterprise=0
Name: TrojanDownloader:JS/Adodb.gen!D
ID: 2147602890
Severity: Severe
Category: Trojan Downloader
Path: file:_C:\Users\Administrator\AppData\Local\Temp\2\WMI9583.tmp.txt
Detection Origin: Local machine
Detection Type: Generic
Detection Source: Real-Time Protection
Process Name: C:\Users\Administrator\Desktop\Autoruns\Autoruns.exe
Signature Version: AV: 1.327.1095.0, AS: 1.327.1095.0, NIS: 1.327.1095.0
Engine Version: AM: 1.1.17600.5, NIS: 1.1.17600.5

 

Again, it's your business, so it's your decision on what or how you run your computer, but in my 30-year career supporting enterprise business we've never allowed servers to be treated like desktops.

 

 

My advice would be to disable ALL of the security products except one at a time. Then, for each of them, make sure it's up to date and do a Full system scan while the other security software is disabled. See if any of them can detect anything or not and let me know.

Thanks

 

 

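The FRST lines above only show the names of the timer instructions; to judge whether they are legitimate you need the whole chain (filter, consumer, binding, timer) from the root\subscription namespace. The script below is an added example written for this thread, not code from the original posts, Malwarebytes or FRST. It targets Windows Server 2016 / PowerShell 5.1 and deliberately uses Get-WmiObject rather than Get-CimInstance because the former returns __FilterToConsumerBinding references as plain strings that are easy to pattern-match. The pattern 'youmm' and the BGClients Run value are taken from the FRST output quoted above; everything else (function names, the export path) is my own choice. Two things worth knowing when reading the output: querying the abstract parent class __TimerInstruction returns the same instances as __IntervalTimerInstruction, which is why each *_itimer name appears twice in FRST; and an ActiveScriptEventConsumer carries its payload inline as ScriptText, which is consistent with Defender flagging a WMI*.tmp.txt file written by the Autoruns process (Autoruns dumps WMI script bodies to temp for scanning; that is my inference, not stated in the thread).

```powershell
# Added example (not from the thread): enumerate, export and remove persistent WMI
# event subscriptions. Run in an elevated PowerShell on Server 2016 / PS 5.1.
$ns = 'root\subscription'

function Get-WmiPersistence {
    # One object per filter, consumer, binding and timer so the whole chain is visible at once.
    $out = @()
    Get-WmiObject -Namespace $ns -Class __EventFilter | ForEach-Object {
        $out += [pscustomobject]@{ Kind = 'Filter'; Name = $_.Name; Detail = $_.Query }
    }
    # __EventConsumer is abstract; the query returns every derived consumer instance.
    Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object {
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs ScriptText.
        $detail = if ($_.CommandLineTemplate) { $_.CommandLineTemplate } else { $_.ScriptText }
        $out += [pscustomobject]@{ Kind = "Consumer ($($_.__CLASS))"; Name = $_.Name; Detail = $detail }
    }
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding | ForEach-Object {
        # Filter/Consumer are strings of the form __EventFilter.Name="..." here.
        $out += [pscustomobject]@{ Kind = 'Binding'; Name = $_.Filter; Detail = $_.Consumer }
    }
    Get-WmiObject -Namespace $ns -Class __TimerInstruction | ForEach-Object {
        # An __IntervalTimerInstruction raises a __TimerEvent every IntervalBetweenEvents ms;
        # a filter selecting that TimerId is what fires the consumer on a schedule.
        $out += [pscustomobject]@{ Kind = "Timer ($($_.__CLASS))"; Name = $_.TimerId; Detail = $_.IntervalBetweenEvents }
    }
    $out
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory)][string]$NamePattern)
    # Bindings go first so nothing is left pointing at a filter or consumer that has just been deleted.
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -match $NamePattern -or $_.Consumer -match $NamePattern } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter      | Where-Object Name    -match $NamePattern | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventConsumer    | Where-Object Name    -match $NamePattern | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __TimerInstruction | Where-Object TimerId -match $NamePattern | Remove-WmiObject
}

# 1. Snapshot everything before touching it (useful for the research team and for your own notes).
$before = Get-WmiPersistence
$before | Format-Table -AutoSize -Wrap
$before | Export-Clixml "$env:USERPROFILE\Desktop\wmi-subscriptions-before.xml"

# 2. Remove the chain named in the FRST log. Pattern comes from the thread; adjust to what step 1 shows.
Remove-WmiPersistence -NamePattern 'youmm'

# 3. The Run value from the FRST log points at a batch file DNK says no longer exists; list the key
#    so the dead entry can be reviewed and removed by hand.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | Format-List

# 4. Re-check now and again immediately after the next reboot. If the entries return although step 1
#    showed nothing left after removal, whatever recreates them lives outside WMI (a task, service,
#    Run key) or on another host that reinfects this one over the network.
Get-WmiPersistence | Format-Table -AutoSize -Wrap
```

The order in Remove-WmiPersistence matters: a filter or consumer removed while its binding still exists leaves a dangling binding that some tools report as a fresh finding, which can look like "the entries came back" when nothing actually re-created them.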

  • Root Admin

Please see the following for additional information on WMI abuses.

An intro into abusing and identifying WMI Event Subscriptions for persistence
https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/

WMI for Detection and Response
https://www.hsdl.org/?view&did=795007

Windows Management Instrumentation (WMI) Guide: Understanding WMI Attacks
https://www.varonis.com/blog/wmi-windows-management-instrumentation/

Event Triggered Execution: Windows Management Instrumentation Event Subscription
https://attack.mitre.org/techniques/T1546/003/

 


Hello @AdvancedSetup,

Thanks for your advice. I am just using Chrome to download Sophos and Malwarebytes. I have blocked all outbound and inbound connections to the server except connections to the Sophos and Malwarebytes servers for updating. I also downloaded the Autoruns file from the Microsoft site. Vietsoft is my company's user.

I don't know the batch file 123.bat. It does not exist at this path: c:\windows\system32\wbem\123.bat. Once the server reboots, the CMD window shows that this file is not found, and the worms come back.

Thanks!


7 minutes ago, AdvancedSetup said:

Can you please post back the most recent scan log showing the detection and removal so that I can submit it to our Research Team. I'm told this should be removed so they want to check the log.

Thanks @DNK

 

I don't understand what you mean. Post back the log that I sent you before?


  • Root Admin

Those were FRST scan logs.

I would like to get a copy of the Malwarebytes Threat Scan log. You said you ran Malwarebytes and scanned and removed but it came back. I'd like to see that report please.

Click the little bullseye in the top center of the program. Then Reports. Can export or copy from there.

 


  • Root Admin

Please open Regedit and browse to this key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings

Then locate each active user account; under each one it will list all the apps that have run, as well as the time they ran.

The registry values use a Windows 64-bit hex (little-endian) timestamp.

Then, you can also review your Scheduled Tasks to see if something unexpected is running there.

You can type the following, or copy/paste it into an elevated admin command prompt, and it will list all your scheduled tasks. Then save the file and review it for anything out of the ordinary.
Or you can manually go through all the scheduled tasks via the Task Scheduler GUI.

SCHTASKS /Query /fo table /v > 0 && notepad 0 | ECHO >NUL  & DEL 0 

 

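Decoding the BAM timestamps by hand in Regedit is slow, so here is an added example (my own code, not from the thread) that walks the UserSettings key, resolves each SID to an account name and converts the first eight bytes of every binary value from a little-endian FILETIME to a UTC date. Two assumptions are mine: that each binary value starts with the FILETIME, which matches the "Windows 64bit Hex (Little Endian) TimeStamp" description above, and that the key may be absent on this build (BAM tracking arrived in later Windows 10 releases, 1709 onward to my knowledge, and the server is a 1607-based Server 2016), in which case the script reports that rather than failing.

```powershell
# Added example (not from the thread): decode BAM "last executed" evidence per user.
# Run in an elevated PowerShell. Only the first 8 bytes of each value are interpreted.
$bamPaths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',  # path given in the thread
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'         # older layout without \State
)
$bam = $bamPaths | Where-Object { Test-Path $_ } | Select-Object -First 1

function ConvertFrom-BamValue {
    param([byte[]]$Bytes)
    # Little-endian 64-bit FILETIME: 100 ns ticks since 1601-01-01 UTC.
    if ($null -eq $Bytes -or $Bytes.Length -lt 8) { return $null }
    [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 0))
}

function Get-BamEntries {
    if (-not $bam) {
        Write-Warning 'No BAM UserSettings key on this build; rely on the scheduled task review instead.'
        return
    }
    Get-ChildItem $bam | ForEach-Object {
        $key = $_
        $sid = $key.PSChildName
        $user = $sid
        try {
            $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
        } catch { }   # orphaned SID (deleted account): keep the raw SID
        # Version and SequenceNumber are DWORD housekeeping values, not executables.
        $key.GetValueNames() | Where-Object { $_ -notin 'Version', 'SequenceNumber' } | ForEach-Object {
            $val = $key.GetValue($_)
            if ($val -is [byte[]]) {
                [pscustomobject]@{ User = $user; LastRunUtc = (ConvertFrom-BamValue $val); Path = $_ }
            }
        }
    }
}

Get-BamEntries | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize -Wrap
# Worth a second look: anything under \wbem, Temp, ProgramData or a profile directory that is not
# a known admin tool, and executions clustered around the reboots after which the WMI entries returned.
```

Because the values are keyed by executable path, a renamed or relocated binary shows up as a separate row; compare the paths, not just the names, against what Task Scheduler and the Run keys claim to launch.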

  • Root Admin

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

 


 

Thanks

 


  • Root Admin

Is it possible that Sophos is the one either actually preventing the WMI removal, or uses a feature that puts back the entry as an unauthorized removal?

I'm not seeing anything to account for restoring the bad entries and I assume you've done full scans with all of the security products and them not finding anything either.

 

 


  • Root Admin

Might be legit but strange name for a Task on a Server

HostName  TaskName              Status  Logon Mode              Last Run Time           Last Result  Author     Task To Run                                    Comment                  State    Run As User  Schedule Type
VM-01     XblGameSaveTask       Ready   Interactive/Background  11/18/2020 10:59:51 AM  0            Microsoft  %windir%\System32\XblGameSaveTask.exe standby  XblGameSave Standby Task  Enabled  SYSTEM       At idle time
VM-01     XblGameSaveTaskLogon  Ready   Interactive/Background  11/18/2020 1:38:27 PM   0            Microsoft  %windir%\System32\XblGameSaveTask.exe logon    XblGameSave Logon Task    Enabled  SYSTEM       At logon time

 

 

Go through that list and double-check that all tasks are actually running what they're supposed to be running. A bad/bogus name could look legit but run an unwanted script.

I didn't see any that stood out right away, but it's best to double-check.

So far I'm not seeing anything to account for the WMI entries returning: no malware found, no bogus startup entries, etc. That's why I'm asking about Sophos, to see if possibly it's simply trying to do its job and putting those entries back.

 

You could also try deleting ALL temp files, but since you run SQL you'd have to find and exclude those from deletion, as that could affect the running of SQL.

 

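The advice above (and the SCHTASKS listing suggested earlier in the thread) asks for each task's action to be checked against what it should be running. The added example below is my own code, not from the thread or from Malwarebytes, and automates the part that is easy to get wrong by eye: it expands each action's executable path, verifies the file exists and is Authenticode-signed, and flags actions that run through an interpreter (cmd, powershell, wscript, mshta, regsvr32, rundll32 and friends), because a task named after a Microsoft component can run signed Microsoft code whose arguments are the actual payload. The function name and the interpreter list are my choices; the XblGameSave tasks mentioned above are used only as the expected "clean" case.

```powershell
# Added example (not from the thread): review every scheduled task action on Server 2016.
# Run in an elevated PowerShell; Get-ScheduledTask comes from the built-in ScheduledTasks module.
function Get-TaskActionReport {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no Execute; skip them here
            # Strip quotes and expand %windir%-style variables so the path can be tested.
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            if (-not (Test-Path $exe)) {
                # Bare names such as cmd.exe resolve through PATH.
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Source }
            }
            $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
            $interp = $exe -match '\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)\.exe$'
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Principal  = $task.Principal.UserId
                Executable = $exe
                Arguments  = $a.Arguments
                Signature  = $sig
                # Review anything unsigned/missing, and every interpreter: its arguments are the real action.
                Review     = ($sig -ne 'Valid') -or $interp
            }
        }
    }
}

$report = Get-TaskActionReport
$report | Where-Object Review | Sort-Object Task | Format-Table -AutoSize -Wrap
# The two XblGameSave tasks from the thread come out as Signature=Valid, Review=False: a Microsoft-signed
# binary with no interpreter. For each Review=True row, read the full definition before deciding:
#   Export-ScheduledTask -TaskPath '\' -TaskName '<name>'
```

A valid signature only proves the launched binary is genuine; it says nothing about a .bat, .vbs or encoded PowerShell passed in Arguments, which is why interpreter actions are always surfaced regardless of signature status.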
