Solved

drsch.exe worm?

Posted on 2009-03-31
Last Modified: 2013-11-22
Subject: new virus/worm: drsch.exe

We have the file drsch.exe appearing in our C:\windows\system32\drivers folder. It then spreads to other machines that aren't patched with MS08-067. It also drops the file i.ini onto the root of C:. It appears to spread through the network via weak passwords, and appears to somehow access a list of accounts. It attempts to log on with these accounts and, failing, locks them out of Active Directory.

This seems to be the same creature. All Google searches indicate this thing began around the 27th:

http://translate.google.com/translate?hl=en&sl=es&u=http://www.hispasonic.com/comunidad/virus-desconocido-drsch-exe-t254794.html&ei=0W3SScHMAs3HtgeE3_HpBg&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3Ddrsch.exe%26hl%3Den%26safe%3Doff%26sa%3DN

Anyone seen this before/yet or can anyone point me to a link where Symantec or Trend or someone have a description of it?

Also, Symantec Endpoint network control alerts to the presence of this virus with the following:

MS RPC DDE BO detected

thanks
0
Question by:shattuck007
 
LVL 15

Accepted Solution

by:
xmachine earned 100 total points
ID: 24032751
Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

so, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IP's and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Other important points:

1) Review the current password policy; you can configure a Windows GPO that will require a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example)
 

A Symantec Certified Specialist @ your service


@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************

REM Detect the Windows version from the "ver" banner and jump to the matching section.
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
REM Unknown version: leave the machine untouched.
goto exit

:ver_2003
REM Re-enable the services Downadup disables so the machine can update itself again.
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping & Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
REM Downadup re-launches itself through AT jobs; drop them and disable the Schedule service.
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
REM Block the autorun.inf spreading vector on removable drives.
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_2000
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
REM Start=4 is SERVICE_DISABLED; set via the registry since sc refuses it for Schedule on Vista.
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:ver_vista-sp1
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%computername%_%username%_logFixDownadup.txt
copy c:\%computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\%computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:exit


0
 

Author Comment

by:shattuck007
ID: 24032873
so you're sure this one is conficker? I've read up on conficker here:
 http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
... and the writeup there doesn't include any of the same symptoms we're experiencing (other than the vulnerability it exploits).
These are sort of "honeypot" machines we have left open, and when they got hit, we started to observe and record what was going on ... so I'm not so much worried about cleaning up as I am finding out what exactly the problem is.
However, I really appreciate your post and will keep the information handy!!!!
thanks!
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24032937
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24032957
Review the current password policy; you can configure a Windows GPO that will require a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm
0
 

Author Comment

by:shattuck007
ID: 24033073
1) I read that yesterday after googling the endpoint message. Network DDE is disabled on all of our machines.
2) The domain password policy is already complex. Also, if someone attempts to log in more than 6 times with a good username, the account is locked out. That's what's happening to accounts on the domain of the infected machines (actually, on accounts on domains reachable from the affected machine).
thanks!
 
0
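The lockout symptom described in the question (the worm works through a list of accounts and locks them out) and confirmed in this reply is also the quickest way to locate the infected source: every account-lockout event on the domain controller records the computer that submitted the failing logons. The script below is an added example, not code from anyone in this thread. It parses a constructed, simplified export of Security-log lines (real exports use a different layout, so only the parser regex would need adapting) and ranks caller hosts by how many distinct accounts they locked out. Event 644 (Windows 2000/2003) and 4740 (Windows Server 2008 and later) are the lockout events; the log format, host names and account names are constructed for the example.

```python
"""Triage account lockouts to find the host doing the password guessing.

Added example, not from the original thread. Assumptions: the input is a
text export of the DC Security log, one event per line, in the constructed
"key=value;" layout shown in SAMPLE_LOG. Event 644 is the Windows 2000/2003
lockout event and 4740 its Windows Server 2008+ successor.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_EVENT_IDS = {"644", "4740"}

# Constructed sample export: three hosts, one of which is spraying accounts.
SAMPLE_LOG = """\
2009-03-31 09:12:04;EventID=4740;TargetUserName=jdoe;CallerComputerName=WKS-017;
2009-03-31 09:12:09;EventID=4740;TargetUserName=svc_backup;CallerComputerName=WKS-017;
2009-03-31 09:12:15;EventID=4624;TargetUserName=asmith;CallerComputerName=WKS-003;
2009-03-31 09:12:31;EventID=644;TargetUserName=asmith;CallerComputerName=WKS-017;
2009-03-31 09:13:02;EventID=4740;TargetUserName=jdoe;CallerComputerName=WKS-017;
2009-03-31 09:15:44;EventID=4740;TargetUserName=mlee;CallerComputerName=LAPTOP-22;
"""

# One line of the constructed export: timestamp, event id, target account, caller host.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+);EventID=(?P<id>\d+);TargetUserName=(?P<user>[^;]+);"
    r"CallerComputerName=(?P<caller>[^;]*);$"
)


@dataclass(frozen=True)
class Lockout:
    timestamp: str
    user: str
    caller: str


def parse_lockouts(text):
    """Return the lockout events in the export; any other event id is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("id") not in LOCKOUT_EVENT_IDS:
            continue
        # An empty caller field means the DC could not attribute the logons.
        caller = m.group("caller") or "<unknown>"
        events.append(Lockout(m.group("ts"), m.group("user"), caller))
    return events


def lockouts_by_caller(events):
    """Map caller host -> (lockout count, sorted distinct accounts it locked out)."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        counts[e.caller] += 1
        users[e.caller].add(e.user)
    return {host: (counts[host], sorted(users[host])) for host in counts}


def suspect_hosts(events, min_accounts=2):
    """Hosts that locked out at least `min_accounts` distinct accounts, worst first.

    Distinct accounts, not raw lockout count, is the signal: one user mistyping
    a password locks one account repeatedly; a worm walking an account list
    locks many different accounts from the same caller.
    """
    summary = lockouts_by_caller(events)
    ranked = sorted(summary.items(),
                    key=lambda kv: (-len(kv[1][1]), -kv[1][0], kv[0]))
    return [host for host, (_, accts) in ranked if len(accts) >= min_accounts]


if __name__ == "__main__":
    ev = parse_lockouts(SAMPLE_LOG)
    for host, (n, accts) in lockouts_by_caller(ev).items():
        print(f"{host}: {n} lockouts, {len(accts)} accounts: {', '.join(accts)}")
    print("suspects:", suspect_hosts(ev))
```

On the sample data WKS-017 is the only host that locked out more than one account, which is the machine to pull off the network and clean first; LAPTOP-22, with a single locked account, looks like an ordinary user error.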
 
LVL 23

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 100 total points
ID: 24033376
Supposedly your domain has got infected as well .. you must do a full scan of your DC.
If your antivirus didn't find any infection or was unable to clean, you may want to try doing so manually by following this article...

http://www.prevx.com/filenames/3557457713785644397-X1/DRSCH2EEXE.html
Deleting files / changing the registry may result in serious damage to your DC; make sure you create a tape before doing anything..


0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 100 total points
ID: 24033499
0
 
LVL 6

Expert Comment

by:mayank_chaudhary
ID: 24038219
Use OTmoveIT2 tool. It will help to remove the worm

Google for the tool and download
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24038327
Another useful thing to do is to find out how many users in your company have privileges to be able to install software and can effectively run as a Windows service. All those are sure targets for the worm.
0
 

Author Comment

by:shattuck007
ID: 24038824
Guys, guys ... I think I miscommunicated the intent of my request, which was to find out if anyone else had this same issue, which I don't think is the same as Downadup or Conficker, as the symptoms don't appear to be the same. Every technical article I have read from Symantec or anywhere else doesn't mention our specific issue, and does mention symptoms, registry keys, and files that we don't have. Also I am somewhat certain we have removed whatever we did get hit with, so I am good there.
Maybe I am wrong. Maybe we did get hit with conficker/downadup or some variant, but none of my updated AV clients pick it up as such when scanning the machines.
thanks for the attempts at help though!!!
0
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 100 total points
ID: 24052750
Hello,

I would suggest that you boot a PC in 'Safe mode with Networking' and then do an online Kaspersky antivirus scan. It has the highest scan rates of any antivirus. It's available at:

http://www.kaspersky.co.uk/virusscanner

Please let us know what you find.
0
 
LVL 34

Assisted Solution

by:Michael-Best
Michael-Best earned 100 total points
ID: 24460961
Did you try:
Microsoft's FREE COMPUTER REPAIR/Virus Check
http://onecare.live.com/site/en-us/default.htm
And run the "FULL SERVICE SCAN"; it will clean up & speed up your computer. If it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is  free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: a Kiwi in Tokyo: I troubleshoot & repair: both, English OS & Japanese OS)
0
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24470996
Any chance of giving shattuck007 a few more days to try:
05/24/09 05:50 PM, ID: 24460961
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 24471039
Last time he was active here was on 3rd of April 2009, but that's not me to decide...

Tolomir
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24471465
Let's give him 2 days to respond. He must be getting emails about our conversations and should hopefully respond within that time.
0
 

Author Closing Comment

by:shattuck007
ID: 31565025
I split the points amongst 5 suggestions.

thanks
0
