Solved

drsch.exe worm?

Posted on 2009-03-31
17
1,245 Views
Last Modified: 2013-11-22
Subject: new virus/worm: drsch.exe

we have the file drsch.exe appearing in our C:\windows\system32\drivers folder. It then spreads to other machines that aren't patched with ms08-067. It also drops the file i.ini onto the root of C: It appears to spread through the network via weak passwords, and appears to somehow accesses a list of accounts. It attempts to logon with these accounts, and failing, locks them out of active directory.

This seems to be the same creature. All google searches indicate this thing begin around the 27th:

http://translate.google.com/translate?hl=en&sl=es&u=http://www.hispasonic.com/comunidad/virus-desconocido-drsch-exe-t254794.html&ei=0W3SScHMAs3HtgeE3_HpBg&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3Ddrsch.exe%26hl%3Den%26safe%3Doff%26sa%3DN

Anyone seen this before/yet or can anyone point me to a link where Symantec or Trend or someone have a description of it?

Also, Symantec Endpoint network control alerts to the presence of this virus with the following:

MS RPC DDE BO detected

thanks
0
Comment
Question by:shattuck007
  • 4
  • 3
  • 3
  • +5
17 Comments
 
LVL 15

Accepted Solution

by:
xmachine earned 100 total points
ID: 24032751
Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE 

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe 

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe 

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu 

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (Apply Read-only permission for all users).

3) And you can use Psexec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to import a text file that contains the infected machines and run it using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

so, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contains one name/ip per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IP's and save the results as a text file (http://www.softperfect.com/products/networkscanner/)

Another important points:

1)  Review the current Passwords policy, you can configure a Windows GPO that will require a complex password, with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using this plugin ID (34476) to check if they have MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this just an example)
 

A Symantec Certified Specialist @ your service


@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All 
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************
 
 
ver | find "2003" > nul
if %ERRORLEVEL% == 0 goto ver_2003
 
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
 
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
 
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
 
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
 
 
goto exit
 
:ver_2003
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping & Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_xp
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping & Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_2000
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...  
shutdown -r -f -c "Rebooting system"
goto exit
 
:ver_vista-sp0
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "wuauserv"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping & Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:ver_vista-sp1
echo Enabling BITs ...
sc config bits start= auto
echo Starting BITs ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config Wuauserv start= auto
echo Starting Automatic Updates ...
net start "Windows Automatic Update Service"
echo Checking MS WSUS for any missing updates ... 
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping & Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAuto /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%ProgramFiles%\Windows Defender\MSASCui.exe hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuning=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\computername%_%username%_logFixDownadup.txt
copy c:\computername%_%username%_logFixDownadup.txt \\ServerName\ShareName\Logs\computername%_%username%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...  
shutdown /r /f /c "Rebooting system"
goto exit
 
:exit

Open in new window

0
 

Author Comment

by:shattuck007
ID: 24032873
so you're sure this one is conficker? I've read up on conficker here:
 http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
... and the writeup there doesn't include any of the same symptoms we're experiencing (other than the vulnerability it exploits).
These are sort of "honeypot" machines we have left open, and when they got hit, we started to observe and record what was going on ... so I'm not so much worried about cleaning up as I am finding out what exactly the problem is.
However, I really appreciate your post and will keep the information handy!!!!
thanks!
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24032937
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 15

Expert Comment

by:xmachine
ID: 24032957
Review the current Passwords policy, you can configure a Windows GPO that will require a complex password, with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm
0
 

Author Comment

by:shattuck007
ID: 24033073
1) I read that yesterday after googling the endpoint message. Network DDE is disabled on all of our machines.
2) the domain password policy is already complex. Also, if someone attempts to login more than 6 times with a good username, the account is locked out. That's what's happenening to accounts on the domain of the infected machines (actually, on accounts on domains reachable from the affected machine).
thanks!
 
0
 
LVL 24

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 100 total points
ID: 24033376
Supposedly your domain has got infected as well .. you must do a full scan to your DC.
If your antivirus didn't find any infection or was unable to clean, you may want to try doing so manually by following this article...

http://www.prevx.com/filenames/3557457713785644397-X1/DRSCH2EEXE.html
Deleting files/ changing registry may result in a serious damage to your DC, make sure you create a tape before doing anything..


0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 100 total points
ID: 24033499
0
 
LVL 6

Expert Comment

by:mayank_chaudhary
ID: 24038219
Use OTmoveIT2 tool. It will help to remove the worm

Google for the tool and download
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24038327
Another useful thing to do is to find out how many users in your company have priveleges to be able to install software can can effectively run as a Windows service? All those are sure targets for the worm.
0
 

Author Comment

by:shattuck007
ID: 24038824
guys, guys ... I think I miscommunicated the intent of my request, and that was to find out if anyone else had this same issue, which I don't think is the same as downadup or conficker, as the symptoms don't appear to be the same. Every technical article I have read from Symantec or anywhere else doesn't mention our specific issue, and does mention symptoms, registry keys, and files that we don't have. Also I am somewhat certain have removed whatever we did get hit with, so I am good there.
Maybe I am wrong. Maybe we did get hit with conficker/downadup or some variant, but none of my updated AV clients pick it up as such when scanning the machines.
thanks for the attempts at help though!!!
0
 
LVL 16

Assisted Solution

by:warturtle
warturtle earned 100 total points
ID: 24052750
Hello,

I would suggest that you boot a PC in 'Safe mode with Networking' and then do an online Kaspersky antivirus scan. It has the highest scan rates of any antivirus. Its available at:

http://www.kaspersky.co.uk/virusscanner

Please let us know, what you find.
0
 
LVL 34

Assisted Solution

by:Michael-Best
Michael-Best earned 100 total points
ID: 24460961
Did you try:
Microsoft's FREE COMPUTER REPAIR/Virus Check
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN" it will cleanup & speedup your computer, if it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is  free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: a Kiwi in Tokyo: I troubleshoot & repair: both, English OS & Japanese OS)
0
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24470996
Any chance of giving shattuck007 a few more days to try:
05/24/09 05:50 PM, ID: 24460961
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 24471039
Last time he was active here was on 3rd of April 2009, but that's not me to decide...

Tolomir
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24471465
Lets give him 2 days to respond back. He must be getting emails about our conversations and should respond hopefully within that time.
0
 

Author Closing Comment

by:shattuck007
ID: 31565025
I split the points amongst 5 suggestions.

thanks
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Thin secure Windows 10 5 102
auto script to stop bitdefender to scan my external drives 6 68
Windows Password recovery 7 52
SCSM reports export 1 12
Read about achieving the basic levels of HRIS security in the workplace.
OfficeMate Freezes on login or does not load after login credentials are input.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question