Investigate malware infection

Hi,

I would like to further investigate a malware infection found on one of our machines and was hoping for some advice on how to best to about doing further investigation... (if for nothing more than my own curiosity)

 It was picked up by Symantec as 'Suspicious.IRCBot' living in the 'C:\WINDOWS\Temp' folder running as the user 'SYSTEM' and lists a long (TMP00000FC136........) file name.

How best to:
- Determine what originally caused the infection, along with (ball park) date of infection.
- Determine if this file is associated with a particular process or service.
- Determine the IP/hostname of the (presumably) IRC server it is attempting to communicate with (if at all).
- Any other info that could be interesting regarding the source or background of the infection.

Coincidently:
All efforts thus far to remove the malware have failed:
Disabling system restore, boot in safe mode, disk clean up, delete all temp files, scan with malware bytes, scan with symantec, scan with mse... (removing it is not important, will just rebuild - but just giving background of infection)

Side notes regarding machine:
Windows XP Pro - Domained
No important info on the machine
Currently quarantined (disconnected) from company network whilst investigating

Thanks in advance!
Roger AdamsAsked:
Who is Participating?
 
Roger AdamsConnect With a Mentor Author Commented:
the TMP files were being created by the application ActivClient, from company the ActiveIDentity, which is part of the HP standard build applications. Symantec appears to be picking up TMP files linked to this software as a false positive...

After a complete rebuild using recovery media, Symantec immediately detected the same 'infection' as before.

Here is the solution for removing (the' un-uninstallable') ActivClient - which resolves Symantec flagging it up...
http://forums.techguy.org/all-other-software/781811-getting-rid-activclient-un-uninstallable.html

(btw I did submit the infected files to Symantec for review... surprise: no feedback yet)

Thanks for your help all...
0
 
tskelly082598Commented:
Check for email messages dated the same date. You can recover deleted messages from Outlook if necessary. Check eventvwr.msc for messages the same date.
0
 
tskelly082598Commented:
That is, date of the TMP000 files.
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

 
Roger AdamsAuthor Commented:
That makes sense, however I don't think thoseactual dates are relevant as the TMP000...... file keeps getting removed by the AV & 're-creating' itself... i.e. AV will scan, find the infected file & either quarantine or delete the file. But soon there will be a 'new' infected file with a slightly modified filename (still keeping close to TMP000xxxxxx)
0
 
tskelly082598Commented:
Maybe HIJACKTHIS can identify the malicious files, and then you may be identify a folder with a date and time stamp that those files have been created in.
0
 
tskelly082598Commented:
Download location for Hijackthis

http://free.antivirus.com/hijackthis/

Copy to a CD or thumb drive from another computer.
0
 
Roger AdamsAuthor Commented:
Cheers, will do that 1st thing tomorrow morning & update...
0
 
mchkorgCommented:
Hi,

Run "hijackthis"
Then upload your log to www.hijackthis.de to have the output analyzed
That'll maybe give you some directions

regards
0
 
Roger AdamsAuthor Commented:
because the virus seemed to be 'regenerating' itself what I did was run hijackthis as soon as the machine booted, then run the AV scan & as soon as it picked up the malware in the TEMP folder I ran hijackthis again - looking for anomalies etc...

Nothing looks too much out of place, see v1 and v2 of hijackthis log attached...
hijackthis-local-admin-v1.txt
hijackthis-local-admin-v2.txt
0
 
mchkorgCommented:
Just double-check C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe and C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxtcs.exe are really some part of an HP soft suite

And they recommend to delete some keys if you don't know the domain names:
HKLM\System\CCS\Services\Tcpip\Parameters: Domain = G3LAN.NET
HKLM\Software\..\Telephony: DomainName = G3LAN.NET
HKLM\System\CS1\Services\Tcpip\Parameters: Domain = G3LAN.NET

Did you try to run something like "spybot" (after you update its database)?
0
 
Roger AdamsAuthor Commented:
ifxspmgt.exe and ifxtcs.exe:
These appear to be legitimate elements of   HP Embedded Security (after some Googling)

Domain entries:
Those are known & okay.

Malware bytes:
Ran in safe mode - nothing found.

Spybot search & destroy:
Ran in safe mode - nothing found.

Symantec AV:
Ran in normal mode - finds threat as stated above. See attached image. Every time it finds a file in the TEMP folder it is quarantined, few minutes later a new file is present.

Infected File content:
I disabled the AV to allow me some time to look inside the infected file (for what it`s worth). See text file attached.

Symantex have a page on this particular type of threat:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011822-4456-99
This  gives nothing interesting other than mentioning that is not picked up  using traditional signature checking, but monitors behaviour: "This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers."

This is looking more & more like a botnet infection rather than a traditional virus or trojan.

What I`m going to do next:
Connect the machine to a standalone internet connection.
Disable the AV to allow the Malware to execute what it likes.
Monitor all traffic with Wireshark & investigate all unknown IP address`s it attempts to communicate with. (see if it calls home to any c&c servers etc)

symantec-threat-found.PNG
TMP000022633029B9BAFA0E01DD.txt
0
 
Roger AdamsAuthor Commented:
just working through the contents of the infected file...
it bears references to a file called acregcrt.exe and company called ActivIDdentity...
Investigating that now...
0
 
Roger AdamsAuthor Commented:
Okay... seems the 'infected files' relate to the ActivClient from company ActiveIDentity, which is part of HP`s security suite.

Satisfied that curiosity for now, going to rebuild & see if the app is part of the standard build.
0
 
tskelly082598Connect With a Mentor Commented:
Here is another program similar to Hijackthis at the Microsoft site that might provide some more insight.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
0
 
Roger AdamsAuthor Commented:
I managed to stumble onto that sysinternals tool earlier today whilst looks around, great tool! Thanks for the suggestion
0
 
tskelly082598Commented:
Have you identified what files are associated with re-loading the TMP*.* files?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.