Solved

Backdoor.Win32.Ulrbot Virus

Posted on 2011-02-28
402 Views
Last Modified: 2012-05-11
Our AV software has detected an infection of Backdoor.Win32.Ulrbot on one of our terminal servers during a full scan.  My colleague thinks this is a false positive because the file is not being picked up by real time scanning.  I disagree and think this is an infection.

Here is my reasoning why I think this is an infection:
The DLL is an unknown DLL (x32ihrv.dll)
Using Process Explorer, I found explorer.exe is calling this DLL, but no information is available about the DLL (i.e. Description, Version, Company Name)
I was able to rename this DLL from x32.ihdrv.dll to x32ihdrv.dll.old on the fly, when it was in use by explorer.exe.  Process Explorer just displayed the file extension change and went about its business
Trend Micro even states this is a DLL component (http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=BKDR_URLBOT.A)

We are using Kaspersky Anti Virus as our AV software.  Could someone provide additional information on our debate?  Attached is a screenshot of Process Explorer.
Question by:Kram80
9 Comments
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 50 total points
ID: 35002199
I would recommend uploading the DLL to the online virus scanner sites listed below; if the file is a threat it will be reported on the website

http://virusscan.jotti.org/en

http://www.virustotal.com/

http://www.threatexpert.com/submit.aspx

If not, it could be remains of the main virus which were somehow left behind. Since you are able to rename it on the fly, it is most likely not that threatening, but we cannot rule out that it is harmless just because you are able to rename it.

I would also recommend you to scan the system with HitmanPro once if possible.

32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

I hope that helps

Sudeep
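An added check, not from the thread, for the situation Kram80 describes and the hash lookup Sudeep suggests: it lists the modules explorer.exe has loaded that carry no Company Name or File Description, shows their Authenticode status, and prints MD5 and SHA256 so the file can be searched on the scanner sites above before anything is uploaded (being able to rename a loaded DLL on NTFS is expected for any mapped file and says nothing about whether it is malicious). Assumes Windows PowerShell 3.0 or later run elevated on the suspect host, with a bitness matching the target process; the process name is a parameter.

```powershell
# Added example, not code from the thread. Flags modules in the named process
# that have no Company Name / File Description (the gap seen in Process Explorer),
# reports their Authenticode status and hashes them for lookup on scanner sites.
# Assumes Windows PowerShell 3.0+, elevated, same bitness as the target process.
param(
    [string]$ProcessName = 'explorer'   # process named in the question
)

function Get-FileHashHex {
    # Hash a file with the named .NET algorithm ('MD5' or 'SHA256') as lowercase hex.
    param([string]$Path, [string]$Algorithm)
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($algo.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
        $algo.Dispose()
    }
}

$findings = foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
    foreach ($m in $p.Modules) {
        $vi = $m.FileVersionInfo
        # A legitimate vendor DLL almost always carries both fields; a blank pair
        # is not proof of malware, but it is the thing worth hashing and looking up.
        $unlabelled = [string]::IsNullOrWhiteSpace($vi.CompanyName) -and
                      [string]::IsNullOrWhiteSpace($vi.FileDescription)
        if (-not $unlabelled) { continue }
        [pscustomobject]@{
            ProcessId = $p.Id
            Module    = $m.ModuleName
            Path      = $m.FileName
            Signature = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            MD5       = Get-FileHashHex -Path $m.FileName -Algorithm 'MD5'
            SHA256    = Get-FileHashHex -Path $m.FileName -Algorithm 'SHA256'
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output "No unlabelled modules found in $ProcessName."
}
```

On a terminal server there is one explorer.exe per logged-on session, so check every ProcessId reported; search the MD5 on ThreatExpert and the SHA256 on VirusTotal before deciding whether to upload the file itself.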
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 125 total points
ID: 35002243
It is malware which can replicate itself (worm):

http://www.threatexpert.com/report.aspx?md5=7afe5fab3905b8c7ffbe5ec272db06aa

There are several variants of this malware and it randomizes its file names.  It has a built-in SMTP server and a backdoor.  I would strongly suggest isolating your TS server and cleaning it immediately.  I would not allow that machine on my network until I verified the removal of the malware.

DrUltima
 
LVL 3

Accepted Solution

by:goldeneagle3333
goldeneagle3333 earned 125 total points
ID: 35002349
I agree with DrUltima.  If you have any information that is critical, private, etc., isolate and clean the terminal server.

If you have a normal process of removing malware I would complete those steps.

Myself I would start with this:
In safe mode-
1) Vipre Rescue - http://vipre.malwarebytes.org/
2) Malwarebytes - Can also be obtained from the link above
3) Run Vipre again followed by Malwarebytes.
4) CCleaner

Restart and run your normal AV again.

Author Comment

by:Kram80
ID: 35002465
Thank you all for your input....very helpful.  I didn't know about the built-in SMTP server.  I'm going to begin the cleaning process.  I have not used Vipre before, but will take a look at it.  Easy to use?
 

Author Comment

by:Kram80
ID: 35002508
Read the Vipre instructions...looks fairly simple.
 

Author Comment

by:Kram80
ID: 35008338
Infection cleaned.  Thanks again.  Vipre really worked well.

DrUltima, how did you find all that information?  When I search for the threat on ThreatExpert it displays many related threats, but not even the one you found.  Can you give me additional information for future reference?
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008603
I Googled "Backdoor.Win32.Ulrbot".  It is the second hit.

No great trade secret or super technical technique.  Just luck of the click.

DrUltima
 

Author Comment

by:Kram80
ID: 35008637
LOL....I'm a moron....thanks again for the help.  I'll award points.
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008723
Not at all (and thanks for the points).  When using the "big brain" for solutions, it is helpful about half the time.  The other half it will lead you on wonderful pig trails.  You have unlimited points.  Use them.  It is why we are here. :)

DrUltima