Solved

Backdoor.Win32.Ulrbot Virus

Posted on 2011-02-28
Last Modified: 2012-05-11
Our AV software has detected an infection of Backdoor.Win32.Ulrbot on one of our terminal servers during a full scan.  My colleague thinks this is a false positive because the file is not being picked up by real time scanning.  I disagree and think this is an infection.

Here is my reasoning why I think this is an infection:
The DLL is an unknown DLL (x32ihrv.dll)
Using Process Explorer, I found explorer.exe is calling this DLL, but no information is available about the DLL (i.e. Description, Version, Company Name)
I was able to rename this DLL from x32.ihdrv.dll to x32ihdrv.dll.old on the fly, when it was in use by explorer.exe.  Process Explorer just displayed the file extension change and went about its business
Trend Micro even states this is a DLL component (http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=BKDR_URLBOT.A)

We are using Kaspersky Anti Virus as our AV software.  Could someone provide additional information on our debate?  Attached is a screenshot of Process Explorer.
Question by:Kram80
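
The manual check described in the question (a DLL loaded by explorer.exe with no description, version or company name) can be scripted across every explorer.exe session on a terminal server. The PowerShell below is an added example, not part of the original thread; the function name `Get-SuspectModule` is hypothetical, and it assumes an elevated 64-bit PowerShell 4.0 or later session.

```powershell
# Added example: list modules loaded into explorer.exe that carry no version
# metadata, mirroring the Process Explorer check described in the question.
function Get-SuspectModule {
    param(
        # Process to inspect; 'explorer' matches the case in the question.
        [string]$ProcessName = 'explorer'
    )
    # A terminal server usually has one explorer.exe per logged-on session.
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $modules = $null
        try { $modules = $proc.Modules } catch { continue }  # access denied or process exited
        foreach ($mod in $modules) {
            $path = $mod.FileName
            if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

            # Legitimate system DLLs normally carry a version resource.
            $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
            $noMetadata = [string]::IsNullOrWhiteSpace($info.CompanyName) -and
                          [string]::IsNullOrWhiteSpace($info.FileDescription) -and
                          [string]::IsNullOrWhiteSpace($info.FileVersion)
            if (-not $noMetadata) { continue }

            # Signature status is supporting evidence only, not a verdict.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                ProcessId  = $proc.Id
                Path       = $path
                Signature  = $sig.Status
                CreatedUtc = (Get-Item -LiteralPath $path -Force).CreationTimeUtc
                SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

# Report every metadata-less module found in any explorer.exe instance.
Get-SuspectModule | Format-List
```

A module that shows up here is a candidate for further analysis rather than a confirmed infection; the SHA256 value can be searched on VirusTotal before deciding whether to upload the file itself.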
9 Comments
 
LVL 29

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 50 total points
ID: 35002199
I would recommend uploading the DLL to the online virus scanner sites listed below; if the file is a threat, it would be reported on the website.

http://virusscan.jotti.org/en

http://www.virustotal.com/

http://www.threatexpert.com/submit.aspx

If not, it could be the remains of the main virus which have somehow been left behind. Since you are able to rename it on the fly, it most likely is not that threatening, but we could not rule out that it is harmless just because you are able to rename it.
 
I would also recommend you scan the system with HitmanPro once if possible.

32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

I hope that would help

Sudeep
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 125 total points
ID: 35002243
It is malware which can replicate itself (worm):

http://www.threatexpert.com/report.aspx?md5=7afe5fab3905b8c7ffbe5ec272db06aa

There are several variants of this malware and it randomizes its file names.  It has a built-in SMTP server and a backdoor.  I would strongly suggest isolating your TS server and cleaning it immediately.  I would not allow that machine on my network until I verified the removal of the malware.

DrUltima
 
LVL 3

Accepted Solution

by:
goldeneagle3333 earned 125 total points
ID: 35002349
I agree with DrUltima.  If you have any information that is critical, private, etc., isolate and clean the terminal server.

If you have a normal process of removing malware I would complete those steps.

Myself I would start with this:
In safe mode-
1) Vipre Rescue - http://vipre.malwarebytes.org/ 
2) Malwarebytes - Can also be obtained from the link above
3) Run Vipre again followed by Malwarebytes.
4) CCleaner

Restart and run your normal AV again.
 

Author Comment

by:Kram80
ID: 35002465
Thank you all for your input....very helpful.  I didn't know about the built-in SMTP server.  I'm going to begin the cleaning process.  I have not used Vipre before, but will take a look at it.  Easy to use?
 

Author Comment

by:Kram80
ID: 35002508
Read the Vipre instructions...looks fairly simple.
 

Author Comment

by:Kram80
ID: 35008338
Infection cleaned.  Thanks again.  Vipre really worked well.

DrUltima, how did you find all that information?  When I search for the threat on ThreatExpert it displays many related threats, but not even the one you found.  Can you give me additional information for future reference?
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008603
I Googled "Backdoor.Win32.Ulrbot".  It is the second hit.

No great trade secret or super technical technique.  Just luck of the click.

DrUltima
 

Author Comment

by:Kram80
ID: 35008637
LOL....I'm a moron....thanks again for the help.  I'll award points.
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008723
Not at all (and thanks for the points).  When using the "big brain" for solutions, it is helpful about half the time.  The other half it will lead you on wonderful pig trails.  You have unlimited points.  Use them.  It is why we are here. :)

DrUltima