Solved

Backdoor.Win32.Ulrbot Virus

Posted on 2011-02-28
9
407 Views
Last Modified: 2012-05-11
Our AV software has detected an infection of Backdoor.Win32.Ulrbot on one of our terminal servers during a full scan.  My colleague thinks this is a false positive because the file is not being picked up by real time scanning.  I disagree and think this is an infection.

Here is my reasoning why I think this is an infection:
The DLL is an unknown DLL (x32ihrv.dll)
Using Process Explorer, I found explorer.exe is calling this DLL, but no information is available about the DLL (ie. Description, Version, Company Name)
I was able to rename this DLL from x32.ihdrv.dll to x32ihdrv.dll.old on the fly, while it was in use by explorer.exe.  Process Explorer just displayed the file extension change and went about its business
Trend Micro even states this is a DLL component (http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=BKDR_URLBOT.A)

We are using Kaspersky Anti Virus as our AV software.  Could someone provide additional information on our debate?  Attached is a screenshot of Process Explorer Process Explorer
0
Comment
Question by:Kram80
9 Comments
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 50 total points
ID: 35002199
I would recommend uploading the DLL to the online virus scanner sites listed below; if the file is a threat it will be reported on the website

http://virusscan.jotti.org/en

http://www.virustotal.com/

http://www.threatexpert.com/submit.aspx

If not, it could be remains of the main virus which have somehow been left behind. Since you are able to rename it on the fly it is most likely not that threatening, but we cannot rule out that it is harmful just because you are able to rename it.
 
I would also recommend you to scan the system with HitManpro once if possible.

32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

I hope that would help

Sudeep
0
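The question's triage (an unknown, anonymous DLL loaded into explorer.exe) and Sudeep's advice to check the file against online scanners can both be done from one script. This is an added example, not code from the thread: it lists modules loaded into explorer.exe that have no company/description and no valid Authenticode signature, and prints each one's SHA-256 so the hash can be looked up on VirusTotal or ThreatExpert before deciding whether to upload the file itself. The process name is a parameter; everything else is standard Windows PowerShell 2.0+.

```powershell
# Added triage script (not from the thread): find anonymous, unsigned modules
# loaded into a process and hash them for lookup on an online scanner.
param(
    [string]$ProcessName = 'explorer'   # assumption: the process named in the question
)

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so this also works on PowerShell versions without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

$suspects = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    try {
        $modules = $proc.Modules   # needs an elevated prompt of the same bitness as the process
    } catch {
        Write-Warning "Cannot read modules of PID $($proc.Id): $_"
        continue
    }
    foreach ($m in $modules) {
        $info = $m.FileVersionInfo
        $noVendor = [string]::IsNullOrEmpty($info.CompanyName) -and
                    [string]::IsNullOrEmpty($info.FileDescription)
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        # Anonymous AND unsigned is the combination worth submitting; a system path makes it more suspicious, not less.
        if ($noVendor -and ($sig.Status -ne 'Valid')) {
            New-Object PSObject -Property @{
                Process   = "$($proc.ProcessName) (PID $($proc.Id))"
                Module    = $m.FileName
                InWindows = $m.FileName.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
                SigStatus = $sig.Status
                Sha256    = Get-Sha256Hex $m.FileName
            }
        }
    }
}

$suspects | Sort-Object Module | Format-Table -AutoSize Process, InWindows, SigStatus, Sha256, Module
```

Being able to rename a DLL while it is mapped proves nothing either way: NTFS allows renaming (though not deleting) an open file, so the hash and signature status are the signals to act on.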
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 125 total points
ID: 35002243
It is malware which can replicate itself (worm):

http://www.threatexpert.com/report.aspx?md5=7afe5fab3905b8c7ffbe5ec272db06aa

There are several variants of this malware and it randomizes its file names.  It has a built in SMTP server and a backdoor.  I would strongly suggest isolating your TS server and cleaning it immediately.  I would not allow that machine on my network until I verified the removal of the malware.

DrUltima
0
 
LVL 3

Accepted Solution

by:goldeneagle3333
goldeneagle3333 earned 125 total points
ID: 35002349
I agree with DrUltima.  If you have any information that is critical, private, etc., isolate and clean the terminal server.

If you have a normal process of removing malware I would complete those steps.

Myself I would start with this:
In safe mode-
1) Vipre Rescue - http://vipre.malwarebytes.org/ 
2) Malware Bytes - Can also be obtained from the link above
3) Run Vipre again followed by malwarebytes.
4) CCleaner

Restart and run your normal AV again.
0
Author Comment

by:Kram80
ID: 35002465
Thank you all for your input....very helpful.  I didn't know about the built-in SMTP server.  I'm going to begin the cleaning process.  I have not used Vipre before, but will take a look at it.  Easy to use?
0
 

Author Comment

by:Kram80
ID: 35002508
Read the Vipre instructions...looks fairly simple.
0
 

Author Comment

by:Kram80
ID: 35008338
Infection cleaned.  Thanks again.  Vipre really worked well.

DrUltima, how did you find all that information?  When I search for the threat on ThreatExpert it displays many related threats, but not even the one you found.  Can you give me additional information for future reference?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008603
I Googled "Backdoor.Win32.Ulrbot".  It is the second hit.

No great trade secret or super technical technique.  Just luck of the click.

DrUltima
0
 

Author Comment

by:Kram80
ID: 35008637
LOL....I'm a moron....thanks again for the help.  I'll award points.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008723
Not at all (and thanks for the points).  When using the "big brain" for solutions, it is helpful about half the time.  The other half it will lead you on wonderful pig trails.  You have unlimited points.  Use them.  It is why we are here. :)

DrUltima
0
