Solved

Backdoor.Win32.Ulrbot Virus

Posted on 2011-02-28
9
404 Views
Last Modified: 2012-05-11
Our AV software has detected an infection of Backdoor.Win32.Ulrbot on one of our terminal servers during a full scan.  My colleague thinks this is a false positive because the file is not being picked up by real time scanning.  I disagree and think this is an infection.

Here is my reasoning why I think this is an infection:
The DLL is an unknown DLL (x32ihrv.dll)
Using Process Explorer, I found explorer.exe is calling this DLL, but no information is available about the DLL (ie. Description, Version, Company Name)
I was able to rename this DLL from x32.ihdrv.dll to x32ihdrv.dll.old on the fly, when it was in use by explorer.exe.  Process Explorer just displayed the file extension change and when about it's business
Trend Micro even states this is a DLL component (http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=BKDR_URLBOT.A)

We are using Kaspersky Anti Virus as our AV software.  Could someone provide additional information on our debate?  Attached is a screenshot of Process Explorer Process Explorer
0
Comment
Question by:Kram80
9 Comments
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 50 total points
ID: 35002199
I would recommened to upload the DLL to the online virus scanner site listed below, if the file is a threat it would be reported on the website

http://virusscan.jotti.org/en

http://www.virustotal.com/

http://www.threatexpert.com/submit.aspx

If not, it could be remains of the main virus which is somehow be left behind, since you are able to rename it on the fly most likely is not that threating but we could not rule out that it is harmless just because you are able to rename it.
 
I would also recommend you to scan the system with HitManpro once if possible.

32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

I hope that would help

Sudeep
0
 
LVL 31

Assisted Solution

by:Justin Owens
Justin Owens earned 125 total points
ID: 35002243
It is malware which can replicate itself (worm):

http://www.threatexpert.com/report.aspx?md5=7afe5fab3905b8c7ffbe5ec272db06aa

There are several variants of this malware and it randomizes its file names.  It has a built in SMTP server and a backdoor.  I would strong suggest isolating your TS server and cleaning it immediately.  I would not allow that machine on my network until I verified the removal of the malware.

DrUltima
0
 
LVL 3

Accepted Solution

by:
goldeneagle3333 earned 125 total points
ID: 35002349
I agree with DrUltima.  If you have any information that is critical, private, etc isolate and clean the terminal server.  

If you have a normal process of removing malware I would complete those steps.

Myself I would start with this:
In safe mode-
1) Vipre Rescue - http://vipre.malwarebytes.org/ 
2) Malware Bytes - Can also be obtained from the link above
3) Run Vipre again followed by malwarebytes.
4) CCleaner

Restart and run your normal AV again.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 

Author Comment

by:Kram80
ID: 35002465
Thank you all for your input....very helpful.  I didn't know about the built-in SMTP server.  I'm going to begin the cleaning process.  I have not used Vipre before, but will take a look at it.  Easy to use?
0
 

Author Comment

by:Kram80
ID: 35002508
Read the Vipre instructions...looks fairly simple.
0
 

Author Comment

by:Kram80
ID: 35008338
Infection cleaned.  Thanks again.  Vipre really worked good.

DrUltima, how did you find all that information?  When I search for the threat on ThreatExpert it displays many related threats, but not even the one you found.  Can you give me additional information for future reference?
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008603
I Googled "Backdoor.Win32.Ulrbot".  It is the second hit.

No great trade secret or super technical technique.  Just luck of the click.

DrUltima
0
 

Author Comment

by:Kram80
ID: 35008637
LOL....I'm a moron....thanks again for the help.  I'll award points.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 35008723
Not at all (and thanks for the points).  When using the "big brain" for solutions, it is helpful about half the time.  The other half it will lead you on wonderful pig trails.  You have unlimited points.  Use them.  It is why we are here. :)

DrUltima
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 10 4 87
Upgrade Symantec EndPoint Protection 14 13 367
do i need anti virus software with windows 10? 13 97
How to get latest vulnerabilities advisories by email. 3 71
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Learn about cloud computing and its benefits for small business owners.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question