Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 416
  • Last Modified:

Backdoor.Win32.Ulrbot Virus

Our AV software has detected an infection of Backdoor.Win32.Ulrbot on one of our terminal servers during a full scan.  My colleague thinks this is a false positive because the file is not being picked up by real time scanning.  I disagree and think this is an infection.

Here is my reasoning why I think this is an infection:
The DLL is an unknown DLL (x32ihrv.dll)
Using Process Explorer, I found explorer.exe is calling this DLL, but no information is available about the DLL (ie. Description, Version, Company Name)
I was able to rename this DLL from x32.ihdrv.dll to x32ihdrv.dll.old on the fly, when it was in use by explorer.exe.  Process Explorer just displayed the file extension change and when about it's business
Trend Micro even states this is a DLL component (http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=BKDR_URLBOT.A)

We are using Kaspersky Anti Virus as our AV software.  Could someone provide additional information on our debate?  Attached is a screenshot of Process Explorer Process Explorer
0
Kram80
Asked:
Kram80
3 Solutions
 
Sudeep SharmaTechnical DesignerCommented:
I would recommened to upload the DLL to the online virus scanner site listed below, if the file is a threat it would be reported on the website

http://virusscan.jotti.org/en

http://www.virustotal.com/

http://www.threatexpert.com/submit.aspx

If not, it could be remains of the main virus which is somehow be left behind, since you are able to rename it on the fly most likely is not that threating but we could not rule out that it is harmless just because you are able to rename it.
 
I would also recommend you to scan the system with HitManpro once if possible.

32bit
http://dl.surfright.nl/HitmanPro35.exe
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html

64bit
http://dl.surfright.nl/HitmanPro35_x64.exe

I hope that would help

Sudeep
0
 
Justin OwensITIL Problem ManagerCommented:
It is malware which can replicate itself (worm):

http://www.threatexpert.com/report.aspx?md5=7afe5fab3905b8c7ffbe5ec272db06aa

There are several variants of this malware and it randomizes its file names.  It has a built in SMTP server and a backdoor.  I would strong suggest isolating your TS server and cleaning it immediately.  I would not allow that machine on my network until I verified the removal of the malware.

DrUltima
0
 
goldeneagle3333Commented:
I agree with DrUltima.  If you have any information that is critical, private, etc isolate and clean the terminal server.  

If you have a normal process of removing malware I would complete those steps.

Myself I would start with this:
In safe mode-
1) Vipre Rescue - http://vipre.malwarebytes.org/ 
2) Malware Bytes - Can also be obtained from the link above
3) Run Vipre again followed by malwarebytes.
4) CCleaner

Restart and run your normal AV again.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
Kram80Author Commented:
Thank you all for your input....very helpful.  I didn't know about the built-in SMTP server.  I'm going to begin the cleaning process.  I have not used Vipre before, but will take a look at it.  Easy to use?
0
 
Kram80Author Commented:
Read the Vipre instructions...looks fairly simple.
0
 
Kram80Author Commented:
Infection cleaned.  Thanks again.  Vipre really worked good.

DrUltima, how did you find all that information?  When I search for the threat on ThreatExpert it displays many related threats, but not even the one you found.  Can you give me additional information for future reference?
0
 
Justin OwensITIL Problem ManagerCommented:
I Googled "Backdoor.Win32.Ulrbot".  It is the second hit.

No great trade secret or super technical technique.  Just luck of the click.

DrUltima
0
 
Kram80Author Commented:
LOL....I'm a moron....thanks again for the help.  I'll award points.
0
 
Justin OwensITIL Problem ManagerCommented:
Not at all (and thanks for the points).  When using the "big brain" for solutions, it is helpful about half the time.  The other half it will lead you on wonderful pig trails.  You have unlimited points.  Use them.  It is why we are here. :)

DrUltima
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now