Solved

Keylog-Ultimate.dll Virus on Windows Server 2008 R2 SP1

Posted on 2012-04-06
1,067 Views
Last Modified: 2013-11-22
I am currently managing a SQL Server 2008 R2. I've installed programs such as McAfee Enterprise + AntiSpyware Enterprise 8.8, Kaspersky TDSSKILLER and Malwarebytes 1.60.1.1000. These programs are scheduled to run/update every day. In addition, we are using RDS w/ user CAL licensing, which I hear is not secure, but we need it.

A few weeks ago, we encountered a type of malware called ransomware on our server and thought that I had successfully removed it. Unfortunately that led to another issue: I noticed a keylogger program planted on my server that McAfee picked up. Here is the log:

- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe      C:\Windows\AppCompat\KAward\rsasws.exe      Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE      E:\decrypterpv\dc.exe      Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe      C:\ProgramData\uklpr\KLKlMon.dll      Keylog-Ultimate.dll (Virus)


The software ran another scan last night and picked up:

- 3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)


How do I prevent this? Are they getting into my network through a backdoor? Does RDS play a big role in this case? Is there another level of security I can implement? I'll appreciate your help!
Question by:vlsllp
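The scan log in the question is easier to act on once it is parsed into records: the entries that say "Delete failed" are the ones still on disk, and every path here points inside a container file (an NSIS `Setup.exe` or a `.rar`), which is why on-demand cleaning keeps failing on the same files. The following is an added example, not part of the thread; it takes the four log lines quoted above as its sample input and assumes the column layout (optional date, time, action, user, scan type, path, threat name) seen in those lines rather than any documented McAfee log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the four log lines quoted in the question above. The column
# layout (optional date, time, action, user, scan type, path, threat) is
# assumed from those lines, not taken from McAfee documentation.
SAMPLE_LOG = r"""
3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
"""

FIELD_SEP = re.compile(r"\s{2,}")            # columns are separated by runs of spaces
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4}$")
# A path segment with an archive/installer extension that is followed by more
# segments means the detection is for content *inside* a container file.
NESTED_RE = re.compile(r"\.(rar|zip|7z|cab|exe|msi)\\", re.IGNORECASE)


@dataclass
class Detection:
    date: Optional[str]
    time: str
    action: str
    user: str
    scan: str
    path: str
    threat: str

    @property
    def remediated(self) -> bool:
        # "Deleted (Clean failed)" still removed the file; "Delete failed ..." did not.
        return not self.action.lower().startswith("delete failed")

    @property
    def inside_archive(self) -> bool:
        return NESTED_RE.search(self.path) is not None

    @property
    def container(self) -> str:
        """Outermost container file the scanner descended into (or the path itself)."""
        m = NESTED_RE.search(self.path)
        return self.path[: m.end() - 1] if m else self.path


def parse_line(line: str) -> Detection:
    fields = FIELD_SEP.split(line.strip())
    date = fields.pop(0) if DATE_RE.match(fields[0]) else None
    if len(fields) != 6:
        raise ValueError(f"unexpected column count in: {line!r}")
    time, action, user, scan, path, threat = fields
    return Detection(date, time, action, user, scan, path, threat)


def parse_log(text: str) -> List[Detection]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def needs_manual_action(dets: List[Detection]) -> List[str]:
    """Container files the scanner could not remove and that must be deleted by hand."""
    return sorted({d.container for d in dets if not d.remediated})


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    for d in dets:
        print(f"{d.threat:28} {d.action:30} nested={d.inside_archive} {d.path}")
    print("manual cleanup needed:", needs_manual_action(dets))
```

The useful output is the `container` list: deleting the whole installer or archive (rather than waiting for the scanner to clean one member inside it) is what stops the same detection reappearing on every nightly ODS run.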
7 Comments
 
LVL 12

Expert Comment

by:Grant1842
ID: 37817474
Please follow these instructions for removal.

http://www.uninstall-spyware.com/uninstallUltimateKeylogger.html
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 37820092
Is there a business reason why users that rdp into the server have administrative (install) privileges? Have you considered RemoteApp for programs that need administrator privileges? How about turning on Internet Explorer security for non-admins? How can you or your company justify the security risk presented that allowed this to happen in the first place? In many environments, once something is discovered as compromised the entire server is rebuilt, as it can no longer be trusted.
Don't create the mess, then you don't have to clean up a mess. Unfortunately you have to treat users like preschool children: you have to monitor them and protect them from themselves.
 

Assisted Solution

by:vlsllp
vlsllp earned 0 total points
ID: 37824081
ve3ofa, yes there are special reasons why we grant our users administrative privileges. Unfortunately we had to manually go into the folders and clean out key names that have "keyloggers" in them; in addition we removed this virus through the registry as well. The primary tools I used were Kaspersky TDSSKILLER and Spybot. These 2 items assisted me in cleaning out unwanted items in our registry.

Would you recommend any other tools or best practices when monitoring RDS? IDS/IPS?
 
LVL 15

Accepted Solution

by:Russell_Venable
Russell_Venable earned 500 total points
ID: 37845588
Yes, actually. Assuming you already removed "Ransom" from your system, it would do you some good to make note of 3 aspects for prevention and recovery reasons.

1. Keep a Website History

Keep good track of sites that are visited from your network, external to the operating system (hardware). Not only does it help to keep track of which websites caused the infection, but it also allows you to report the infection and warn others.

2. Avoid untrusted Online Antivirus scanning

Do not allow users to do an online antivirus scan unless tasked, and if that is the case set guidelines for them to follow. Let me be specific: "Ransomware" in your case hides itself as an online antivirus scan and asks the user to install an ActiveX/Java file, sometimes even a video codec (a slightly different situation). This allows the site to start its malicious adventure onto the victim's machine. It also spreads on an automated basis from "drive-by" websites hosting an exploit kit.

3. Network traffic analyzer

Use a Network traffic analyzer to monitor for abnormal traffic patterns.
When you ask for more tools are you referring to monitoring or removal?

Other than that, I would just implement a user guideline system in the first place that teaches them how to avoid this in the first place.

References to read:
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 37846768
ve3ofa, yes there are special reasons why we grant our users administrative privileges.

Then BACKUP, BACKUP, BACKUP.

7 daily, 4 weekly, 12 monthly, and 7 years of annual backups.
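The retention scheme in the comment above (7 daily, 4 weekly, 12 monthly, 7 annual) is the usual grandfather-father-son rotation, and the point for ransomware recovery is that it keeps restore points older than the infection window rather than only the last week. The following is an added example, not code from the thread; it assumes one backup per day, treats weeks as ISO weeks, and works out which backup dates the policy keeps so that everything else can be rotated out. The backup history it runs on is constructed.

```python
from datetime import date, timedelta
from typing import Callable, Dict, Hashable, Iterable, Set

# Retention counts taken from the comment above: 7 daily, 4 weekly, 12 monthly, 7 annual.
POLICY = {"daily": 7, "weekly": 4, "monthly": 12, "yearly": 7}

# Each tier groups backups into buckets; the newest backup in each of the
# N newest buckets is kept. Weekly buckets use ISO weeks (an assumption).
BUCKETS: Dict[str, Callable[[date], Hashable]] = {
    "daily": lambda d: d,
    "weekly": lambda d: d.isocalendar()[:2],   # (ISO year, ISO week)
    "monthly": lambda d: (d.year, d.month),
    "yearly": lambda d: d.year,
}


def retained(backups: Iterable[date], policy: Dict[str, int] = POLICY) -> Dict[str, Set[date]]:
    """Return, per tier, the backup dates the policy keeps."""
    backups = sorted(set(backups))
    kept: Dict[str, Set[date]] = {}
    for tier, count in policy.items():
        bucket_of = BUCKETS[tier]
        newest_in_bucket: Dict[Hashable, date] = {}
        for d in backups:                       # ascending, so the last write is the newest
            newest_in_bucket[bucket_of(d)] = d
        newest_buckets = sorted(newest_in_bucket, reverse=True)[:count]
        kept[tier] = {newest_in_bucket[b] for b in newest_buckets}
    return kept


def to_keep(backups: Iterable[date], policy: Dict[str, int] = POLICY) -> Set[date]:
    """Union of all tiers: any backup not in this set is eligible for deletion."""
    return set().union(*retained(backups, policy).values())


def daily_backups(first: date, last: date):
    """Constructed history: one backup per calendar day, inclusive of both ends."""
    d = first
    while d <= last:
        yield d
        d += timedelta(days=1)


if __name__ == "__main__":
    # Constructed example: daily backups from 2010-01-01 up to the scan date in the question.
    history = list(daily_backups(date(2010, 1, 1), date(2012, 4, 6)))
    keep = to_keep(history)
    print(f"{len(history)} backups on disk, {len(keep)} retained, "
          f"{len(history) - len(keep)} can be rotated out")
    for d in sorted(keep, reverse=True):
        print(d)
```

With that history the policy retains 20 restore points, the oldest being the end of 2010; a daily-only rotation of the same depth would leave nothing older than a week, which is exactly what fails when an infection is only noticed weeks later, as it was here.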
 

Author Comment

by:vlsllp
ID: 37852078
thanks
 

Author Closing Comment

by:vlsllp
ID: 37875054
Thanks I will try that!