• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1106
  • Last Modified:

Keylog-Ultimate.dll Virus on Windows Server 2008 R2 SP1

I am currently managing a SQL Server 2008 R2. I've installed programs such as McAfee Enterprise + AntiSpyware Enterprise 8.8, Kapersky TDSSKILLER and Malwarebytes 1.60.1.1000. These programs are scheduled to run/update everyday. In addition, we are using RDS w/ user CAL licensing which i hear is not secured, but we need it.

A few weeks ago, we encountered a type of malware called ransomware on our server and thought that I successfully removed it. Unfortunately that led to another issue, I noticed a Key logger program planted into my server that McAfee picked up. here is the log:

- D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe      C:\Windows\AppCompat\KAward\rsasws.exe      Keylog-AwardKey (Virus)
- C:\Windows\Explorer.EXE      E:\decrypterpv\dc.exe      Ransom-BA (Trojan)
- C:\Users\sys\Desktop\Setup.exe      C:\ProgramData\uklpr\KLKlMon.dll      Keylog-Ultimate.dll (Virus)


The software ran another scan last night and picked up:

- 3:04:49 AM      Deleted       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 3:04:59 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Desktop\Setup.exe\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:08 AM      Deleted (Clean failed)       administrator      ODS(Full Scan)      c:\Documents and Settings\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)
- 4/6/2012      3:05:18 AM      Delete failed (Clean failed)       administrator      ODS(Full Scan)      c:\Users\sys\Downloads\KRyLack.Ultimate.Keylogger.Pro.v1.80.45-alzaeem2008.rar\SETUP.EXE\9.nsis      Keylog-Ultimate.dll (Virus)


How do I prevent this? are they getting in my network through a backdoor? does RDS play a big role in this case? is there another level of security I can implement? I'll appreciate your help!
0
vlsllp
Asked:
vlsllp
2 Solutions
 
Grant1842Commented:
Please follow these instructions for removal.

http://www.uninstall-spyware.com/uninstallUltimateKeylogger.html
0
 
David Johnson, CD, MVPOwnerCommented:
Is there a business reason why users that rdp into the server have administrative (install) privileges? Have you considered remote app for programs that need administrator privileges?  How about turning on internet explorer security for non-admins? How can you or your company justify the security risk presented that allowed this to happen in the first place. In many environments once something is discovered as compromised then the entire server is rebuilt as it can no longer be trusted.  
Don't create the mess then you don't have to clean up a mess.. Unfortunately you have to treat users like preschool children you have to monitor, and protect them from themselves
0
 
vlsllpAuthor Commented:
ve3ofa, yes there are special reasons why we grant our users administrative privileges. Unfortunately we had to manually go into the folders and clean out key names that have "keyloggers" in them, in addition we removed this virus through the registry as well. The primary tools i used was Kapersky TDSSKILLER and Spybot. These 2 items assisted me in cleaning out unwanted items in our registry.

Would you recommend any other tools or best practices when monitoring RDS? IDS/IPS?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
Russell_VenableCommented:
Yes, Actually. Assuming you already removed "Ransom" from your system.  It would do you some good to make note of 3 aspects for prevention and recovery reasons.

1. Keep a Website History


Keep a good track of sites that are visited from your network external from the operating system(Hardware). Not only does it help to keep track of what websites that caused the infection, but also allows you to report the infection and warn others.

2. Avoid untrusted Online Antivirus scanning

Do not allow users to do a online antivirus scan, unless tasked and if that is the case set guidelines for them to follow. Let me be specific; "Randsomware" in your case hides itself as a online antivirus scan and asks the user to install a activex/java file, sometimes even a video codec slightly different situation. This allows the site to start its malicious adventure onto the victim's machine. It's also spreads on a automated basis from "Drive-By" websites hosting a exploit kit.

3. Network traffic analyzer

Use a Network traffic analyzer to monitor for abnormal traffic patterns.
When you ask for more tools are you referring to monitoring or removal?

Other then that I would just implement a user guideline system in the first place that teaches them how to avoid this in the first place.

References to read:
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring
0
 
David Johnson, CD, MVPOwnerCommented:
ve3ofa, yes there are special reasons why we grant our users administrative privileges.

Then BACKUP, BACKUP, BACKUP,

7 Daily's, 4 weekly, 12 monthly, and 7 years annual.
0
 
vlsllpAuthor Commented:
thanks
0
 
vlsllpAuthor Commented:
Thanks I will try that!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now