Is this file a Virus/Trojan

I have discovered a file that some sites say is a Trojan.

Could this be related at all to the Cryptowall virus????


_6FEFF9B68218417F98F549.EXE
bankwestCTO/Cashier Asked:
aadih Commented:
Definitely suspicious. It'd be hard to say if it's related to cryptowall virus or not.
0
dlb6597 Commented:
do you also have this path? "C:\Program Files\absolute software\absolute reminder\"

It appears to be part of the above app that is pre-installed on some manufacturers' PCs
0
bankwestCTO/Cashier (Author) Commented:
No.....    I do not have that path that you reference above.
0

aadih Commented:
If you remember when this file appeared, you could do a system restore to an earlier time.  The best way to system restore is to boot up in safe mode with command prompt and to type rstrui.exe to restore. It's worth a try.
0
dlb6597 Commented:
it is possible the application could have been uninstalled, and the file you are concerned about was leftover...

This is the path where the file would be found if it was associated with absolute reminder.
Path:      C:\Windows\Installer\{40F4FF7A-B214-4453-B973-080B09CED019}\_6FEFF9B68218417F98F549.exe

More info here:

Here
0
bankwestCTO/Cashier (Author) Commented:
We discovered the infection on 9-30 from files changed and modified on 9-29.

This is in a network environment so not a single PC to easily do a restore.      We do have backups to restore files, but I am trying to find out WHERE, WHO, HOW we got the Cryptowall virus so the file mentioned may not have anything to do with it but I am trying to investigate......

And for dlb6597...  No, There is nothing in the path for the Installer that you mentioned.
0
David Johnson, CD, MVP (Owner) Commented:
The only real solution is to reimage everything from backups
You may want to get the Cryptolocker Prevention Toolkit set of GPO's

http://www.thirdtier.net/downloads/CryptolockerWaystoaddExemptions.pdf
0
brendonfeeley Commented:
Do you have the file somewhere where you could send it to me in an encrypted archive?

I'd be more than happy to take a quick look at it in IDA to confirm what it is for you.
0
bankwestCTO/Cashier (Author) Commented:
If you will tell me how to send to you, I will be happy to.  I can put in a zip file.  Attach it here?

Email????
0
brendonfeeley Commented:
Don't attach it here as it is probably malware. If you put it into a password protected zip file it will be encrypted and won't trigger anti-virus at any stage during sending.

If you message me, I'll give you my email address so you can send it over.
0
*** Hopeleonie *** (IT Manager) Commented:
Or upload _6FEFF9B68218417F98F549.exe to https://www.virustotal.com
0
brendonfeeley Commented:
Having looked at this in my analysis VM, this is definitely malware. Looks like a dropper. That is, it grabs further files for infection.

I found lots of information regarding the activity I observed by searching Google for the following:
ntvdm scs1 scs2

ntvdm is the process launched by the malware using the command line and scs1 and scs2 are created in the %TEMP% folder before being deleted.

The following links will be quite useful for your investigation:
https://www.virustotal.com/en/file/fce338990b1fd221cc5b3a76a455e191b31e610b477f2312d9d046e355f08424/analysis/
http://lavasoft.com/mylavasoft/malware-descriptions/blog/TrojanPSWWin32Zbot408fc130a6d

Specifically the Removal Instructions on the Lavasoft page.

Hope that helps.
0
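Added here as an example, not part of brendonfeeley's analysis or anyone's post in the thread: a small correlation rule for the behaviour he reports (ntvdm.exe launched by the sample, scs1/scs2 written to %TEMP%), in Python with the standard library only. The log lines, host names, PIDs and the key=value record format are constructed for the example; only the sample's file name comes from the thread. In a real deployment the same fields come from Sysmon event ID 1 (process creation) and event ID 11 (file creation) or from an EDR, and the parser would be swapped for the real one.

```python
"""Added example (not from the thread): correlate an ntvdm.exe start with scs1/scs2
appearing in a user's Temp folder on the same host within a short window.
Log lines are constructed in a simple key=value format, not real Sysmon/EDR output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: WS17 shows the reported pattern; WS04 is a benign ntvdm.exe
# (legacy 16-bit app) with no scs files; WS09 has an unrelated scs1 but no ntvdm.
SAMPLE_LOG = r"""
2014-09-29T09:14:02Z host=WS17 event=ProcessCreate pid=1788 image=C:\Users\jdoe\AppData\Local\Temp\_6FEFF9B68218417F98F549.exe parent=C:\Windows\explorer.exe
2014-09-29T09:14:03Z host=WS17 event=ProcessCreate pid=1804 image=C:\Windows\System32\ntvdm.exe parent=C:\Users\jdoe\AppData\Local\Temp\_6FEFF9B68218417F98F549.exe
2014-09-29T09:14:03Z host=WS17 event=FileCreate pid=1788 image=C:\Users\jdoe\AppData\Local\Temp\_6FEFF9B68218417F98F549.exe target=C:\Users\jdoe\AppData\Local\Temp\scs1
2014-09-29T09:14:04Z host=WS17 event=FileCreate pid=1788 image=C:\Users\jdoe\AppData\Local\Temp\_6FEFF9B68218417F98F549.exe target=C:\Users\jdoe\AppData\Local\Temp\scs2
2014-09-29T09:14:05Z host=WS17 event=FileDelete pid=1788 image=C:\Users\jdoe\AppData\Local\Temp\_6FEFF9B68218417F98F549.exe target=C:\Users\jdoe\AppData\Local\Temp\scs1
2014-09-29T10:30:00Z host=WS04 event=ProcessCreate pid=2210 image=C:\Windows\System32\ntvdm.exe parent=C:\Windows\explorer.exe
2014-09-29T10:30:07Z host=WS04 event=FileCreate pid=2210 image=C:\Windows\System32\ntvdm.exe target=C:\Users\mbrown\AppData\Local\Temp\~legacy.tmp
2014-09-29T11:02:11Z host=WS09 event=FileCreate pid=3100 image=C:\Program Files\Backup Agent\agent.exe target=C:\Users\svc\AppData\Local\Temp\scs1
"""

WINDOW = timedelta(seconds=60)                     # assumed: how close the two events must be
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")    # values may contain spaces (Program Files)
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\(scs[12])$", re.IGNORECASE)


def parse_line(line):
    """'<iso timestamp> key=value key=value ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = {m.group(1): m.group(2) for m in KV_RE.finditer(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text):
    """One alert per ntvdm.exe start that has scs1/scs2 created in a Temp dir on the same host within WINDOW."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, events in by_host.items():
        starts = [e for e in events if e["event"] == "ProcessCreate"
                  and e["image"].lower().endswith("\\ntvdm.exe")]
        drops = [(e, TEMP_DROP_RE.search(e.get("target", ""))) for e in events
                 if e["event"] == "FileCreate"]
        drops = [(e, m) for e, m in drops if m]
        for p in starts:
            names = sorted({m.group(1).lower() for e, m in drops if abs(e["ts"] - p["ts"]) <= WINDOW})
            if names:
                alerts.append({"host": host, "time": p["ts"].isoformat(), "ntvdm_parent": p["parent"],
                               # a parent living under C:\Users\... is a second, independent indicator
                               "parent_in_user_dir": "\\users\\" in p["parent"].lower(),
                               "files": names})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only WS17 produces an alert: the benign ntvdm.exe on WS04 and the lone scs1 on WS09 each match one half of the pattern, which is why the rule requires both on the same host inside the window rather than alerting on either alone. Note that a dropper that deletes scs1/scs2 immediately (as described above) leaves nothing on disk, so this has to run on process and file-creation telemetry, not on a later disk scan.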
*** Hopeleonie *** (IT Manager) Commented:
@bankwest
Did you upload _6FEFF9B68218417F98F549.exe to https://www.virustotal.com

and post us the results.
0
bankwestCTO/Cashier (Author) Commented:
From Virustotal:

SHA256: c4f9066fb57d067e02ccc2457ce48733d9a41e3f1918946bb89beb708da7be05
File name: _6FEFF9B68218417F98F549.exe
Detection ratio: 0 / 55  
Analysis date: 2014-10-01 18:43:52 UTC ( 1 day ago )  

 Probably harmless! There are strong indicators suggesting that this file is safe to use.


However, the analysis done by brendonfeeley says differently.
0
*** Hopeleonie *** (IT Manager) Commented:
Can you zip and upload the file for us?
I will analyse it as well.
0
brendonfeeley Commented:
VirusTotal, whilst a good start in your investigations, only serves to illustrate how unreliable anti-virus is in terms of detecting malicious files.

VirusTotal, and other services like this, simply scan the file for detection using various anti-virus products.

The problem with anti-virus is that it is trivial to evade. Products such as packers and crypters obfuscate files in such a manner that they are functionally identical but look completely different in terms of file content.

For example, a piece of malware may use the Windows API call URLDownloadToFile (http://msdn.microsoft.com/en-us/library/ie/ms775123%28v=vs.85%29.aspx) to download and execute further malicious files to the victim machine. This is common in droppers.

An anti-virus provider may choose to signature this API call and mark all files doing this as a dropper. Therefore, in this extreme example, any executable file that has this in its import table would trigger an AV alert.

However, take a known malicious file and pack it, even with something as simple as UPX, and the import table is changed and will no longer contain the API call (URLDownloadToFile in this example) and will no longer trigger AV.

That being said, don't misunderstand what I say. Anti-virus is good but be aware of its limitations.
0

bankwestCTO/Cashier (Author) Commented:
hopeleonie

Do you want it uploaded here as attachment (zipped)
0
David Johnson, CD, MVP (Owner) Commented:
Did you upload the file to virustotal.com, and what was the response? Uploading it here would not be a responsible action.
0
bankwestCTO/Cashier (Author) Commented:
David

Yes I did and posted the results above.    I don't want to upload here, that is why I asked hopeleonie where to upload it.

I wasn't clear in my response, so sorry about that.
0
*** Hopeleonie *** (IT Manager) Commented:
Then upload it to http://www.filedropper.com/ and post me the link.
Just told to upload it here because 99% it's not Malware.
0
bankwestCTO/Cashier (Author) Commented:
hopeleonie

Sorry to be a pain, but I don't want to use a pay service to upload one file.   I see there is a free trial, but......

Would you be willing to give me your email address and I will email the zipped file to you?
0
*** Hopeleonie *** (IT Manager) Commented:
http://www.filedropper.com/ is free. You just need to upload and post the link.

How to:
How to
0
bankwestCTO/Cashier (Author) Commented:
http://www.filedropper.com/6feff9b68218417f98f549_1  


Here is the link for the file download.   I was out of office for a week, so sorry about the delay.
0
*** Hopeleonie *** (IT Manager) Commented:
Hi

And what is the password?
0
bankwestCTO/Cashier (Author) Commented:
??   It didn't ask to set a password.   It did give this link to share the file.

?


http://www.filedropper.com/6feff9b68218417f98f549_1
0
*** Hopeleonie *** (IT Manager) Commented:
need your password for the zip
0
bankwestCTO/Cashier (Author) Commented:
I didn't think I created a password for the file.   It didn't ask to set one, it just provided the link I could share.
0
aadih Commented:
FWIW: your .exe file is downloadable in a zip file. No password required. It has been so since you posted it.
0