Solved

Is this file a Virus/Trojan

Posted on 2014-10-01
Last Modified: 2014-11-06
I have discovered a file that some sites say is a Trojan.

Could this be related at all to the Cryptowall virus?

_6FEFF9B68218417F98F549.EXE
Question by: bankwest

28 Comments
LVL 24

Expert Comment

by:aadih
ID: 40354993
Definitely suspicious. It'd be hard to say if it's related to cryptowall virus or not.
LVL 9

Expert Comment

by:dlb6597
ID: 40354995
Do you also have this path? "C:\Program Files\absolute software\absolute reminder\"

It appears to be part of the above app that is pre-installed on some manufacturers' PCs.

Author Comment

by:bankwest
ID: 40355029
No. I do not have that path that you referenced above.
LVL 24

Expert Comment

by:aadih
ID: 40355045
If you remember when this file appeared, you could do a system restore to an earlier time. The best way to system restore is to boot up in safe mode with command prompt and to type rstrui.exe to restore. It's worth a try.
LVL 9

Expert Comment

by:dlb6597
ID: 40355057
It is possible the application could have been uninstalled, and the file you are concerned about was left over.

This is the path where the file would be found if it was associated with absolute reminder.
Path:      C:\Windows\Installer\{40F4FF7A-B214-4453-B973-080B09CED019}\_6FEFF9B68218417F98F549.exe

More info here:

Here

Author Comment

by:bankwest
ID: 40355085
We discovered the infection on 9-30 from files changed and modified on 9-29.

This is in a network environment, so it is not a single PC that I could easily restore. We do have backups to restore files, but I am trying to find out WHERE, WHO, HOW we got the Cryptowall virus, so the file mentioned may not have anything to do with it, but I am trying to investigate.

And for dlb6597: No, there is nothing in the path for the Installer that you mentioned.
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40355164
The only real solution is to reimage everything from backups.
You may want to get the Cryptolocker Prevention Toolkit set of GPOs:

http://www.thirdtier.net/downloads/CryptolockerWaystoaddExemptions.pdf
LVL 4

Expert Comment

by:brendonfeeley
ID: 40355311
Do you have the file somewhere where you could send it to me in an encrypted archive?

I'd be more than happy to take a quick look at it in IDA to confirm what it is for you.

Author Comment

by:bankwest
ID: 40355427
If you will tell me how to send it to you, I will be happy to. I can put it in a zip file. Attach it here?

Email?
LVL 4

Expert Comment

by:brendonfeeley
ID: 40355434
Don't attach it here as it is probably malware. If you put it into a password protected zip file it will be encrypted and won't trigger anti-virus at any stage during sending.

If you message me, I'll give you my email address so you can send it over.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40355436
Or upload _6FEFF9B68218417F98F549.exe to https://www.virustotal.com
LVL 4

Expert Comment

by:brendonfeeley
ID: 40355682
Having looked at this in my analysis VM, this is definitely malware. Looks like a dropper. That is, it grabs further files for infection.

I found lots of information regarding the activity I observed by searching Google for the following:
ntvdm scs1 scs2

ntvdm is the process launched by the malware using the command line and scs1 and scs2 are created in the %TEMP% folder before being deleted.

The following links will be quite useful for your investigation:
https://www.virustotal.com/en/file/fce338990b1fd221cc5b3a76a455e191b31e610b477f2312d9d046e355f08424/analysis/
http://lavasoft.com/mylavasoft/malware-descriptions/blog/TrojanPSWWin32Zbot408fc130a6d

Specifically the Removal Instructions on the Lavasoft page.

Hope that helps.
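As an added illustration of the behaviour brendonfeeley describes (this is example code, not anything from the thread), the following Python correlates constructed Sysmon-style events: ntvdm.exe spawned from cmd.exe, followed within a few minutes by scs1/scs2 appearing in %TEMP%. Host names, user paths and timestamps are invented for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-like events (tab-separated: time, host, event type, detail).
# Hosts, users and times are made up for this example; only the ntvdm/scs1/scs2
# pattern comes from the analysis posted above.
SAMPLE_LOG = """\
2014-09-29T08:12:01\tws-017\tProcessCreate\tcmd.exe -> ntvdm.exe
2014-09-29T08:12:02\tws-017\tFileCreate\tC:\\Users\\bob\\AppData\\Local\\Temp\\scs1
2014-09-29T08:12:02\tws-017\tFileCreate\tC:\\Users\\bob\\AppData\\Local\\Temp\\scs2
2014-09-29T08:12:05\tws-017\tFileDelete\tC:\\Users\\bob\\AppData\\Local\\Temp\\scs1
2014-09-29T09:00:00\tws-042\tProcessCreate\texplorer.exe -> ntvdm.exe
2014-09-29T09:30:00\tws-042\tFileCreate\tC:\\Users\\ann\\AppData\\Local\\Temp\\scs1
2014-09-29T10:00:00\tws-099\tFileCreate\tC:\\Users\\jo\\AppData\\Local\\Temp\\scs2
"""

# scs1 or scs2 written directly under a ...\Temp\ directory.
TEMP_MARKER = re.compile(r"\\Temp\\scs[12]$", re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # how long after the launch the temp files may appear


def parse(log):
    """Turn the tab-separated lines into (datetime, host, kind, detail) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, kind, detail = line.split("\t", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def find_dropper_hosts(log, window=WINDOW):
    """Return {host: [temp paths]} for hosts where cmd.exe launched ntvdm.exe
    and scs1/scs2 were created in %TEMP% within `window` of that launch.
    A ntvdm launch from another parent, or temp files with no launch, is ignored."""
    by_host = defaultdict(list)
    for ev in parse(log):
        by_host[ev[1]].append(ev)
    hits = {}
    for host, evs in by_host.items():
        launches = []
        for t, _, kind, detail in evs:
            parent, _, image = detail.partition(" -> ")
            if kind == "ProcessCreate" and image.lower() == "ntvdm.exe" \
                    and parent.lower() == "cmd.exe":
                launches.append(t)
        temps = [(t, d) for t, _, k, d in evs if k == "FileCreate" and TEMP_MARKER.search(d)]
        for launched_at in launches:
            near = [d for t, d in temps if launched_at <= t <= launched_at + window]
            if near:
                hits[host] = near
    return hits
```

With the sample above only ws-017 is flagged; ws-042 saw ntvdm.exe from explorer.exe and ws-099 only a stray temp file, so neither matches the full sequence.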
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40357769
@bankwest
Did you upload _6FEFF9B68218417F98F549.exe to https://www.virustotal.com and post the results for us?

Author Comment

by:bankwest
ID: 40357919
From Virustotal:

SHA256: c4f9066fb57d067e02ccc2457ce48733d9a41e3f1918946bb89beb708da7be05
File name: _6FEFF9B68218417F98F549.exe
Detection ratio: 0 / 55  
Analysis date: 2014-10-01 18:43:52 UTC ( 1 day ago )  

 Probably harmless! There are strong indicators suggesting that this file is safe to use.


However, the analysis done by brendonfeeley says differently.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40357942
Can you zip and upload the file for us?
I will also analyse it.
LVL 4

Accepted Solution

by: brendonfeeley (earned 500 total points)
ID: 40357957
VirusTotal, whilst a good start in your investigations, only serves to illustrate how unreliable anti-virus is in terms of detecting malicious files.

VirusTotal, and other services like this, simply scan the file for detection using various anti-virus products.

The problem with anti-virus is that it is trivial to evade. Products such as packers and crypters obfuscate files in such a manner that they are functionally identical but look completely different in terms of file content.

For example, a piece of malware may use the Windows API call URLDownloadToFile (http://msdn.microsoft.com/en-us/library/ie/ms775123%28v=vs.85%29.aspx) to download and execute further malicious files to the victim machine. This is common in droppers.

An anti-virus provider may choose to signature this API call and mark all files doing this as a dropper. Therefore, in this extreme example, any executable file that has this in its import table would trigger an AV alert.

However, take a known malicious file and pack it, even with something as simple as UPX, and the import table is changed and will no longer contain the API call (URLDownloadToFile in this example) and will no longer trigger AV.

That being said, don't misunderstand what I say. Anti-virus is good, but be aware of its limitations.

Author Comment

by:bankwest
ID: 40358093
hopeleonie

Do you want it uploaded here as an attachment (zipped)?
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40358172
Did you upload the file to virustotal.com, and what was the response? Uploading it here would not be a responsible action.

Author Comment

by:bankwest
ID: 40358209
David

Yes, I did, and I posted the results above. I don't want to upload it here; that is why I asked hopeleonie where to upload it.

I wasn't clear in my response, so sorry about that.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40358721
Then upload it to http://www.filedropper.com/ and post me the link.
I just told you to upload it here because 99% it's not malware.

Author Comment

by:bankwest
ID: 40359386
hopeleonie

Sorry to be a pain, but I don't want to use a pay service to upload one file. I see there is a free trial, but...

Would you be willing to give me your email address and I will email the zipped file to you?
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40361828
http://www.filedropper.com/ is free. You just need to upload and post the link.

How to:
How to

Author Comment

by:bankwest
ID: 40379859
http://www.filedropper.com/6feff9b68218417f98f549_1

Here is the link for the file download. I was out of office for a week, so sorry about the delay.
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40388637
Hi

And what is the password?

Author Comment

by:bankwest
ID: 40391950
It didn't ask me to set a password. It did give this link to share the file:

http://www.filedropper.com/6feff9b68218417f98f549_1
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 40418433
I need your password for the zip.

Author Comment

by:bankwest
ID: 40419414
I didn't think I created a password for the file. It didn't ask me to set one; it just provided the link I could share.
LVL 24

Expert Comment

by:aadih
ID: 40419424
FWIW: your .exe file is downloadable in a zip file. No password required. It has been so since you posted it.