Solved

Is this file a Virus/Trojan

Posted on 2014-10-01
28
602 Views
Last Modified: 2014-11-06
I have discovered a file that some sites say is a Trojan.

Could this be related at all to the Cryptowall virus????


_6FEFF9B68218417F98F549.EXE
Question by:bankwest
28 Comments
 
LVL 24

Expert Comment

by:aadih
Definitely suspicious. It'd be hard to say if it's related to cryptowall virus or not.
0
 
LVL 9

Expert Comment

by:dlb6597
do you also have this path? "C:\Program Files\absolute software\absolute reminder\"

It appears to be part of the above app that is pre-installed on some manufacturers' PCs.
0
 

Author Comment

by:bankwest
No.....    I do not have that path that you reference above.
0
 
LVL 24

Expert Comment

by:aadih
If you remember when this file appeared, you could do a system restore to an earlier time.  The best way to system restore is to boot up in safe mode with command prompt and to type rstrui.exe to restore. It's worth a try.
0
 
LVL 9

Expert Comment

by:dlb6597
it is possible the application could have been uninstalled, and the file you are concerned about was leftover...

This is the path where the file would be found if it was associated with absolute reminder.
Path:      C:\Windows\Installer\{40F4FF7A-B214-4453-B973-080B09CED019}\_6FEFF9B68218417F98F549.exe

More info here:

Here
0
 

Author Comment

by:bankwest
We discovered the infection on 9-30 from files changed and modified on 9-29.

This is in a network environment, so not a single PC to easily do a restore.      We do have backups to restore files, but I am trying to find out WHERE, WHO, HOW we got the Cryptowall virus, so the file mentioned may not have anything to do with it, but I am trying to investigate......

And for dlb6597...  No, There is nothing in the path for the Installer that you mentioned.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
The only real solution is to reimage everything from backups
You may want to get the Cryptolocker Prevention Toolkit set of GPO's

http://www.thirdtier.net/downloads/CryptolockerWaystoaddExemptions.pdf
0
 
LVL 4

Expert Comment

by:brendonfeeley
Do you have the file somewhere where you could send it to me in an encrypted archive?

I'd be more than happy to take a quick look at it in IDA to confirm what it is for you.
0
 

Author Comment

by:bankwest
If you will tell me how to send to you, I will be happy to.  I can put in a zip file.  Attach it here?

Email????
0
 
LVL 4

Expert Comment

by:brendonfeeley
Don't attach it here as it is probably malware. If you put it into a password protected zip file it will be encrypted and won't trigger anti-virus at any stage during sending.

If you message me, I'll give you my email address so you can send it over.
0
 
LVL 18

Expert Comment

by:hopeleonie
Or upload _6FEFF9B68218417F98F549.exe to https://www.virustotal.com
0
 
LVL 4

Expert Comment

by:brendonfeeley
Having looked at this in my analysis VM, this is definitely malware. Looks like a dropper. That is, it grabs further files for infection.

I found lots of information regarding the activity I observed by searching Google for the following:
ntvdm scs1 scs2

ntvdm is the process launched by the malware using the command line and scs1 and scs2 are created in the %TEMP% folder before being deleted.

The following links will be quite useful for your investigation:
https://www.virustotal.com/en/file/fce338990b1fd221cc5b3a76a455e191b31e610b477f2312d9d046e355f08424/analysis/
http://lavasoft.com/mylavasoft/malware-descriptions/blog/TrojanPSWWin32Zbot408fc130a6d

Specifically the Removal Instructions on the Lavasoft page.

Hope that helps.
0
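A defender's way to turn that observation into a detection, as an added example that is not part of this thread: it correlates constructed Sysmon-style process and file events and flags ntvdm.exe launched by a parent outside a small allowlist together with scs1/scs2 appearing in %TEMP% and being deleted again shortly after. The event layout, the parent allowlist and the 60 s window are assumptions made for the demo.

```python
# Added example, not code from this thread: correlate constructed, Sysmon-style
# events (layout, parent allowlist and 60 s window are assumptions for the demo).
from datetime import datetime, timedelta

NORMAL_NTVDM_PARENTS = {"explorer.exe", "cmd.exe", "wowexec.exe"}   # assumed benign launchers
TEMP_ARTIFACTS = {"scs1", "scs2"}                                   # names reported in the thread
WINDOW = timedelta(seconds=60)

def _ts(s): return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
def _base(path): return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """One finding per ntvdm.exe launch from a non-allowlisted parent, with the %TEMP% artifacts seen on that host within WINDOW."""
    findings = []
    for launch in events:
        if launch["type"] != "ProcessCreate" or _base(launch["image"]) != "ntvdm.exe" \
                or _base(launch["parent"]) in NORMAL_NTVDM_PARENTS:
            continue
        t0, seen = _ts(launch["time"]), {}
        for e in events:
            if e["host"] != launch["host"] or e["type"] not in ("FileCreate", "FileDelete"):
                continue
            name = _base(e["path"])
            if name in TEMP_ARTIFACTS and "\\temp\\" in e["path"].lower() \
                    and abs(_ts(e["time"]) - t0) <= WINDOW:
                seen.setdefault(name, set()).add(e["type"])      # which event kinds touched the file
        findings.append({
            "host": launch["host"], "parent": launch["parent"], "artifacts": sorted(seen),
            "created_then_deleted": bool(seen) and all(v == {"FileCreate", "FileDelete"} for v in seen.values()),
        })
    return findings

TEMP = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [  # constructed sample events
    {"time": "2014-09-29 14:02:10", "host": "WS01", "type": "ProcessCreate",
     "image": "C:\\Windows\\System32\\ntvdm.exe", "parent": TEMP + "_6FEFF9B68218417F98F549.exe"},
    {"time": "2014-09-29 14:02:11", "host": "WS01", "type": "FileCreate", "path": TEMP + "scs1"},
    {"time": "2014-09-29 14:02:11", "host": "WS01", "type": "FileCreate", "path": TEMP + "scs2"},
    {"time": "2014-09-29 14:02:15", "host": "WS01", "type": "FileDelete", "path": TEMP + "scs1"},
    {"time": "2014-09-29 14:02:15", "host": "WS01", "type": "FileDelete", "path": TEMP + "scs2"},
    # benign: a user running a 16-bit tool from a console on another host
    {"time": "2014-09-29 14:05:00", "host": "WS02", "type": "ProcessCreate",
     "image": "C:\\Windows\\System32\\ntvdm.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS): print(finding)
```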
 
LVL 18

Expert Comment

by:hopeleonie
@bankwest
Did you upload _6FEFF9B68218417F98F549.exe to https://www.virustotal.com

and post us the results.
0
 

Author Comment

by:bankwest
From Virustotal:

SHA256: c4f9066fb57d067e02ccc2457ce48733d9a41e3f1918946bb89beb708da7be05
File name: _6FEFF9B68218417F98F549.exe
Detection ratio: 0 / 55  
Analysis date: 2014-10-01 18:43:52 UTC ( 1 day ago )  

 Probably harmless! There are strong indicators suggesting that this file is safe to use.


However, the analysis done by brendonfeeley says differently.
0
 
LVL 18

Expert Comment

by:hopeleonie
Can you zip and upload the file for us?
I will also analyse it.
0
 
LVL 4

Accepted Solution

by:
brendonfeeley earned 500 total points
VirusTotal, whilst a good start in your investigations, only serves to illustrate how unreliable anti-virus is in terms of detecting malicious files.

VirusTotal, and other services like this, simply scan the file for detection using various anti-virus products.

The problem with anti-virus is that it is trivial to evade. Products such as packers and crypters obfuscate files in such a manner that they are functionally identical but look completely different in terms of file content.

For example, a piece of malware may use the Windows API call URLDownloadToFile (http://msdn.microsoft.com/en-us/library/ie/ms775123%28v=vs.85%29.aspx) to download and execute further malicious files to the victim machine. This is common in droppers.

An anti-virus provider may choose to signature this API call and mark all files doing this as a dropper. Therefore, in this extreme example, any executable file that has this in its import table would trigger an AV alert.

However, take a known malicious file and pack it, even with something as simple as UPX, and the import table is changed and will no longer contain the API call (URLDownloadToFile in this example) and will no longer trigger AV.

That being said, don't misunderstand what I say. Anti-virus is good but be aware of its limitations.
0
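To show the kind of static clue that does survive packing, here is an added example (not code from this thread or from any product named in it): a small Python triage script that walks a PE file's section table and reports packer-style section names and high-entropy sections, the traces a packer such as UPX leaves once the original import table is gone. The two sample PE images it checks are constructed inside the script, and the 7.0 bits/byte threshold is an assumption.

```python
# Added example, not code from this thread: static triage of a PE by section names
# and per-section Shannon entropy, the clues left once a packer has hidden the imports.
import math
import random
import struct
from collections import Counter
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means random-looking (compressed or encrypted)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for every IMAGE_SECTION_HEADER in a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]                  # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]             # SizeOfOptionalHeader
    for i in range(nsec):
        off = pe + 24 + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, data[raw_ptr:raw_ptr + raw_size]

def triage(data: bytes, threshold: float = 7.0) -> list:
    """Packer indicators: UPX-style section names and sections above the entropy threshold."""
    findings = []
    for name, raw in pe_sections(data):
        ent = shannon_entropy(raw)
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: packer-style section name")
        if ent > threshold:
            findings.append(f"{name}: entropy {ent:.2f} bits/byte")
    return findings

def build_pe(sections) -> bytes:
    """Constructed, header-only PE (not executable) so the demo runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    hdrs, bodies, ptr = b"", b"", 0x40 + 24 + 40 * len(sections)
    for name, raw in sections:
        hdrs += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr) + b"\0" * 16
        bodies, ptr = bodies + raw, ptr + len(raw)
    return dos + coff + hdrs + bodies
_rng = random.Random(1)   # deterministic "packed" body: random-looking bytes
UNPACKED_SAMPLE = build_pe([(b".text", b"\x55\x8b\xec\x33\xc0" * 40),
                            (b".rdata", b"urlmon.dll\0URLDownloadToFileA\0".ljust(64, b"\0"))])
PACKED_SAMPLE = build_pe([(b"UPX0", b""), (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))])

if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample) or ["no packer indicators"])
```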
 

Author Comment

by:bankwest
hopeleonie

Do you want it uploaded here as attachment (zipped)
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
Did you upload the file to virustotal.com and what was the response.. uploading it here would not be a responsible action.
0
 

Author Comment

by:bankwest
David

Yes I did and posted the results above.    I don't want to upload here, that is why I asked hopeleonie where to upload it.

I wasn't clear in my response, so sorry about that.
0
 
LVL 18

Expert Comment

by:hopeleonie
Then upload it to http://www.filedropper.com/ and post me the link.
Just told you to upload it here because 99% it's not malware.
0
 

Author Comment

by:bankwest
hopeleonie

Sorry to be a pain, but I don't want to use a pay service to upload one file.   I see there is a free trial, but......

Would you be willing to give me your email address and I will email the zipped file to you?
0
 
LVL 18

Expert Comment

by:hopeleonie
http://www.filedropper.com/ is free. You just need to upload and post the link.

How to:
How to
0
 

Author Comment

by:bankwest
http://www.filedropper.com/6feff9b68218417f98f549_1  


Here is the link for the file download.   I was out of office for a week, so sorry about the delay.
0
 
LVL 18

Expert Comment

by:hopeleonie
Hi

And what is the password?
0
 

Author Comment

by:bankwest
??   It didn't ask to set a password.   It did give this link to share the file.

?


http://www.filedropper.com/6feff9b68218417f98f549_1
0
 
LVL 18

Expert Comment

by:hopeleonie
need your password for the zip
0
 

Author Comment

by:bankwest
I didn't think I created a password for the file.   It didn't ask to set one, it just provided the link I could share.
0
 
LVL 24

Expert Comment

by:aadih
FWIW: your .exe file is downloadable in a zip file. No password required. It has been so since you posted it.
0