rambling 04.04.20 01:26 am

The DoublePulsar virus (backdoor) and the miner (WINSec.exe/msiexev.exe)

First, an important thing I found out after studying the problem in detail: the miner is just a symptom. It gets onto the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the National Security Agency of the United States were leaked. These utilities immediately got into the hands of all and sundry, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything at all can appear on the computer through the backdoor, so I am waiting for further developments.
My virus survived a hard disk format, removal of the hard disk partitions, re-flashing the BIOS and the router, formatting the USB stick with Windows, and trying to install Windows from another image - all to no avail. Still, 2 weeks later, nobody has found the source of this backdoor on the computer. So if you have the miner described in this thread, it more than likely means a backdoor has appeared through which this miner is downloaded.

At the moment there is only one remedy: urgently update Windows to the latest updates and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was removed in a recent update. It knocks on the backdoor via port 445.

And please note: the latest version of the miner downloads files marked as system files. So to see them, don't forget to enable viewing of system files in Folder Options.

Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is a Russian version there too, but I gave all the important info above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you have the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is not yet known whether this (originally server-side) thing is going around the servers of Internet service providers, or simply roams the network in search of victims.

----------------------------

The situation: if I leave the computer for, say, 10 minutes, the CPU load (Core i5 3570 @ 4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).

The computer spontaneously rebooted when I was away from it for about 30 minutes. There is definitely no overheating, even under 90% load (the temperature rises to 65, but that is very far from actual overheating).

And I just noticed that the open (minimized) Task Manager suddenly shut down by itself.

--------------

The bottom line: yes, I think by all indications it is a very smart-ass miner. But here's the problem - I formatted just yesterday. The problem was there both before that and after. And I haven't installed any software, games or updates for a month. And I haven't downloaded anything new. So how it got in is unclear.

Any suggestions on catching this marvel?

UPDATE:
Now found this:

C:\Windows\Security\WINSec.exe

Eating 70-75% of the CPU. Never seen it in my life. I'll Google it now. But I suspect that's where the trouble is.

UPDATE 2:
VirusTotal scan of the file:

https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/

PS If anyone can find clear info on this wonder, I'd appreciate it. Google only gives some vague bits and pieces.
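The post recommends two defensive steps: install the update and close port 445. As an added example (not code from the original post), here is a PowerShell check of whether SMBv1 and inbound TCP/445 are still exposed on the host, with a second function that applies both steps. It assumes Windows 8 / Server 2012 or newer (for the SmbShare and NetSecurity cmdlets) and an elevated session; the firewall rule name is chosen here, not taken from the thread.

```powershell
# Added example: check SMBv1 / port 445 exposure and harden it (not code from the thread).
# Assumes Windows 8 / Server 2012 or newer and an elevated PowerShell session.
$RuleName = 'Block inbound TCP 445 (incident response)'   # name chosen here, not from the thread

function Get-Smb445Exposure {
    # Server-side SMB dialects, whether anything listens on 445, and whether our block rule exists
    $smb      = Get-SmbServerConfiguration
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $rule     = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled      = $smb.EnableSMB1Protocol    # the dialect the leaked exploit targets
        Smb2Enabled      = $smb.EnableSMB2Protocol
        Listening445     = [bool]$listener
        BlockRulePresent = [bool]$rule
        # Most recently installed updates, to confirm the April 2017 security update is present
        RecentHotfixes   = (Get-HotFix | Sort-Object InstalledOn -Descending |
                            Select-Object -First 5 -ExpandProperty HotFixID) -join ', '
    }
}

function Set-Smb445Hardening {
    # 1. Turn the SMBv1 dialect off at the server and remove the optional feature (reboot finishes it).
    #    Client SKUs expose it as the SMB1Protocol optional feature; on Server use Remove-WindowsFeature FS-SMB1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null

    # 2. Block inbound 445 at the host firewall. Safe on a workstation that shares nothing;
    #    on a file server scope the rule with -RemoteAddress to the subnets that need shares instead.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
                            -Action Block -Profile Any | Out-Null
    }
}

Get-Smb445Exposure | Format-List
# Set-Smb445Hardening                # run once the exposure output has been reviewed
# Get-Smb445Exposure | Format-List   # confirm: Smb1Enabled False, BlockRulePresent True
```

Run the check first, apply the hardening, then run the check again; the second output should show `Smb1Enabled` false and `BlockRulePresent` true. Blocking 445 at the host does not replace the update: it stops new inbound SMB connections, but an implant already resident on the machine is a separate clean-up problem, which is what the rest of this thread is about.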
236 Comments
JUnnAmmED 04.04.20

rambling
I had the same trouble, but what helped me was finding the process in Task Manager (you have to be very fast to have time to click on the process and go to its location before it's gone) and simply deleting it (but after deleting one, others can start to appear, though with less system load. I had them in the same way, but in other locations and with almost the same names).

rambling 04.04.20

JUnnAmmED

What was your process? I'm more and more convinced that it's this Winsec.exe. As I wrote, it eats 75%, plus there is no FileDescription or CompanyName, and Microsoft usually signs its files.

UPDATE: Stopped the process - it went from 75% to 0. File modified: today, April 29, 2017, 2 hours ago. Quite strange, because I don't think this Windows component is modified that often. And with Auto Updates disabled, too.
By the way, after I stopped the process it restarted...

zuuc 04.04.20

Read here https://www.bleepingcomputer.com/startups/Winsec.exe-18481.html
This thing is a virus of some sort.

zuuc 04.04.20

In Windows there is no such file.

Mur6666 04.04.20

rambling
Try cleaning the computer with Kaspersky Virus Removal Tool, a free utility from the company's official site. I had the same problem: the video card was constantly under load, the utility ran and found the miner, removed it safely, and no more problems.

rambling 04.04.20

zuuc

Thanks, that's helpful. The only discrepancy is that the file described there is located in %System%, while mine is in Windows\Security. But apparently it's a virus in any case.

I just looked through the install.wim of the Windows image, and there is no WINSec file in it at all. It seems the file didn't come from the installation.

zuuc wrote:
In Windows there is no such file.
Yeah, just noticed that.

PS Deleted the file - it was immediately restored. Process Explorer shows that its parent is C:\Windows\Prefetch\secscan.exe.

rambling 04.04.20

A separate post for this: removed the parent, and then the file itself. Nothing is restored, everything is fine. But I am very concerned that the virus is somewhere in my files, given that it survived the format. Nothing to do but keep digging. Thank you all.

JUnnAmmED 04.04.20

rambling
Mine tried to disguise itself as an NVIDIA driver. The main one was called, I think, nvscp32.exe, I can't remember exactly now. It lay in its own folder (for example Temp183) and in the folders MS and NV. Full path - C:\Users\username\AppData\Roaming. It was a month and a half ago. Neither reinstalling Windows nor antivirus (Kaspersky, Dr.Web, Avast) cleaned it out completely; after a reboot it reappeared. Moreover, after removal with the Dr.Web tool it could come back even without a reboot. CPU loaded to 100% (i5-2320). By the way, it appeared exactly the same way, literally out of nothing.

zuuc 04.04.20

rambling
It may not be in your files. For example, a website infected with this crap: you went there and it immediately pulled you in, and it writes itself into startup. And then you need to clean the registry, otherwise after a reboot or the next time you turn on the computer it can get into your system again.

rambling 04.04.20

zuuc wrote:
It may not be in your files. For example, a website infected with this crap: you went there and it immediately pulled you in.
Oh, I didn't think about that. This is very, very likely. I have been through hell knows what shady mirrors to get to Pirate Bay. There's a whole bunch of crap on the opening pages, banners and other junk. I suspect it's from there. I'll stay off it again and see whether it appears or not. In any case I already know how to remove it and am going to format anyway.
In the registry there is no mention of these files.

JUnnAmmED wrote:
Full path - C:\Users\username\AppData\Roaming
Now I remember - yes, I also caught and removed that early on. Fortunately it hasn't resurfaced.

zuuc 04.04.20

rambling
try to find it here too: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and here: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

rambling 04.04.20

zuuc
No. That is quite strange, because it restarted the computer (why?). I'm generally not concerned about its startup entry, because I'm going to format anyway. I'm more concerned about where it came from. So now I'm trying to reconstruct the sequence of actions since the last format (the day before) and monitoring Prefetch\Temp.
But I'm definitely not going to the shady Bay mirror anymore.

zuuc 04.04.20

rambling
Good luck

rambling 04.04.20

zuuc
Thank you, and thank you for your help.

oscarbin 04.04.20

Hi, comrades.
Apparently got the same miner a few days ago. First found the DHSWIQU service, and among the processes a fake wininit.exe. A very good option is to search the files on the disk (date modified: 26.04.2017 .. 01.05.2017) - or the date when you noticed the activity/picked it up. Then sort by type and see which exe and bat files appeared during this time and which new files were created in Windows. See which folders were suspiciously updated on those dates. That way I was able to identify most of the bogus files and changes. In the root of Windows I found start.bat, which creates
%windir%\db.sdb
%windir%\Prefetch\secscan.exe
%windir%\security\WINSec.exe
accordingly, these need to be removed/cut out. Looking further, I found in the root of Windows csrss.exe (the original should live in system32), un.exe, winsxslog.rar (which is actually the miner) and the winsxslog folder with the files from which it runs. And in the browser's temporary files 1[1].exe, which probably was the source of this garbage. Kaspersky catches winsxslog.rar as a miner (RiskTool.Win64.BitCoinMiner), drweb caught nothing (that was the version from 29.04, when I first found it; maybe by now it catches everything).
Inside the winsxslog.rar archive are SystemIISSec.exe and SystemIIS.exe, which may still pop up somewhere in temporary files.
In Windows\Temp, new files of the form s1kk.exe and so on. In the registry, found secscan.exe in the services.
After the sudden wrongful restart, noticed a suspicious process secscan.exe using Process Explorer, which immediately closed if you opened Task Manager. And thanks to this topic I started looking, thanks.

For the winsxslog miner, a search engine turns up this article:
odminblog.EN/cpu-miner-exploit-windows/

update
Fresh CureIt catches secscan.exe and 1[1].exe as Virus.Spy.422,
and WINSec.exe as Tool.BtcMine.948
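The method in the post above, search the disk by modification date, then sort by type and look at which exe and bat files appeared in the Windows folder, is the kind of thing worth scripting so it can be repeated after every reboot. The following PowerShell is an added example, not code from the thread or from any of the tools named in it. It lists executables, scripts and archives written under %windir% inside a date window, shows Authenticode status and the Hidden/System attributes (the earlier post notes the miner marks its files as system files), and flags the file names reported in this thread. The date window and the name list are taken from the posts; they are page-specific and should be replaced for any other incident.

```powershell
# Added example (not from the thread): date-window triage of %windir% with signature status.
# Window and file names below come from the posts in this thread; adjust both for your incident.
$Start = Get-Date '2017-04-26'
$End   = Get-Date '2017-05-01 23:59:59'

# Names reported in this thread (page-specific; not a general indicator list)
$ReportedNames = 'WINSec.exe','secscan.exe','msiexev.exe','wuaupdate.exe','start.bat','db.sdb',
                 'un.exe','winsxslog.rar','SystemIISSec.exe','SystemIIS.exe','1[1].exe','s1kk.exe'

function Get-RecentWindowsBinaries {
    param([datetime]$From = $Start, [datetime]$To = $End, [string]$Root = $env:windir)

    # -Force includes Hidden and System files, which the default listing (like Explorer) skips
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match '^\.(exe|dll|bat|cmd|ps1|vbs|rar|sdb)$' -and
                       $_.LastWriteTime -ge $From -and $_.LastWriteTime -le $To } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path         = $_.FullName
                LastWrite    = $_.LastWriteTime
                SizeKB       = [math]::Round($_.Length / 1KB, 1)
                Hidden       = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                System       = [bool]($_.Attributes -band [IO.FileAttributes]::System)
                Signature    = if ($sig) { $sig.Status } else { 'n/a' }   # Valid / NotSigned / HashMismatch ...
                Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                ReportedName = $ReportedNames -contains $_.Name
                # csrss.exe belongs in System32; a copy in the Windows root is what the post found
                OutOfPlace   = ($_.Name -ieq 'csrss.exe' -and $_.DirectoryName -ine "$env:windir\System32")
            }
        }
}

$recent = Get-RecentWindowsBinaries

# Triage order: names from the thread and misplaced system binaries first, then by write time
$recent |
    Sort-Object @{Expression='ReportedName';Descending=$true}, @{Expression='OutOfPlace';Descending=$true}, LastWrite |
    Format-Table Path, LastWrite, Signature, Hidden, System, ReportedName, OutOfPlace -AutoSize

# The "what appeared in this window, by type" view the post describes
$recent | Group-Object { [IO.Path]::GetExtension($_.Path).ToLower() } | Select-Object Name, Count

# Unsigned files only; a genuine Windows servicing update leaves signed binaries behind
$recent | Where-Object { $_.Signature -ne 'Valid' } | Select-Object Path, LastWrite, Signature
```

The unsigned-only view at the end is the useful filter: a real update writes Microsoft-signed binaries, so an unsigned exe or bat with a fresh timestamp under the Windows folder is worth a look on its own, regardless of whether its name matches anything in this thread. Extend `$Root` to the user profile (`$env:USERPROFILE`) to cover the AppData\Roaming location mentioned earlier in the discussion.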

rambling 04.04.20

oscarbin

The intrigue continues. All of this is purely from my experience with this miner.

1) the miner survives a format.
2) It's not like it's in any of my files, because I haven't modified them for a long time and haven't downloaded anything (absolutely nothing).
3) the miner disguises itself as a Windows service and renames itself. I used to have secscan.exe (the parent process) and WINSec.exe. After the format it was wuaupdate.exe (the parent process; it was called something like that, I can't remember exactly) and msiexev.exe. Although the miner and the parent are exactly the same.
4) This miner shuts down when you call up Task Manager, to avoid detection. But if Task Manager stays open, about five minutes in, its parent process closes it and restarts the miner. With Process Explorer this does not happen.
5) The parent process, for some reason, restarts the computer after half an hour of the user being away from the computer. Very rarely it can reboot the computer while you are working. In that case a critical error appears saying the computer will restart in a minute.

And now the main intrigue. I dug through all my files and did not find the virus, although it survived as many as two formats. But as soon as I reset the router, for 24 hours neither the parent process file nor the miner came back. From which I conclude that, as one option, something snuck into the router and it redirects to download this miner.
This is supported by the fact that the files on my desktop computer and on the laptop are absolutely identical, including absolutely all the installed programs and games. And the laptop has the virus too. And the laptop is connected via Wi-Fi (don't know whether this has any bearing on how the miner jumps over or not).

And the last one. Overwatch constantly crashes for me with various error codes (only that game), even after reformatting, even on older driver versions. And it crashes at intervals from several minutes to several seconds. A couple of days ago this wasn't happening. This is not a problem with the game (since nobody else has crashes at such a frequency) or the drivers. Anyway, it seems this is also related to the virus. I just can't imagine why it got its paws into Overwatch. Maybe the parent process is downloading some kind of virus. It is difficult to say. All of this is after removing the miner and the parent process.

oscarbin wrote:
start.bat
db.sdb
csrss.exe
un.exe
winsxslog.rar
winsxslog
I only have it there... And there.

By the way, this miner is very current right now. From what I dug up in Google, many people caught it in the last few days.
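Two of the observations in the post above are things a defender can check directly rather than by watching Task Manager: the miner has a parent process that respawns it (points 3 and 4), and something requests a restart after half an hour of idleness (point 5). As an added example (not code from the thread), this PowerShell builds a parent/child view of running processes from WMI, flagging images that live under the Windows folder but outside System32/SysWOW64 (the Prefetch and Security locations named in this thread) or that are unsigned, and then pulls the System log events that record who asked for a shutdown. Since the miner reacts to Task Manager but, per the post, not to Process Explorer, a script is another observer it has no reason to look for.

```powershell
# Added example (not from the thread): parent/child process view plus shutdown events.
# Works on any supported Windows; run elevated to see other users' processes and full paths.
function Get-ProcessTreeView {
    $procs = Get-CimInstance Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        if (-not $p.ExecutablePath) { continue }        # System, Idle and protected processes have none
        $parent     = $byId[[int]$p.ParentProcessId]
        $inWindows  = $p.ExecutablePath -like "$env:windir\*"
        $inSystem32 = ($p.ExecutablePath -like "$env:windir\System32\*") -or
                      ($p.ExecutablePath -like "$env:windir\SysWOW64\*")
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            ParentPid   = $p.ParentProcessId
            # A parent that has already exited is itself worth noting: the launcher ran and left
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
            Signature   = if ($sig) { $sig.Status } else { 'n/a' }
            # e.g. \Windows\Prefetch\secscan.exe or \Windows\Security\WINSec.exe from this thread
            OddLocation = $inWindows -and -not $inSystem32
            Started     = $p.CreationDate
        }
    }
}

# 1074: a process requested shutdown/restart (the message names the process and the user).
# 6008: the previous shutdown was unexpected.  41: Kernel-Power, rebooted without a clean shutdown.
function Get-RecentShutdownEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6008, 41
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
                      @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

# Only the processes worth a second look: unusual location or not validly signed
Get-ProcessTreeView |
    Where-Object { $_.OddLocation -or $_.Signature -ne 'Valid' } |
    Sort-Object ParentPid, Pid |
    Format-Table Pid, Name, Path, Parent, ParentPath, Signature, Started -AutoSize

Get-RecentShutdownEvents | Format-Table TimeCreated, Id, Message -Wrap
```

Read the two outputs together: if the 1074 message names a process from the first table as the one that "initiated the restart", that ties the unexplained reboot to the launcher rather than to hardware or heat, which is the distinction the post is trying to make. Killing the child alone is what the thread found to be useless; the parent (and its autostart entry) has to go first.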

ExxErr 04.04.20

Scan the computer with this program - Malwarebytes Anti-Malware.
I have two systems; after scanning I was surprised to find a dozen miners, although the antiviruses remained stubbornly silent. And their presence showed in other things, too.

rambling 04.04.20

ExxErr

Already scanned with different programs, including Malwarebytes. The miner itself it catches, but its source remains unknown. The miner appears after a format almost immediately, within a couple of hours. Given that I literally didn't install anything and didn't even run anything, the source of the miner is hard to find. And no, it's definitely not on the drive with Windows. I formatted and reinstalled from a Windows image from 2016.
So as I wrote in the previous post, suspicion falls on the router.

Ves V Belom 04.04.20

Is it possible to connect to the network bypassing the router? This would confirm your theory: if the miner lights up again, then it's not the router.

SKVERNING1 04.04.20

Wabmig.exe, hiding in Windows Mail folders that create themselves in User\AppData\Roaming, disguised as a games folder. Killed it by completely removing this stuff (using Unlocker) and removing the entry from startup / scheduled tasks (with the help of CCleaner).
This is exactly the kind of Chinese miner that loads up my video card and makes it hot; got it after some recent repack. I hope the information will be useful to someone...
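Several posts in this thread point at the same autostart locations: zuuc's two Run keys, oscarbin's secscan.exe service entry, and the startup / scheduled-task entries in the last post. As an added example (not code from the thread or from any of the tools mentioned in it), the PowerShell below enumerates all of those from one place and flags entries whose binary is missing, unsigned, or lives where this thread found the files (Windows root, Prefetch, Security, AppData\Roaming, Temp). It assumes an elevated session; Get-ScheduledTask needs Windows 8 / Server 2012 or newer, and the HKCU keys cover only the user running the script.

```powershell
# Added example (not from the thread): enumerate Run keys, services and scheduled tasks,
# resolve each entry to its image file, and flag missing, unsigned or oddly placed binaries.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Pull the executable out of a command line:  "C:\x y\z.exe" -a   or   C:\x\z.exe -a
# Limitation: an unquoted path containing spaces is cut at the first space.
function Get-ImageFromCommand([string]$Command) {
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(\S+\.(exe|bat|cmd|vbs|ps1))') { return $Matches[1] }   # -match is case-insensitive
    return ($c -split '\s+')[0]
}

# Locations this thread reports: Windows folder outside System32/SysWOW64, roaming profile, Temp
function Test-OddLocation([string]$Path) {
    if (-not $Path) { return $false }
    if ($Path -like "$env:windir\System32\*" -or $Path -like "$env:windir\SysWOW64\*") { return $false }
    return ($Path -like "$env:windir\*") -or ($Path -like "$env:APPDATA\*") -or
           ($Path -like "$env:LOCALAPPDATA\*") -or ($Path -like '*\Temp\*')
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = $item.GetValue($name)
            [pscustomobject]@{ Source = $key; Name = $name; Command = $cmd; Image = Get-ImageFromCommand $cmd }
        }
    }
    # Services: PathName is the command the SCM runs (svchost-hosted ones resolve to svchost.exe)
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName; Image = Get-ImageFromCommand $_.PathName }
    }
    # Scheduled tasks: one row per Exec action
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source  = "Task $($task.TaskPath)"; Name = $task.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)".Trim()
                                   Image   = Get-ImageFromCommand $a.Execute }
            }
        }
    }
}

function Get-SuspiciousAutostarts {
    Get-AutostartEntries | ForEach-Object {
        $img    = $_.Image
        $exists = [bool]($img -and (Test-Path -LiteralPath $img))
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $img -ErrorAction SilentlyContinue } else { $null }
        $_ | Add-Member -NotePropertyName Exists      -NotePropertyValue $exists -PassThru |
             Add-Member -NotePropertyName Signature   -NotePropertyValue $(if ($sig) { $sig.Status } else { 'n/a' }) -PassThru |
             Add-Member -NotePropertyName OddLocation -NotePropertyValue (Test-OddLocation $img) -PassThru
    } | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' -or $_.OddLocation }
}

Get-SuspiciousAutostarts | Format-Table Source, Name, Image, Exists, Signature, OddLocation -AutoSize -Wrap
```

An entry whose image does not exist (`Exists` false) is exactly the "deleted the file, it came back" situation described earlier: the autostart survives the file deletion and a launcher recreates the binary. Remove the entry and the parent binary together, reboot, and rerun the script; it should come back empty, which is a more reliable test than watching the CPU graph.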