rambling 04.04.20 01:26 am

The DoublePulsar virus (backdoor) and the miner (WINSec.exe/msiexev.exe)

The first important thing I found out after a detailed study of the problem: the miner is just a symptom. It gets onto the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the hacking utilities used by the United States National Security Agency leaked onto the network. These utilities immediately ended up in the hands of all and sundry, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything at all can show up on the computer through the backdoor, so I'm waiting for further developments.
In my case the virus survived formatting the hard disk, deleting the hard disk partitions, reflashing the BIOS and the router, formatting the Windows flash drive and trying to install Windows from a different image, all to no avail. Two weeks later, still no one has found the source of this backdoor on the computer. So if you have the miner described in this thread, more than likely a backdoor appeared first, through which this miner is downloaded.

At the moment there is only one solution: urgently update Windows with the latest updates and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was removed in a recent update. It knocks on the backdoor via port 445.

And please note: the latest version of the miner marks its downloaded files as system files. So to see them, don't forget to enable viewing of system files in Folder Options.

Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
The Russian version is there too, but I gave all the important info above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is not yet known whether this is spreading through the ISPs' servers (initially server-side) or simply roaming the network in search of victims.

----------------------------

The situation: if I leave the computer for, say, 10 minutes, the CPU load (Core i5 3570 @ 4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer the load magically drops to zero (the miner notices and stops?).

The computer spontaneously rebooted when I was away for about 30 minutes. It's definitely not overheating, even when the load is at 90% (the temperature rises to 65, which is very far from actual overheating).

And I just noticed that an open (minimized) Task Manager suddenly shut down on its own.

--------------

The bottom line: yes, by all indications I think it's a very smart-ass miner. But here's the problem: I formatted just yesterday. The problem was there both before and after. And I haven't installed any software, games or updates for a month. Nothing new was downloaded. So how it got in is unclear.

Any suggestions on catching this miracle?

UPDATE:
Now I've found this:

C:\Windows\Security\WINSec.exe

Eating 70-75% of the CPU. Never seen it before in my life. I'll Google it now. But I suspect that's where the trouble is.

UPDATE 2:
VirusTotal scan of the file:

https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/

PS If anyone can find clear info on this thing, I'd appreciate it. Google only has some vague bits and pieces.
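An added example (not from the original post or any commenter) that turns the advice above into a check: list executables under the directory named in the post that carry the System attribute (the ones Explorer hides by default), hash them and compare against the SHA-256 in the VirusTotal link. The directory, the file extensions and the hash come from the post; the triage approach itself is my assumption. A stock C:\Windows\Security holds templates, logs and the secedit database, not executables, so anything this returns deserves a look. It is written for PowerShell 2.0 (stock Windows 7), hence .NET SHA256 instead of Get-FileHash.

```powershell
# Added triage example, not from the original thread.
# Lists executables with the System attribute under the directory the post names,
# hashes them with SHA-256 and flags the hash from the post's VirusTotal link.
# Written for PowerShell 2.0 (stock Windows 7), so no Get-FileHash.

# SHA-256 taken from the VirusTotal URL in the post (the WINSec.exe sample).
$KnownBadSha256 = '450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f'

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

function Get-HiddenSystemExecutables {
    # Directory from the post; -Force makes Get-ChildItem return Hidden/System files
    # that the default Explorer view hides.
    param([string]$Path = 'C:\Windows\Security')
    Get-ChildItem -Path $Path -Recurse -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::System) -ne 0 } |
        ForEach-Object {
            $hash = Get-FileSha256 -Path $_.FullName
            New-Object PSObject -Property @{
                Path       = $_.FullName
                Attributes = $_.Attributes
                SHA256     = $hash
                # Legitimate Windows binaries are Authenticode-signed; the miner most likely is not.
                Signature  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                KnownBad   = ($hash -eq $KnownBadSha256)
            }
        }
}

# Usage: run from an elevated prompt, then look at anything unsigned or flagged KnownBad.
Get-HiddenSystemExecutables | Format-Table Path, Attributes, Signature, KnownBad -AutoSize
```

A hash match confirms the exact sample from the post; a different hash for an unsigned System-attributed executable in that directory is still worth submitting to VirusTotal, since a miner that is re-downloaded through the backdoor may not be byte-identical.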
236 Comments
Evermus 04.04.20

kvanch
https://www.comss.ru/page.php?id=907 free version
https://www.comss.ru/page.php?id=1334 and this is the paid one, you can look for it on the tracker

oscarbin 04.04.20

kvanch
Damn, are you kidding me? How is updating not an option, when it is the option? Right here, one post above, it's written what to do. Hide update KB971033 and everything will update without losing activation, whether it's pirated or legit.

kvanch 04.04.20

oscarbin
For me the main task is simply to close the hole so that no more crap arrives without my permission. And I think I've successfully solved this problem by simply disabling this problem service (it's not clear what it's intended for; it's believed the Borg did it specifically for the NSA). And what they were paid for it, only they know. For several years I've been setting up my OS for myself, and if after these updates everything goes to hell... In short, I don't need the extra crap.

kvanch 04.04.20

Evermus
OK, thanks.
Couldn't find the premium version on torrents; downloaded the free one from the site.
I hope it's just there without viruses?

XZZ82 04.04.20

After updating, Win 7 (64) stopped starting. The built-in diagnostics solved the problem, I think by rolling back. What to do? How do pirates update, is it possible?) And what about activation, does it fly off after a while?

- Rick Sk1mmer - 04.04.20

kvanch
The free version at the link is a regular monitor; it catches keyloggers and encryptors, but since 2016 it's not supported by the developers. I use the firewall of the same name, like the screenshot on the official site https://www.spyshelter.com, but I'm just on a cracked key.

rambling 04.04.20

There's a lot here about the problem of updating pirated copies.

I can give everyone who needs it a patched Windows 7 install.wim with all updates up to the latest (end of April 2017) installed. Pirated or licensed doesn't matter.

It's completely legal. No cracks or activators, just a patched native Windows 7 SP1 Ultimate (x86/x64) image, updated through April 2017.

Only one catch. My Windows is English, because I did it for myself. If English Windows isn't a problem for you, knock. I'll give out a completely ready and patched one. Torrent or whatever is convenient for you. I repeat, this is legal. No activators or keys.

This solution is, of course, only for the most extravagant personalities. :) But you never know who's out there. Personally, after the NSA utilities leak I chose to fully patch my Windows image. DoublePulsar was only one of the leaked backdoors. There will likely be more. Rather than grabbing my ass over ports and panicking over updates, I patched my Windows once. The best solution, IMHO.

WOR4UN 04.04.20

http://forum.oszone.net/thread-257198-494.html updated without problems.

rambling 04.04.20

ziborov.s

It's exactly with this UpdatePack that my Windows 7 SP1 Ultimate (x86/x64) is fully patched. That's what I'm offering: an image where everything is ready. And then whether you bother with activators is your business.

kvanch 04.04.20

- Rick Sk1mmer -
Throw the key in a PM if it's not a problem, I'd be very grateful.

kvanch 04.04.20

ziborov.s
Downloaded it; what do I do next with this pack, how do I update so that activation doesn't fly off?

WOR4UN 04.04.20

kvanch
http://spaces.ru/files/view/?Li=466711498258&Lii=5581256805&Link_id=202787&Lt=8&Sn=1&from=search&Read=55812568&name=DusiaS

kvanch 04.04.20

ziborov.s
Thanks for the link to SpyShelter, I hope there's no catch.
Please tell me again how to install this pack with the updates so that activation doesn't fly off.

rambling 04.04.20

kvanch

Activation won't fly off. The updates that kill activation are excluded from the pack.
And I repeat, it's better to patch a Windows image, so that after each install you don't sit for an hour without internet staring at the ceiling until the updates are installed.

Evermus 04.04.20

https://intel.malwaretech.com/WannaCrypt.html
An interactive map showing in which countries people are getting burned by the encryptor)
36 computers a minute got hit, that's 2160 an hour and 52 thousand computers in 24 hours, severe.

kvanch 04.04.20

rambling
So I just run this pack? No need to change anything in it?
I do the installation a bit differently.
I install and configure everything as I need, then take a full image of the system drive with Norton Ghost, and later just boot from a USB drive, run Ghost, and it literally restores (overwrites) the drive sector by sector from that image. 5 minutes and you're done. Serious time savings on formatting and settings. But for this, of course, everything has to be put in order initially.

GuyverDark 04.04.20

TRY SpyHunter: adaptive spyware detection and removal. Provides continuous protection from the latest malware, Trojans and rogue antivirus. The system includes Compact OS to securely delete rootkits. I cleaned my computer of annoying ads and the self-installed crap from Yandex browser, etc.

- Rick Sk1mmer - 04.04.20

In short, I read about this stuff on the net, and all of it is clear.
Algorithm:
1. The hacker runs a scanner program that scans a range of IP addresses. Say one of them turns out to be your IP.
2. It checks whether port 445 on your machine is open or not (they say port 139 needs to be closed too):
a) if closed, the virus passes by
b) if open, go to step 3
3. Windows has a standard SMB service which listens on port 445. This service is a hole in all Windows OSes.
In fact, through this hole (which is called ETERNALBLUE) the DOUBLEPULSAR exploit is loaded onto your computer, which in turn downloads the encryptor.

What to do? Solution:
- install the MS17-010 update https://technet.microsoft.com/en-us/library/security/ms17-010.aspx; in it MS closed the hole
- close port 445 (you can cut it off through the registry, but it's much easier and faster to hide it with the corresponding rule in the firewall/antivirus)

BUT that's not all:
4. Even if you installed the update and hid the port, you're still susceptible to the Trojan. The DOUBLEPULSAR exploit can get onto your computer in the most obvious way: from the internet or from another computer. Once it's on your computer, it still downloads the encryptor and starts doing its business.
The point is that the ETERNALBLUE vulnerability and DOUBLEPULSAR work together; if not from the net, then the exploit gets onto the machine via the vulnerability and downloads the main body of the virus.

What to do? Solution:
- install protection against encryptors. Even if you have DoublePulsar on your computer, each time the downloaded encryptor tries to run, the utility will cut it down.
But this doesn't rid your system of the exploit. However, all network activity can be monitored to identify the malware executable and then remove it.

Useful:
- install an antivirus
- back up your data

kvanch 04.04.20

- Rick Sk1mmer wrote: Windows has a standard SMB service
It would be nice to answer the question: what does the ordinary Win7 user actually need this service for, and what's bad about shutting it down completely?

It's also interesting to see how to close port 445 through the registry.

- Rick Sk1mmer - 04.04.20

kvanch
why does the ordinary win7 user need this service and what's bad about shutting it down completely?
Well, you lose shared access to your files and folders from other computers on your local network (if any)
Oh well, if you're the only one using your box, you can safely disable it (via the registry):
//
HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters
create the parameter SMBDeviceEnabled (REG_DWORD type)
values: 1 (enabled) 0 (disabled - default)
//

It's also interesting to see how to close port 445 through the registry
On Win8 and higher it's two lines at the command prompt; on Win7 I tried this http://netler.ru/ikt/445.htm
Whether it worked or not I couldn't tell, in the end I just hid them via the firewall. But don't forget to also hide port 139.
In general, on anything below 8, when hiding port 445 in the registry some crap happens: in one place it shows as closed, and when you check the port for accessibility it shows as open. Dunno.

Oh yes, there's the program Windows Worms Doors Cleaner, with which you can easily hide some of the popular ports, but I think it's for XP, it didn't work for me anyway.
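As an added example (not posted by anyone in the thread), here are the steps the comments recommend, collected into one script: check whether MS17-010 is installed, block 139/445 inbound in the Windows Firewall, disable direct-hosted SMB over 445 (the NetBT value quoted in the comment above) together with the SMBv1 server, and show what is still listening. The registry key and value quoted in the comment come from the thread; KB4012212/KB4012215 (the March 2017 MS17-010 security-only update and monthly rollup for Windows 7 SP1 / Server 2008 R2) and the LanmanServer `SMB1` value (Microsoft KB2696547) are from Microsoft's documentation, not from the thread. Later monthly rollups contain the same fix under other KB numbers, so the absence of those two IDs alone is not proof the hole is open. The `netsh` fallback exists because `New-NetFirewallRule` and `Get-NetTCPConnection` are not available on Windows 7.

```powershell
# Added hardening/check example for Windows 7, not from the original thread.
# Run from an elevated PowerShell. Blocking 445/139 also kills file and printer sharing
# for this host, as the comments above note.

# MS17-010 packages for Windows 7 SP1 / Server 2008 R2 (March 2017): security-only and monthly rollup.
# Later monthly rollups (April 2017 onward) include the fix but carry other KB numbers.
$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Installed {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    if ($found) {
        Write-Host "MS17-010 package present: $($found -join ', ')"
        return $true
    }
    Write-Warning 'Neither March 2017 MS17-010 package found; check for a later cumulative rollup before assuming the host is unpatched.'
    return $false
}

function Disable-Smb1AndDirectSmb {
    # KB2696547: SMB1 = 0 under LanmanServer\Parameters turns off the SMBv1 server component.
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $srv -Name 'SMB1' -Value 0 -Type DWord
    # The value quoted in the comment above: SMBDeviceEnabled = 0 under NetBT\Parameters stops
    # direct-hosted SMB over TCP 445. NetBIOS session service on 139 is separate; the firewall rule covers it.
    $nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    Set-ItemProperty -Path $nbt -Name 'SMBDeviceEnabled' -Value 0 -Type DWord
    Write-Host 'Registry updated; both values take effect after a reboot.'
}

function Block-InboundSmb {
    # Inbound block for the two ports named in the thread. New-NetFirewallRule needs Windows 8/2012 or later;
    # on Windows 7 fall back to netsh, which creates the same Windows Firewall rule.
    $name = 'Block inbound SMB TCP 139 and 445'
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    } else {
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=139,445 | Out-Null
    }
}

function Get-SmbListeners {
    # Portable to Windows 7 (no Get-NetTCPConnection): parse netstat for listeners on 139/445.
    netstat -ano -p TCP | Select-String -Pattern '^\s*TCP\s+\S+:(139|445)\s+\S+\s+LISTENING'
}

Test-Ms17010Installed
Disable-Smb1AndDirectSmb
Block-InboundSmb
Get-SmbListeners   # still shows LISTENING until the reboot; the firewall rule already drops inbound connections
```

This matches the behaviour the comment describes: after the registry change the port still looks open in netstat until a reboot, while the firewall rule takes effect immediately, which is why checking from another machine and checking locally can disagree. Patching with MS17-010 is the actual fix; the firewall and registry steps only reduce exposure while the host is being updated.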