The virus (backdoor) DoublePulsar and miner (WINSec.exe/msiexev.exe)
The first important thing I found out after studying the problem in detail: the miner is just a symptom. It gets onto the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the United States National Security Agency leaked. These utilities immediately got into the hands of all and sundry, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything can arrive on the computer through the backdoor, so I am waiting for further developments. My virus survived formatting the hard disk, deleting the hard disk partitions, re-flashing the BIOS and the router, formatting the Windows flash drive and trying to install Windows from another image; all to no avail. Two weeks later, still nobody has found where this backdoor in the computer comes from. So if you have the miner described in this topic, more than likely a backdoor has appeared through which this miner is downloaded.
At the moment there is only one solution: urgently update Windows with the latest updates and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was removed in a recent update. The backdoor knocks in via port 445.
And please note: the latest version of the miner downloads its files marked as system files. So to see them, don't forget to enable viewing of system files in Folder Options.
Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is also a Russian version, but I gave all the important info above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is not yet known whether this is spreading from the system servers of Internet service providers (initially a server), or simply roaming the network in search of victims.
----------------------------
The situation is this: if I leave the computer for, let's say, 10 minutes, the CPU load (Core i5 3570 @ 4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).
The computer spontaneously rebooted when I was away from it for about 30 minutes. There is definitely no overheating. Even when the load is at 90% the temperature rises to 65, but that is still very far from actual overheating.
And I just noticed that the open (minimized) Task Manager suddenly closed by itself.
--------------
The bottom line: yes, by all indications I think it is a very smart-ass miner. But here's the problem: I formatted just yesterday. The problem was there before that and after. And I haven't installed any software, games or updates in a month. And I downloaded nothing new. So how it could have got in is unclear.
Have any suggestions on catching this miracle?
UPDATE:
Now I have found this:
C:\Windows\Security\WINSec.exe
Eating 70-75% of the CPU. I have never seen it before in my life. I will Google it now. But I suspect that is where the trouble lies.
UPDATE 2:
VirusTotal scan of the file:
https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/
PS If anyone can find clear info on this thing, I'd appreciate it. In Google there are only some vague bits and pieces.
kvanch
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Well, the question is: did you install the specific patch that closes this hole? Or do you distrust official Microsoft so much that you aren't even ready to install their own patches?
ThChrgdCrpr
like an Alcoholics Anonymous circle, isn't it? =)
people there also come together to solve a problem, share successes with each other and eventually get cured)
Evermus
Hell knows what this looks like, but the fact that I read the whole topic is a fact :).
A question slightly off topic: I read the whole topic and decided maybe someone knows what it is. Recently my Internet has started dropping out for 1-2 seconds, which is sometimes very annoying (in a game). I tried reinstalling drivers, resetting the router and reinstalling Windows, and checked for viruses; in the end nothing helped. Does anyone know what it could be?
0Bers0
As I already said, when the laptop is connected via Wi-Fi this does not happen. And I'm now hooked up to the Internet without the router and will watch until the evening. If there are no dropouts, then I'll have to change the router)
oscarbin
oscarbin wrote: Well, the question is: did you install the specific patch that closes this hole?
Tried; the update installer complains: encountered an error, the specified service cannot be started because it is disabled or unavailable... blah blah blah...
Something somewhere is disabled in the registry or the scheduler; I have neither the time nor the inclination to find out what the problem is now.
I just turned off SMBv1, as found here, and that suits me (I have never had a local network on my computer).
oscarbin wrote: Or do you distrust official Microsoft so much that you aren't even ready to install their own patches?
And how can they generally be trusted, given that they made this hole and it is believed it was no accident..
Who knows what else they made for their own government and the NSA )
Yesterday the miner reappeared, loading the process msiexev.exe, as indicated in the first message of the topic.
The path shown is the Fonts folder with the fonts, but there's nothing there. In the user's folder I found NTUSER.DAT set up as of yesterday.
In the folder C:\Windows\Temp there is also a text document from the same miner; here it is removed via safe mode but safely restored at startup in normal mode.
Formally I solved the problem by just suspending the processes using Process Explorer, because if you kill them they are immediately restored.
As for the executable, I'll keep thinking about it. At least now it isn't loading the CPU.
Funny wrote: The path shown is the Fonts folder with the fonts, but there's nothing there.
The files are hidden from Windows Explorer. Try Total Commander or another non-native file manager, or better, run the system through HitmanPro.
I also had WinSec first, then msiexev.
I solved the problem for myself like this:
- Installed all Win7 updates; luckily the activation is adequate. (blocked the pulsar)
- Closed port 445 and removed all entries associated with it from the security policy (blocked the parasites from jumping in)
- Ran the system through HitmanPro (caught the miner and its tails)
- In the registry, deleted a section relating to prefetch (stopped it creating folders in the boot loader for Windows)
I suspect that tails still remain, but I have neither the strength nor the desire to search for them. Nor to reinstall the system.
As a result: 48 hours in trial mode, all clean.
PS I registered solely to express my gratitude to Mr. rambling; without his information and reflections the matter would most likely have ended for me in reinstalling the system.
Where did you pick this shit up? For me everything is clear. In idle the CPU load is 1-3%; I monitored the system all day out of interest. Everything is clean.
In general, miners and other viral stuff are caught very well by the HitmanPro app*
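The remediation steps given in the first post and in the list above (install MS17-010, close port 445, disable SMBv1, look for the hidden miner files) as an added PowerShell checklist. This is example code written for this page, not from the thread or any project; it assumes Windows 7-era tooling (netsh rather than the NetSecurity cmdlets) and uses the public MS17-010 KB numbers for Windows 7 SP1, which are not on the page.

```powershell
# Added example: triage + hardening checklist for the DoublePulsar/miner case in this thread.
# Run from an elevated PowerShell. Without -Harden it only reports; with -Harden it blocks
# inbound TCP 445 in Windows Firewall and disables the SMBv1 server.
param([switch]$Harden)

# Assumption: MS17-010 KBs for Windows 7 SP1 (security-only / monthly rollup, March 2017).
# Later rollups supersede them, so absence is not proof; compare the srv.sys version
# with the MS17-010 bulletin linked in the thread when in doubt.
$ms17010Kbs = @('KB4012212', 'KB4012215')
$installed  = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) { 'MS17-010 present: ' + (($installed | ForEach-Object { $_.HotFixID }) -join ', ') }
else            { 'MS17-010 NOT found by KB; check srv.sys version below and install it first' }
'srv.sys version: ' + (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo.FileVersion

# Anything listening on or connected to TCP 445 (the port the backdoor is reached through)?
'TCP 445 sockets:'
netstat -ano | Select-String ':445\s'

# SMBv1 server state: value missing or 1 = enabled, 0 = disabled
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1   = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).SMB1
'SMBv1 server: ' + $(if ($smb1 -eq 0) { 'disabled' } else { 'ENABLED' })

# The file names the posters reported. -Force includes hidden/system files that Explorer
# hides by default, which is why the Fonts folder looked empty to one poster.
'Suspect files under the Windows folder:'
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Include 'WINSec.exe', 'msiexev.exe' `
    -ErrorAction SilentlyContinue | Select-Object FullName, Length, LastWriteTime
'Suspect processes:'
Get-Process -Name WINSec, msiexev -ErrorAction SilentlyContinue | Select-Object Name, Id, Path

if ($Harden) {
    # Block inbound SMB; netsh works on Windows 7, where New-NetFirewallRule is unavailable
    netsh advfirewall firewall add rule name="Block inbound SMB 445" dir=in action=block protocol=TCP localport=445
    # Disable the SMBv1 server; takes effect after a reboot (or restarting the Server service)
    Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord
    'Applied: inbound 445 blocked, SMBv1 server disabled (reboot to apply)'
}
```

Blocking 445 on the host firewall stops fresh ETERNALBLUE attempts from reaching the machine, but it does not remove an implant already running; the file and process checks above are for that, followed by a scan with the tools the posters mention.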
MikuHadsune
some from a repack, some from a website, and for some this stuff comes by itself by knocking on the port. The virus is very common. It's enough just to read the topic to understand.
MikuHadsune
It finds you itself; it's enough to have Windows without the patch, a white (public) IP and port 445 open to the Internet. And if there is already an infected machine in the local network, Windows without updates alone is enough.
MikuHadsune
As the user above wrote, it found us itself. You don't need to go anywhere for it.
I was just sitting in Overwatch playing, nothing else was open, only the game; the browser was closed and all sorts of programs too.
Suddenly the game started lagging wildly, I barely got out... And then I noticed that the CPU was loaded at 100%.
Closed port 445 just in case. And generally it is strange. Interestingly, does this virus only walk around the CIS? I just haven't heard anything about this virus.
MikuHadsune
Closed port 445 just in case
Now the main thing is that you don't catch an exploit from the Internet. Because many neglect this point, believing that ordinary Trojans are nonsense. But the ransomware in the current backdoor encrypts with a persistent 2048-bit RSA key, and at the moment there is no method of decrypting it, so if you have really important documents and files that must not be lost, better move them off the machine in any case.
does this virus only walk around the CIS?
The link to an interactive map of the spread of the virus was already given above.