rambling 04.04.20 01:26 am

The virus (backdoor) DoublePulsar and miner (WINSec.exe/msiexev.exe)

First, the important information I found out after a detailed study of the problem. The miner is just a symptom. It gets into a computer through a backdoor, DOUBLEPULSAR. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the National Security Agency of the United States were leaked. These utilities immediately got into the hands of all and sundry, and by the 15th of April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner which will be discussed in this thread uses this backdoor. But anything can appear on the computer through the backdoor, so I am waiting for further developments.
My virus survived formatting the hard disk, removing the hard disk partitions, re-flashing the BIOS and the router, formatting the flash drive with Windows, and trying to install Windows from another image: all to no avail. Still, 2 weeks later, no one has found the source of this backdoor's appearance on the computer. So if you have the miner described in this thread, more than likely a backdoor appeared through which this miner is downloaded.

At the moment there is only one solution: urgently update Windows with the latest updates, and close port 445. Microsoft wrote that in a recent update the ETERNALBLUE exploit used by this backdoor was removed. The backdoor is knocking via port 445.

And please note: the latest version of the miner downloads files marked as system. So to see them, don't forget to enable viewing of system files in Folder Options.

Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is a Russian version there, but I gave all the important info above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For now it is not known whether this walks through (initially server) systems of Internet service providers, or simply roams the network in search of victims.

----------------------------

The situation is this: if I leave the computer for, let's say, 10 minutes, the CPU load (Core i5 3570 @4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer the load magically drops to zero (the miner notices and stops?).

The computer spontaneously rebooted when I was away from it for about 30 minutes. There is no overheating, for sure. Even when the load is around 90% the temperature rises to 65, but that is very far from actual overheating.

And I just noticed that the open (minimized) Task Manager suddenly shut down spontaneously.

--------------

The bottom line: yes, by all indications I think it is a very smart-ass miner. But here's the problem: I formatted only yesterday. The problem was there both before and after that. And I haven't installed any software, games, or updates for a month. And nothing new was downloaded. So how it could have got in is unclear.

Does anyone have any suggestions on catching this miracle?

UPDATE:
Now I found this:

C:\Windows\Security\WINSec.exe

It eats 70-75% of the CPU. I have never seen it in my life. I will Google it now. But I suspect that's where the "happiness" lies.

UPDATE 2:
VirusTotal scan of the file:

https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/

PS: If anyone can find clear info on this thing, I'd appreciate it. In Google there are only some vague bits and pieces.
236 Comments
MikuHadsune 04.04.20

- Rick Sk1mmer -
I have 2 antiviruses installed: Kaspersky and NOD. Plus every week I scan the system with HitmanPro. I do not like it when the system is fouled with all sorts of things.
Thanks for the tip. I will be careful.

- Rick Sk1mmer - 04.04.20

MikuHadsune
I have 2 antiviruses installed: Kaspersky and NOD
If you have Uncle Zhenya's product, NOD can safely be removed: Kaspersky is self-sufficient, and NOD32 only duplicates the same functions, eats more resources and slows things down. In general, a zoo of two antiviruses is not the best idea (especially if there is already Kaspersky, Dr.Web or another similar suite), but all sorts of utilities like the HitmanPro you already mentioned, Malwarebytes and others are very good for additional checks.

oscarbin 04.04.20

kvanch
Well, it's one thing when only the NSA uses the holes (yes, good health to them) and another thing when all and sundry use them, and everyone wants not only to see what I have on the system, but also to encrypt it for ransom or start mining. :)

No More Lies 04.04.20

Hi all. In general, the situation is this: in the list of installed updates I don't have KB971033 (validation), but it is in the update history list (I downloaded all the updates but haven't tried yet). What should I do, where is the app's download folder, and how (and whether) can it be removed correctly? Or will KB971033 still have to be installed and then hidden?

Evermus 04.04.20

https://www.comss.ru/page.php?id=4038
and it looks like our friend the miner) and then some encryptor got in as well, although the miner was the first to start getting in through the backdoor

kvanch 04.04.20

Something I don't understand: all these bitcoins are sort of banned in Russia (and not only), aren't they? So how are people supposed to buy and transfer them? Is it bad, or banned?

kvanch 04.04.20

The researchers recommended installing the latest patches from Microsoft on the machine, or disabling the SMB service if you are not able to update.
That's exactly what I did. I just disabled that service and nothing came flying in.

Blackmeser 04.04.20

Close port 445 for incoming connections through the Windows firewall and rejoice.
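The three mitigations given in this thread (update Windows, close port 445 in the Windows firewall, disable the SMB service), put together as one script. This is an added example, not code from any poster. It assumes PowerShell 5.1 run as Administrator; the `New-NetFirewallRule` and `Set-SmbServerConfiguration` cmdlets exist on Windows 8.1 / Server 2012 R2 and later, and the `netsh` and registry fallbacks cover Windows 7 / Server 2008 R2. The rule name is a made-up label.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): close inbound TCP 445, turn off the SMBv1
# server that ETERNALBLUE targets, and list updates installed since the fix shipped.

$ruleName = 'Block inbound SMB TCP 445 (DoublePulsar/ETERNALBLUE mitigation)'  # arbitrary label

# 1. Firewall: block inbound TCP 445 on every profile. Idempotent.
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
} else {
    # Windows 7: the legacy firewall CLI
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
}

# 2. SMBv1: switch the server side off. The exploit works against SMBv1, so this
#    removes the attack surface even on a host that cannot be patched right away.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm:$false
    # Where the optional feature exists, remove the SMB1 binaries as well.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
} else {
    # Windows 7: Microsoft's documented registry switch for the SMB1 server (reboot required)
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0
}

# 3. Patch check: MS17-010, the update that fixes the SMB bug ETERNALBLUE uses,
#    shipped on 14 March 2017. The KB number differs per Windows version, so this
#    lists everything installed since then for you to compare against the bulletin.
$since = [datetime]'2017-03-14'
Get-HotFix | Where-Object { $_.InstalledOn -ge $since } |
    Sort-Object InstalledOn | Select-Object HotFixID, Description, InstalledOn

# 4. Verify the result. Note that the System process keeps listening on 445 even
#    with the rule in place; what matters is that the block rule exists and SMB1 is off.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Direction, Action
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
}
```

Two caveats from the thread itself: a host firewall rule stops outside machines reaching 445 but does nothing about a backdoor that is already installed, and a freshly reinstalled Windows that goes online before the update is applied is exposed again immediately, which is consistent with the reinfections reported after formatting. Patch first, then connect.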

oscarbin 04.04.20

No More Lies
Well, in any case, remove the updates via Programs and Features like a normal program. If it has already been downloaded but not installed and not hidden, it may need to be removed by hand (via remove programs) after installation, and then activate Windows again if activation is lost.

VITYA_KOLYADENKO 04.04.20

If no one has posted it yet:
https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FWinsec

Cmeshnoy 04.04.20

In general, guys, the miner seems to keep working. It loaded up on me even with port 445 closed, although for 2 weeks everything was fine; now they have a new way to download it, I guess. It came the same way as before (I was just playing Overwatch). Absolutely everything except the game was closed.
Or maybe the port somehow got reopened and this infection is loaded through it again, I don't know what to think.

X-Prime 04.04.20

I turned on the computer today, sat at it for 10 minutes, then I hear a whistle.... looked, and the video card's frequency had jumped to the max O_o I first panicked and reduced the frequencies to the minimum through the MSI Afterburner program and the whistling stopped, then immediately climbed into Task Manager -> Details
And stumbled upon the process wabmig.... opened its location (\user\AppData\Roaming\Raptr\Windows Mail). Then I quickly ended the process and the video card immediately came back to order. Now can anyone explain what this wabmig is and where it came from?!

DarkWolf1660 04.04.20

We need to manage to catch this garbage on the computer!

djdallas 04.04.20

useful info

Marioria 04.04.20

Hmm.. same problem, some miners have got onto the PC
it was Windows 7, a critical Windows error or something like that kept popping up.. decided to reinstall Windows
seemingly clean Windows, no hint of the virus, but a day later the PC began to lag and slow down, with blue screens constantly popping up
as if there is some sort of load on the computer, even though nothing is really running except games
now found that this crap is something like DoublePulsar and EternalBlue
downloaded Malwarebytes, scanned the PC, and it found some Trojans and miners
what those things are I don't know, and how to fight them I don't know
and in summer I caught the WannaCry virus; after that I changed Windows 4 times, then with great difficulty downloaded some Kaspersky antivirus and things got better. but here again trouble came unexpectedly from around the corner

ann2008 04.04.20

Found the virus miner Hostxmrig.exe in Task Manager. It loaded the CPU to 100 percent.
Location: the \Windows\system32 folder. In installed programs the program indus.exe appeared (location: \ProgramData); in its folder was DoublePulsar.exe and also, it seems, a self-extracting archive setup.exe. (You can sort by Date modified and see all the files that appeared in the system32 folder and ProgramData)
DrWeb CureIt finds it; delete manually. In the manager, disable all svchost.exe, since otherwise it does not allow you to remove it. My suspicions are on torrent and acestream...
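The checks people in this thread did by hand (enable system files and look in \Windows\Security, sort system32 and ProgramData by Date modified, find the process eating the CPU, hash it for VirusTotal), as one read-only triage script. This is an added example, not code from any poster. It assumes PowerShell 5.1 run as Administrator so other users' process paths are readable; the directory list and the 14-day look-back window are illustrative choices, and `Get-SuspectExecutables` / `Get-TopCpuProcesses` are names made up here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): gather indicators, delete nothing.

$recentDays = 14   # look-back window for "recently written" files (arbitrary)

# Directories named in the thread; $env:APPDATA is the current user's Roaming folder.
# System32 and ProgramData are noisy after a Windows Update, so read the output critically.
$suspectDirs = @(
    "$env:SystemRoot\Security",
    "$env:SystemRoot\System32",
    "$env:ProgramData",
    "$env:APPDATA\Raptr"
)

function Get-SuspectExecutables {
    param([string[]]$Dirs, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    $Dirs | Where-Object { Test-Path $_ } | ForEach-Object {
        # -Force returns hidden and system files, which Explorer hides by default
        # (the OP notes the newer miner marks its files as system).
        Get-ChildItem -Path $_ -Force -Recurse -Depth 2 -Include *.exe, *.dll -ErrorAction SilentlyContinue
    } | Where-Object {
        $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $system = ($_.Attributes -band [IO.FileAttributes]::System) -ne 0
        $recent = $_.LastWriteTime -ge $cutoff
        $hidden -or $system -or $recent
    } | ForEach-Object {
        [PSCustomObject]@{
            Path          = $_.FullName
            Attributes    = $_.Attributes
            LastWriteTime = $_.LastWriteTime
            # SHA-256 is what VirusTotal keys its reports on (the OP's link is one).
            SHA256        = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
        }
    }
}

function Get-TopCpuProcesses {
    param([int]$Top = 10)
    # Accumulated CPU seconds survive the behaviour the OP describes (load drops
    # to zero the moment Task Manager opens); a live percentage sample does not.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ne 0 -and $null -ne $_.CPU } |
        Sort-Object CPU -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $path = $_.Path
            $note = 'REVIEW: image path unreadable'
            if ($path) {
                # A Windows path proves nothing (WINSec.exe sat under \Windows\Security),
                # so check the Authenticode signature instead. Unsigned is not proof of
                # malice either, only a reason to look closer.
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                $note = if ($sig -and $sig.Status -eq 'Valid') { '' } else { 'REVIEW: unsigned or invalid signature' }
            }
            [PSCustomObject]@{
                Name       = $_.ProcessName
                Id         = $_.Id
                CpuSeconds = [math]::Round($_.CPU, 1)
                Path       = $path
                Note       = $note
            }
        }
}

Write-Host '== Hidden/system or recently written executables =='
Get-SuspectExecutables -Dirs $suspectDirs -Days $recentDays | Format-Table -AutoSize -Wrap

Write-Host '== Processes by accumulated CPU time =='
Get-TopCpuProcesses -Top 10 | Format-Table -AutoSize -Wrap
```

Run it before killing anything: once a process is ended its accumulated CPU time is gone, and the file hashes are what let you compare a suspect against a VirusTotal report or a known-good copy from another machine.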