The DoublePulsar backdoor and the miner (WINSec.exe / msiexev.exe)
The first important thing I found out after studying the problem in detail: the miner is just a symptom. It gets onto the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the US National Security Agency were leaked. These utilities immediately got into everybody's hands, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything at all can arrive on the computer through the backdoor, so I am waiting for further developments.
In my case the virus survived formatting the hard disk, deleting the hard disk partitions, re-flashing the BIOS and the router, formatting the USB flash drive with Windows on it, and trying to install Windows from another image; all to no avail. Two weeks later, nobody has found the source of this backdoor on the computer. So if you have the miner described in this thread, it most likely came in through a backdoor, through which the miner is downloaded.
The only solution at the moment: urgently install the latest Windows updates and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was fixed in a recent update. The backdoor knocks on port 445.
And please note: the latest version of the miner downloads files marked as system files. So to see them, don't forget to enable viewing of system files in Folder Options.
Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
It is in Russian there, but I gave all the important info above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you have the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
So far it is not known whether this is walking through the servers of Internet service providers (it was originally a server thing), or simply roaming the network in search of victims.
----------------------------
The situation is this: if I leave the computer for, say, 10 minutes, the CPU load (Core i5 3570 @ 4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).
The computer spontaneously rebooted when I was away from it for about 30 minutes. There is definitely no overheating, even when the load is at 90% (the temperature rises to 65, but that is very far from actual overheating).
And I just noticed that the open (minimized) Task Manager suddenly closed by itself.
--------------
Bottom line: yes, by all indications I think it is a very smart-ass miner. But here's the problem: I formatted just yesterday. The problem appeared after that. And I have installed neither software nor games, and no updates, for a month. Nothing new was downloaded. So how it could have got in is unclear.
Any suggestions on catching this miracle?
UPDATE:
I have now found this:
C:\Windows\Security\WINSec.exe
It is eating 70-75% of the CPU. I have never seen it before in my life. I'll Google it now. But I suspect that's where the trouble is.
UPDATE 2:
VirusTotal scan of the file:
https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/
PS If anyone can find clear info on this thing, I'd appreciate it. Google only gives vague bits and pieces.
Evermus wrote:
I have the AIDA64 monitoring program; I found the hard drive and its model with it.
The model is generally sufficient. I want to see if there's some consistency in the author's actions.
Evermus wrote:
Barracuda 7200.12 1000DM003
I have a hard drive from the same range.
dihlofos2009 wrote:
I don't think this stuff manifests itself noticeably
It is not seen after removal, only after a format, when the backdoor is activated again. The problem is that if you don't cut off the backdoor, who knows what else may come through it in the future. That's why I am so interested in finding the source.
The stuff is sitting in the zero sector of the drive, and a simple format doesn't dig it out! After reinstalling the system the computer infects itself again...
Should I try a low-level format?
We should write to the NSA and tell them to send us utilities to clean up their shit; once they've dirtied it, let them shovel the shit too, to teach them.
I had something similar: I went to close MSI Afterburner, it closed, after a restart Fraps gave an error and closed, and after another restart there was a black desktop, then it really fell apart, and in short the system is kaput. Tomorrow I'll get a flash drive with Windows 10 and the April update, under warranty; and after the way your updates have been pumped into Windows 7 for 6 years, the poor thing is quite sick.
Even backups on an external hard drive will carry the backdoor and it will litter everything anyway, sad :(
Yesterday $90 million from the U.S. Department of State was transferred to my bank card; the money hasn't been withdrawn yet, but it's just weird.
Evermus wrote:
Even backups on an external hard drive will carry the backdoor and it will litter everything anyway, sad :(
I have been doing backups for a long time, and have accumulated a lot of useful information. And now I'm afraid to copy it to other media too. No idea what to do.
I don't know whether this is useful info or not: I picked up a DoublePulsar detection script on GitHub. https://github.com/countercept/doublepulsar-detection-script
Maybe you will understand it better. On Win7, only detect_doublepulsar_smb.py worked for me, when specifying the IP 127.0.0.1. It gave the message: No presence of DOUBLEPULSAR SMB implant. The other script gives the error described here:
https://github.com/countercept/doublepulsar-detection-script/issues
dihlofos2009
Throw the old stuff onto Yandex Disk, there are 10 GB there, and probably on Google Drive too). For 30 rubles on Yandex you can buy another 10 GB, for 80 rubles 100 GB and for 200 rubles 1 TB, buy it) it's cheaper than an external USB 3.0 hard drive)
After all, is this crap Windows-only? If so, then you can copy the data off the computer under Linux... Maybe this thing doesn't get in there.
Evermus
Actually, that's what I did for now. I have 260 GB of free space, which is more than enough for me for a very long time.
I'm still wondering whether the stuff is sitting somewhere in my boot sector, or whether, in contrast to the thread author, there was only a miner that got in some other way. Are there any other methods of detection, apart from wiping Windows and formatting... NOD and CureIT find nothing.
I also just got this shit. Got rid of it as mentioned above: by completely removing the Security and Prefetch folders in Windows, clearing Temp, the browser cache and the registry, along with deleting the winsxx folder (it seems that's what it was called; found it by searching for secscan). No unwanted batch files or DLLs were found. Day 3, so far so good... There's no need to format/reinstall yet. My system is on an SSD, by the way, no idea where this pulsar could register itself there. But all this rigmarole is of course very annoying now; as the thread author says, who knows what to expect next... I remember how last year I barely managed to save the important old files after I picked up the hellish crap that does "your files are encrypted", when I accidentally started the wrong file. And what stops these fuckers from screwing the same crap onto this pulsar now? Tell me guys (many probably have the same dilemma now), is it possible to close the hole without updating the entire system from the Borg? I have seven; as for going to ten, oh..
I don't deny that I am most likely wrong, because something infecting the hard drive firmware in the background is extremely unlikely. But I have cleaned literally everything else. In total surrender, I just patched my Windows image with the update closing this exploit.
A day ago my left arm became paralysed, because of which I am forced to break off with programming. So I have removed myself from business and from the virus topic. It is too difficult for me to type. Apart from some comments in blogs I will probably not appear on PG anymore. Gone are the days when I could type for pleasure.
Good luck to everyone.
Nicest
Author, just tell me, do you think this is related to your activity, or do you have some other illness?
I'm 30 and also spend a lot of time at the computer..
By chance (FINALLY!) I came across this thread on my native PG; I thought I was the only one with this, since Google only returned nonsense written on antivirus sites. At the beginning my computer also rebooted (Windows critical error). Thought lol, whatever. Then files with names like szml appeared in the Temp folder on the disk, and logs which were already mentioned. Removed them > Malwarebytes removed everything it found. A couple of days were fine. Then again after a few days. But in my case at the beginning there was a file 445.port or whatever it is, and a "sweatshirt" of some kind, and it was stupid when connecting to the net. I read here how to close port 445; the miner hadn't been cleaned before, but once the port was closed, the file stopped writing logs in Temp and is no longer hanging in the processes. Third day now, so far without incident http://avfor.ru/obsuzhdenie-antivirusov-i-faiervolov/5426-firewall-zakrytie-portov-135-i-445-vruchnuyu.html.
Yeah, I don't think this thing is really able to register itself somewhere in the firmware or the zero sector of the disk; sounds like science fiction, although from the Pentagon/NSA (or whoever) you can expect anything... Most likely this infection is just spread across multiple sites/servers, and when you go there again it is back. Perhaps after formatting and reinstalling, the author has some hardware/software that goes to the Internet for updates/settings and picks it up there afresh.
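Added example, not code from the thread or from any of the posters: a PowerShell script that covers the checks and the mitigation discussed in the first post (update, close port 445, show system files) and in the post above (closing port 445 via the firewall). It looks for the hidden/system files named in the thread, lists what is listening on TCP 445 and which process owns it, reports whether the SMBv1 server is enabled, checks for the MS17-010 updates, and then blocks inbound 445 with the built-in firewall and disables SMBv1. netsat/netsh/certutil and the registry are used instead of the newer SMB cmdlets so it also runs on Windows 7 with PowerShell 2.0. Assumptions: the thread gives the path only for WINSec.exe, so msiexev.exe is assumed to sit in the same folder; the rule name Block-SMB-445-Inbound is my choice; the KB numbers are the March 2017 MS17-010 updates for Windows 7 SP1 as I know them, not from the thread.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt (Windows 7 or later).
# Checks: hidden/system files named in the thread, listeners on TCP 445, SMBv1 state, MS17-010 KBs.
# Mitigation: block inbound TCP 445 with the Windows firewall and disable the SMBv1 server.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Files named in the thread. They carry the hidden+system attributes, so -Force is needed
#    (the equivalent of enabling "show system files" in Folder Options).
#    Path for msiexev.exe is an assumption; the thread only gives the WINSec.exe path.
$suspects = @('C:\Windows\Security\WINSec.exe', 'C:\Windows\Security\msiexev.exe')
foreach ($path in $suspects) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        Write-Output ("FOUND {0}  size={1}  attributes={2}" -f $path, $item.Length, $item.Attributes)
        # certutil exists on Windows 7; compare the hash with the VirusTotal report quoted in the thread
        certutil -hashfile $path SHA256 | Select-Object -Skip 1 -First 1
    } else {
        Write-Output "not present: $path"
    }
}

# 2. What is bound to TCP 445 and which process owns it? (netstat columns: Proto, Local, Foreign, State, PID.)
Write-Output '--- TCP 445 ---'
netstat -ano -p tcp | Select-String ':445\s' | ForEach-Object {
    $parts = $_.Line.Trim() -split '\s+'
    $proc  = Get-Process -Id $parts[4] -ErrorAction SilentlyContinue
    "{0} -> {1}  {2}  PID={3} ({4})" -f $parts[1], $parts[2], $parts[3], $parts[4], $proc.ProcessName
}

# 3. SMBv1 server state. A missing value means enabled, the default that ETERNALBLUE (MS17-010) targets.
$smb1 = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).SMB1
if ($smb1 -eq 0) { Write-Output 'SMBv1 server: disabled' } else { Write-Output 'SMBv1 server: ENABLED' }

# 4. MS17-010 for Windows 7 SP1 shipped in March 2017 as KB4012212 (security-only) and
#    KB4012215 (monthly rollup). Later rollups supersede them, so "not listed" on a machine
#    patched afterwards is not proof of exposure; the date of the most recent update is shown as well.
$ms17010 = @('KB4012212', 'KB4012215')
$fixes = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($fixes) {
    $fixes | ForEach-Object { "installed: {0} ({1})" -f $_.HotFixID, $_.InstalledOn }
} else {
    Write-Output 'MS17-010 KBs not listed; verify that a rollup from April 2017 or later is installed'
}
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
"most recent update: {0} installed {1}" -f $latest.HotFixID, $latest.InstalledOn

# 5. Mitigation from the first post: block inbound TCP 445. Other machines can no longer reach
#    this computer's shares; remove with: netsh advfirewall firewall delete rule name="Block-SMB-445-Inbound"
netsh advfirewall firewall add rule name="Block-SMB-445-Inbound" dir=in action=block protocol=TCP localport=445

# 6. Disable the SMBv1 server; takes effect after a reboot.
#    (Windows 8 / Server 2012 and later can use Set-SmbServerConfiguration -EnableSMB1Protocol $false.)
Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0
```

Run steps 1 to 4 first and read the output; steps 5 and 6 change the machine. Outbound SMB (this computer connecting to other shares) keeps working after the inbound block, which is why the first post's advice is enough to stop the port-445 knocking without touching the rest of the system.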
kvanch
Yes, the point is that here too I only sit on VK and PG, well, Yandex weather, watch, play Diablo. It appears by itself. Formatting doesn't help. Everything suddenly starts lagging badly, Explorer doesn't work, no access to Task Manager, all processes are marked as not responding. Well, a reboot and it all starts over again.
Mayenikus
So try, after formatting (full, not quick), to stay off the Internet (unplug the cable for good measure). And are you completely sure that none of your equipment/programs goes to the Internet afterwards for updates/settings? It's likely that their server is also infected.