The virus (backdoor) DoublePulsar and miner (WINSec.exe/msiexev.exe)
The first important thing I found out after a detailed study of the problem: the miner is just a symptom. It gets into the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the National Security Agency of the United States were leaked. These utilities immediately got into the hands of all and sundry, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner discussed in this thread uses this backdoor. But anything at all can appear on the computer through the backdoor, so I am waiting for further developments. In my case the virus survived formatting the hard disk, deleting the hard disk partitions, re-flashing the BIOS and the router, formatting the Windows flash drive, and trying to install Windows from another image, all to no avail. Still, 2 weeks later, nobody has found the source of this backdoor's appearance on the computer. So if you have the miner described in this thread, it more than likely came in through the backdoor, via which this miner is downloaded.
At the moment there is only one solution: urgently update Windows to the latest updates and close port 445. Microsoft wrote that the ETERNALBLUE exploit used in this backdoor was removed in a recent update. It knocks on the backdoor via port 445.
And please note: the latest version of the miner downloads files marked as system. So to see them, don't forget to enable viewing of system files in Folder Options.
Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is a Russian version there, but I gave all the important info above.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For now it is not known whether this is spreading from (initially infected) servers of Internet service providers, or simply roaming the network in search of victims.
----------------------------
Here's the situation: if I leave the computer for, say, 10 minutes, the CPU load (Core i5 3570 @ 4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer, the load magically drops to zero (the miner notices and stops?).
The computer spontaneously rebooted when I was away for about 30 minutes. There is definitely no overheating. Even when the load is at 90% the temperature rises to 65, but that is very far from actual overheating.
And I just noticed that the open (minimized) Task Manager suddenly closed by itself.
--------------
Bottom line: yes, by all indications I think it is a very sneaky miner. But here's the problem: I did a format just yesterday. The problem was there both before and after that. And I haven't installed any software, games or updates for a month. Nothing new was downloaded. So how it could have got in is unclear.
Any suggestions on catching this wonder?
UPDATE:
Now I've found this:
C:\Windows\Security\WINSec.exe
Eating 70-75% of the CPU. Never seen anything like it in my life. I'll Google it now. But I suspect that's the culprit.
UPDATE 2:
VirusTotal scan of the file:
https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/
PS If anyone can find clear info on this "joy", I'd appreciate it. Google only has some vague bits and pieces.
Folks, I went through this virus, a miner hanging in RAM, secscan and winsec; I deleted them 10 times and in the end installing the update on Windows 7 fixed everything, but the problem is that this update conflicts with a program I need and often use, which works only under Windows 7. Is there a way to remove the update and stay protected for sure?
Embrace the Futility wrote:
It dies when the computer is restarted.
Hmm, in that case it's clear why nothing came back after a careful removal. Thank you.
LichGod wrote:
the thing is that this update conflicts with a program I need and often use, which works only under Windows 7. Is there a way to remove the update and stay protected for sure?
As Embrace Futility advised: close port 445. In theory that should help. But it would still be better to patch as well.
Frankie Zima
In your router settings (if available) or through a firewall. I don't know what router or firewall you have, so I can't help further. Better to Google it.
Frankie Zima
Control Panel\System and Security\Windows Firewall
On the left, Advanced settings. In the window that opens, click Inbound Rules, then on the right, New Rule. You'll figure out the rest from there.
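The same inbound block on TCP 445, plus a check for the files named in this thread, done from an elevated PowerShell instead of the GUI. This is an added example, not something posted in the thread; it assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (a netsh fallback is included for Windows 7), and the rule name is made up here.

```powershell
# Added example (not from the thread). Run as Administrator.
# 1. Block inbound SMB (TCP 445) in Windows Firewall for every profile.
$ruleName = 'Block inbound TCP 445 (DoublePulsar mitigation)'   # assumed name

if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: NetSecurity module
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $ruleName |
        Format-Table DisplayName, Enabled, Direction, Action -AutoSize
} else {
    # Windows 7 fallback: no NetSecurity module, use netsh
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
        protocol=TCP localport=445
}

# 2. Show what is still listening on or connected to port 445.
netstat -ano | Select-String ':445\s'

# 3. Look for the file names mentioned in the thread. They are marked
#    as system files, so -Force is needed to see them at all.
$hits = Get-ChildItem -Path 'C:\Windows' -Recurse -Force -Include 'WINSec.exe', 'secscan.exe' `
            -ErrorAction SilentlyContinue
if (-not $hits) {
    'No WINSec.exe / secscan.exe found under C:\Windows'
}
foreach ($f in $hits) {
    $line = "$($f.FullName)  attributes=$($f.Attributes)  size=$($f.Length)"
    # Get-FileHash needs PowerShell 4+; print the hash so it can be looked up on VirusTotal
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        $line += "  sha256=$((Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash)"
    }
    $line
}
```

The file search is more reliable than watching Task Manager, because the thread reports the miner stopping as soon as Task Manager or Process Explorer is opened.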
rambling
Are there any other useful actions besides that?
AR3E wrote:
Are there any other useful actions besides that?
Besides closing the port, it is better to update the system, but overall there is nothing new. The infection gets in directly, so there really aren't other options. Closing the port is good. But closing the exploit itself wouldn't hurt either.
Wow, and I thought my hard drive was dying of old age: the computer kept rebooting with an error message and the CPU was loaded. I only realized later, because some games that used to work fine started to lag. Dr.Web CureIt found secscan.exe / 1[1].exe as virus.Spy.422 and WINSec.exe as Tool.BtcMine.948; I removed them. After that I also ran Malwarebytes; it found a lot of things in the registry, but nothing relating to WINSec.exe, and the Windows Security service is missing. Plus port 445 is closed. Updating is hard, since Windows is pirated, installed 5 years ago, and God knows how I activated it. After all these operations the site says my IP is clean, and for a day the computer has been working fine; the virus no longer shows up, touch wood!
Oh guys, it's just a disaster.
I have this garbage too.
What do you think, is WINSec directly linked with this ransomware virus?
Alex Kanevsky
WINSec and the ransomware virus use the backdoor and the exploit like a taxi driver who drives drunk friends home :) The taxi driver is the same, the passengers are different :) The passengers can be any virus :) If you don't disable this driver by installing the March update for Windows and closing port 445, a whole crowd will rush to your computer :)
Evermus
Had a good laugh at your comment :) Everything is described beautifully. Let me remind you of just one thing: in the coming months a lot more viruses will be released. Update Windows and close port 445. Urgently. It is very likely that what is happening now will seem like paradise compared with what else awaits us.
Lol kek cheburek, guys, programmers, sysadmins and people: explain what set of steps needs to be done to completely remove this infection?
Preferably laid out point by point :)
Alex Kanevsky
Reinstall Windows, for example, and in future think with your head about where you go and why.
Alex Kanevsky wrote:
explain what set of steps needs to be done to completely remove this infection?
God, it's been spelled out 250 times. Close port 445, update Windows. Or have you already picked it up and need to remove it? What do you have? The miner or the ransomware?
- Rick Sk1mmer wrote:
think with your head about where you go and why
You are fundamentally wrong. The infection gets in directly through the ports. Even if the browser isn't open.
Went to the link above from my mobile (Android), the system got infected. I just don't understand, does this crap have an upgrade for phones?!
No More Lies wrote:
Went to the link above from my mobile (Android), the system got infected. I just don't understand, does this crap have an upgrade for phones?!
Hmm. Then it's a bit hard for me to judge. Did you go through Wi-Fi? If so, then the backdoor is knocking at you through the router. If through the data connection, then the real party is sitting on your provider's server. They said a MegaFon server was infected. It most likely won't do anything to your phone; it's essentially a loophole, not a virus as such. Your Android won't catch it. But I'd worry about the computer.
In theory, an Android virus could be attached to this backdoor. But I doubt anyone will bother.
rambling: went through regular mobile Internet, provider MegaFon.
Hmm, that's strange...
No More Lies
No, the virus doesn't work there,
only on the Windows operating system.
Agreed, why would miners (which are harvested by a cryptocurrency botnet) need pathetic phone resources.
And WannaCry also only works on Windows.
By the way, if you've just picked up a malicious link,
you can just press Tab and close everything.
If that doesn't work, then clear the cookies in your phone browser, or at least download the free Dr.Web on your phone; it will find it.