rambling 04.04.20 01:26 am

The virus (backdoor) DoublePulsar and miner (WINSec.exe/msiexev.exe)

The first important thing I found out after a detailed study of the problem: the miner is just a symptom. It gets into the computer through the DOUBLEPULSAR backdoor. DOUBLEPULSAR appeared online on 12 April 2017, when the network hacking utilities used by the National Security Agency of the United States were leaked. These utilities immediately got into the hands of all and sundry, and by 15 April there were 1,951,075 servers infected with the DOUBLEPULSAR backdoor. The miner that will be discussed in this thread uses this backdoor. But anything at all may appear on the computer through the backdoor, so I am waiting for further developments.
In my case the virus survived formatting the hard disk, removing the hard disk partitions, re-flashing the BIOS and the router, formatting the flash drive with Windows, and trying to install Windows from another image, all to no avail. Still, 2 weeks later, no one has found the source of this backdoor's appearance on the computer. So if you have the miner described in this thread, a backdoor through which this miner is downloaded has more than likely appeared.

At the moment there is only one solution: urgently update Windows with the latest updates and close port 445. Microsoft wrote that the ETERNALBLUE exploit used by this backdoor was removed in a recent update. It knocks on the backdoor via port 445.

And please note: the latest version of the miner downloads files marked as system files. So to see them, don't forget to enable viewing of system files in Folder Options.

Here is a link to one of the sources I used:
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
There is a Russian version there, but I gave all the important info above.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here you can check whether you are infected with the backdoor:
www.binaryedge.io/doublepulsar.html
(thanks to Embrace Futility)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It is not yet known whether this thing walks in from the servers of Internet service providers (a server system initially) or simply roams the network in search of victims.

----------------------------

The situation is this: if I leave the computer for, let's say, 10 minutes, the load (Core i5 3570 @ 4.2 GHz) goes up to 90% on all cores. But as soon as I open Task Manager or Process Explorer the load magically drops to zero (the miner notices and stops?).

The computer spontaneously rebooted when I was away for about 30 minutes. There is no overheating, for sure. Even when the load is at 90% the temperature rises to 65, but that is very far from actual overheating.

And I just noticed that the open (minimized) Task Manager suddenly shut down by itself.

--------------

The bottom line: yes, by all indications I think it is a very smart-ass miner. But here's the problem: I formatted just yesterday. The problem was there before that and after. And I have installed neither software, nor games, nor updates for a month. Nothing new was downloaded. So how it got in is unclear.

Any suggestions on catching this miracle?

UPDATE:
Now I found this:

C:\Windows\Security\WINSec.exe

Eating 70-75% of the CPU. Never seen it in my life. I will Google it now. But I suspect that is where the happiness is.

UPDATE 2:
VirusTotal scan of the file:

https://www.virustotal.com/en/file/450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f/analysis/1493461158/

PS If anyone can find clear info on this thing, I'd appreciate it. In Google there are only some vague bits and pieces.
236 Comments
Evermus 04.04.20

- Rick Sk1mmer wrote:
To reinstall Windows, for example, keep thinking with your head about where to go and why.
What is WannaCry?

Overall, WannaCry is an exploit, which handles infection and spreading, plus the Trojan that is downloaded onto the computer after infection has occurred.

This is an important distinction between WannaCry and most other encryptors. To infect your computer with, say, any other encryptor, the user has to make some mistake: click on a suspicious link, allow a macro to execute in Word, download a questionable attachment from an email. WannaCry you can get without doing anything at all.
Here is the full guide from Kaspersky https://blog.kaspersky.ru/wannacry-ransomware/16147 if it is interesting)
GG4 wrote:
Windows not updated, a free repack, antivirus not bought, and then they wonder.
Win10 with the April security updates has long been on the torrents, and the distribution is also updated, rolling out a pack of security fixes every few months, and activators make it easy to pass the legitimacy check and get updated. The minus is that sometimes it installs incorrectly on the system and the system breaks down into constant rebooting, but a restore point sorts that out). Buying the system is so boring; better to buy candy for the children or give money to elderly relatives for pills) In general, everyone can decide for themselves how and where to spend the cash from their salary or breakfast ;)
rambling wrote:
It is very likely that what is happening now will seem like paradise in comparison with what else awaits us.
And what could be worse than an encryptor that cuts up your useful documents, so that to restore the computer's health you need to reinstall Windows and restore from old backups? A current virus that removes the overheating protection of the CPU and GPU, launches the miner, and the computer explodes)? But I have not seen such jokes.

rambling 04.04.20

Evermus wrote:
And what could be worse than an encryptor that cuts up useful documents
Only one thing. A virus that wipes files and documents but does not reveal itself. It would sit there, encrypting day after day, while I connect my backups from time to time to update them. And then, after a couple of weeks, everything I have is wiped, including all the backups. So you can lose everything. A window of 4 hours after infection isn't too terrible.

oscarbin 04.04.20

rambling
Hi. Well, if you dig deep enough: disconnect all the (old) drives and put in a new hard disk (well, any new one not connected to your system). Install Windows from a clean original MSDN image without activation.
PS I updated Windows immediately after removing the virus, so maybe the body itself still lives somewhere, but I closed the hole in Windows with a fresh patch.
PPS I read a few years ago about viruses that live in hard disk firmware, put there at the factory, but thought it was all paranoia and a Zionist conspiracy; if they have suddenly learned to crawl into firmware then, as the French say, "jo pa".

I would recommend copying everything useful and valuable to another hard disk, disconnecting it and keeping it in a drawer as a backup (I keep a copy of all my pictures separately in a box). Whatever can be, pour into the cloud. All my photos live in the email.ru cloud; there is nothing to hide, so I don't fear for privacy.

rambling 04.04.20

oscarbin

All of that I have done and tested, and I already have the answers to all these questions. I won't paint it all out, because the necessary information is already in the header and in the thread as a whole. The solution is the same: Windows updates, close the port. If anyone has specific questions (your post has suggestions rather than questions), ask.

In brief:
Embrace the Futility wrote:
bots crawl the Internet and knock on ports
This has been confirmed. In addition, this backdoor also sits on many servers around the world, including the servers of Internet service providers/mobile Internet providers.

The March update closes the hole: confirmed. Closing port 445 also closes the hole: confirmed. I protest.

The backdoor is not sitting on your computer or in your files. It has absolutely nothing to do with them. Not in Windows, not in the drive firmware, nothing. I'm talking about the backdoor through which the viruses crawl in, not about the viruses.

Sonic268 04.04.20

Windows activators: once you have downloaded a system and activated it with an activator, you have to understand that you will easily infect even a clean original system, and there is no point in saying "I download tested activators"; 99% of activators are already a virus.

kvanch 04.04.20

Here's an interesting response I found on the Microsoft website
https://answers.microsoft.com/ru-ru/windows/forum/windows_7-security/%d0%b2%d0%b8%d1%80%d1%83%d1%81-wanna-crypt/579771be-cfb3-43a0-8d8b-c07ceb8710ff
Is it enough to run these commands to close the hole?

As a temporary measure you can disable the SMB v1 client on your system.
To do this, execute the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
The commands are executed in elevated mode (as administrator).
You must restart the computer after applying the commands.


If your system was running an SMB server, see the article https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 for how to disable SMB v1.
See also https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
In addition, you can block port 445 for inbound SMB connections in the router or in the firewall rules, which will also reduce the risk of penetration by the encryptor.

oscarbin 04.04.20

So, comrades. I've read and see that some are afraid to update their pirated WIN7. Perhaps they are among those who only read but never write (I registered at PG only because of this virus, because at that time it was the only resource where secscan.exe was mentioned). This is a very serious matter, because if the system was never updated after installation, it is as leaky as a sieve and vulnerable to many different viruses, not just this one. It is necessary to update, be sure of it. That is the first thing I did after I removed the virus; I may have insufficiently emphasized and highlighted the importance of this, and it eventually helped me get rid of the problem. Update Windows!!!
So that activation doesn't fly off, in the Update Center you need to go into the list of updates and manually hide update KB971033, which resets it. Then boldly install all the updates. Generally, in light of recent events, I can safely recommend all my friends to update all versions; activating again always works the second time, but restoring a dead old system will not.

oscarbin 04.04.20

rambling
Sorry, I didn't notice that the header has been updated. Maybe it's time to create a thread on some other forums? sysadmins.ru or ru-board.com, for example. People still come to PG for this, and 99% of those not infected pass by.

kvanch 04.04.20

Put these commands in the command prompt one by one:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

- it wrote success.

As you see it, is this enough to close the hole?
The update says the fault is a vulnerability in SMB v1 and that they sort of fixed the processing of some requests.
But as I understand it, shutting it the fuck down is not forbidden.
Are there specialists who know specifically what this service is responsible for and how much ordinary users need it at all?
At least I have found no failures or deficiencies in operation after that.
I have a pirated 7 SP1, so updating via the Update Center is not an option.
I don't want to install 10, and I can't find the separate patch anywhere...
So I think this is the most rational way.

dihlofos2009 04.04.20

kvanch
The needed update can be downloaded from here; it should install normally: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Well, and close the ports, at least 445, as it is written in the header.

kvanch 04.04.20

dihlofos2009
So what if I completely turned off this SMBv1, so that it has no port to get through? What's the point then of these updates, what's so valuable in this SMBv1 that they fix it? Without it everything seems to work fine for me..

rambling 04.04.20

dihlofos2009 wrote:
The needed update can be downloaded from here; it should install normally
I saw this link and wanted to put it in the header, but really don't understand what to click. I'm just really sick of fumbling around the page. Could you suggest where to click, and I'll put it in the header.

Thank you.

kvanch

About disabling SMB: it is also a good idea to add that to the header. If you can describe the procedure to disable it, I'll also throw it in the header.

kvanch 04.04.20

rambling
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212

kvanch 04.04.20

rambling
Put these commands in the command prompt one by one:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

For newbies:
click Start - Run (or press Win+R)
enter
cmd
press Enter
then, at the command prompt, copy and paste these commands one at a time (if pasting from here doesn't work, paste them into Notepad and copy from there) and press Enter after each
you should see success

You can just insert them directly into Run, but then the window closes immediately, and it is difficult to check the result

PS
just in case, here are the commands to turn it back on:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
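Checking the result of the commands above, as an added example that is not from the thread or from any of its posters: this PowerShell snippet reads back the two registry values the sc.exe commands change and reports whether SMBv1 is still reachable. It also checks the server side, because the flaw fixed by MS17-010 is in the SMB server, while mrxsmb10 is only the SMBv1 client driver; on Windows 7 the server side is the LanmanServer\Parameters\SMB1 value from the support article KB2696547 linked earlier in the thread, and on Windows 8/10 it is Get-SmbServerConfiguration. Run it in an elevated PowerShell after the reboot (the sc.exe commands themselves also need an administrator prompt); the report labels are my own.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell after the
# reboot that follows the sc.exe commands. Report labels are chosen here.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# SMBv1 client driver: Start=4 is "disabled", which is what
# "sc.exe config mrxsmb10 start= disabled" writes.
$startValue = (Get-ItemProperty -Path "$svc\mrxsmb10" -Name Start -ErrorAction SilentlyContinue).Start
$clientDriverDisabled = ($startValue -eq 4)

# LanmanWorkstation must no longer depend on mrxsmb10, otherwise the Workstation
# service fails to start once the driver is disabled. This is what the
# "depend= bowser/mrxsmb20/nsi" command rewrites.
$deps = (Get-ItemProperty -Path "$svc\LanmanWorkstation" -Name DependOnService).DependOnService
$dependencyRemoved = -not ($deps -contains 'mrxsmb10')

# Server side. The MS17-010 flaw is in the SMB server, so the client driver
# being off does not by itself stop an inbound SMBv1 connection.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later
    $serverSmb1 = if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { 'ENABLED' } else { 'disabled' }
} else {
    # Windows 7 / Server 2008 R2: LanmanServer\Parameters\SMB1 (REG_DWORD) per KB2696547;
    # when the value is absent the default is enabled.
    $smb1 = (Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverSmb1 = if ($null -eq $smb1 -or $smb1 -ne 0) { 'ENABLED (value absent or non-zero)' } else { 'disabled' }
}

# Is anything still listening on TCP 445?
$listening445 = [bool](netstat -an | Select-String -Pattern ':445\s+.*LISTENING')

# New-Object is used instead of [PSCustomObject] so this also runs on the
# PowerShell 2.0 that ships with Windows 7.
New-Object PSObject -Property @{
    'mrxsmb10 driver disabled (Start=4)'      = $clientDriverDisabled
    'mrxsmb10 removed from LanmanWorkstation' = $dependencyRemoved
    'SMBv1 server protocol'                   = $serverSmb1
    'Listening on TCP 445'                    = $listening445
} | Format-List
```

If the first two lines of the report are True but the server line still says ENABLED, the client-side commands worked as intended but the exposed service is untouched; that is the case the update (or the server-side setting from KB2696547) covers.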

kvanch 04.04.20

Director of Europol Rob Wainwright said that a series of cyber-attacks can last Monday morning, reports Reuters.
https://news.mail.ru/society/29735594

dihlofos2009 04.04.20

rambling wrote:
I saw this link and wanted to put it in the header, but really don't understand what to click. I'm just really sick of fumbling around the page. Could you suggest where to click, and I'll put it in the header.
Well, actually, just choose the Security Only update for your OS, such as win7 x64.
In any case, on the next page there will be a set of operating systems, so you can probably put this link directly in the header: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212
Click Download for your OS, download and install.

The update for XP and other already unsupported Windows versions has also been released:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
A bit of information from the official blog: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
kvanch wrote:
So what if I completely turned off this SMBv1, so that it has no port to get through.
Maybe disabling alone will be enough. I make no claims here.
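As an added example (not from the thread, from Microsoft, or from any poster): a PowerShell check for whether the update linked above is installed and whether inbound TCP 445 is blocked at the Windows firewall, adding the block rule if it is missing. The rule name is an assumption made here; the netsh syntax is used because the Get-NetFirewallRule cmdlets only exist from Windows 8 onward. Note that Get-HotFix lists a KB only if that exact package was installed; a later monthly rollup that supersedes KB4012212 will not show it, so an empty result is not by itself proof the machine is unpatched.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell.
# KB4012212 is the Windows 7 / Server 2008 R2 security-only package linked above;
# KB4012598 is the package for XP and other out-of-support versions.
$ms17010Ids = @('KB4012212', 'KB4012598')

# Get-HotFix only knows about packages installed as themselves: a later monthly
# rollup that supersedes KB4012212 will not show up under this ID.
$found = Get-HotFix -Id $ms17010Ids -ErrorAction SilentlyContinue
if ($found) {
    "MS17-010 package installed: " + (($found | ForEach-Object { $_.HotFixID }) -join ', ')
} else {
    "None of $($ms17010Ids -join '/') found by ID. Security updates installed since the MS17-010 release (14 March 2017):"
    Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge [datetime]'2017-03-14' } |
        Sort-Object InstalledOn |
        Format-Table HotFixID, InstalledOn -AutoSize
}

# Inbound block for TCP 445 in the Windows firewall. The rule name is chosen here.
# netsh reports "No rules match the specified criteria." (and a non-zero exit
# code) when the rule does not exist; both are checked in case the text is localized.
$ruleName = 'Block inbound SMB (TCP 445)'
$shown = netsh advfirewall firewall show rule name="$ruleName"
if ($LASTEXITCODE -ne 0 -or ($shown -match 'No rules match')) {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    "Added firewall rule '$ruleName'."
} else {
    "Firewall rule '$ruleName' already present."
}

# Show whether anything is still listening on 445. A block rule does not stop the
# service from listening; it only drops incoming connections at the host firewall.
netstat -an | Select-String -Pattern ':445\s+.*LISTENING'
```

The firewall rule only protects the machine it is set on; the router rule mentioned earlier in the thread protects the whole network behind it, and the update removes the flaw itself, so the three are complementary rather than alternatives.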

- Rick Sk1mmer - 04.04.20

rambling
You are fundamentally wrong. Infection climbs in directly through the ports. Even if the browser is not open.
Well, how do you think the exploit gets onto a machine? When the user isn't friends with his head and clicks on everything, obviously. If the user belongs to the caste of those who consider antivirus and similar programs a relic of the past while sitting on their Win10, all the more so.

the virus survived formatting the hard disk, removing the hard disk partitions, re-flashing the BIOS and the router, formatting the flash drive with Windows, trying to install Windows from another image, all to no avail
Like any virus, after formatting the disk it must disappear. Well, if you really, really want, you can wipe the surface of the disk.

Evermus
Overall, WannaCry is an exploit, which handles infection and spreading, plus the Trojan that is downloaded onto the computer after infection has occurred.
A description suitable for the next film

rambling
The backdoor is not sitting on your computer or in your files. It has absolutely nothing to do with them.
Almost any encryptor can be intercepted immediately after it starts its activity; there are corresponding utilities, though many neglect them and then start complaining. As for ports, in the firewall a simple rule is configured so that any connection pops up an informational message, and the user then decides what to do with it, thus building the appropriate set of rules, and subsequently there are no problems.

kvanch 04.04.20

- Rick Sk1mmer -
Almost any encryptor can be intercepted immediately after it starts its activity, and there are appropriate utilities.

Tell us what to use, if it's not difficult

- Rick Sk1mmer - 04.04.20

kvanch
I use SpyShelter AntiKeylogger. Offhand I also remember Zemana AntiLogger, the MalwareBytes product, and Kaspersky has built-in protection from encryptors.

kvanch 04.04.20

- Rick Sk1mmer wrote: I use SpyShelter AntiKeylogger
I looked on rutracker, there's no such thing
Where can you get it?