Tuesday, May 28, 2019

Malware Removal 101: Ramnit

These are manual removal instructions for this specific strain of Ramnit.

VirusTotal

What it does:

Creates four shortcuts in the root directory of your external drive and drops multiple copies of itself in a RECYCLER folder on the same drive.  (Windows Vista and later keep the real Recycle Bin in $RECYCLE.BIN, so on a drive that has only been used with current Windows a folder named RECYCLER is the worm's.)



Creates a file in the Startup folder so that it starts with Windows.


Manual Removal


This strain of Ramnit launches itself through the default browser.

1.  Terminate the browser's running process using System Explorer


2.  Go to the Autoruns tab and delete the startup entry


3.  Delete the ramnit shortcuts as well as the RECYCLER folder.


4.  Perform a full scan using an updated antivirus


Wednesday, May 8, 2019

Malware Removal 101: Worm (Files.bat)

I got this sample a few days ago from a customer's USB drive:

VirusTotal


The user's files and folders are replaced with shortcuts.  The originals are hidden and moved into a Files folder.

Manual Removal

Using System Explorer, terminate the running malware process.  If there are multiple running instances of the worm, select the parent process and use End Process Tree instead.



Locate the files using CCleaner: select Start.lnk, right-click and click File Directory Explore.


Delete all the files, including their parent folder.


Using Explorer, delete the shortcuts on your USB drive.


Unhiding the files.  You can use Attrib or Explorer.

  • Attrib
Launch CMD and type the following:

CD /D drive:\
ATTRIB -S -H /S /D

Replace drive: with the drive letter of your USB drive, e.g. F:.  (A plain CD F: does not switch the current drive, so ATTRIB would run against the wrong drive; /D switches drives and the trailing \ puts you at the root, which is where the recursive ATTRIB must start.)

  • Explorer
In Folder Options, enable Show hidden files, folders and drives.

Navigate to the Files folder.

Move all the files and folders back to the root directory of the drive.


Select all the hidden folders and unhide them via Properties.



Delete the now-empty Files folder.



Back in System Explorer, delete the Start.lnk startup entry.



Note:  If you have multiple instances of the malware running in memory, do not use TaskMan to terminate them, because there is a chance your PC will reboot.  Use System Explorer instead: suspend all the processes first, then end them one by one.



POST:  Scan your system and USB drives with an updated antivirus.
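The USB-drive half of the Ramnit and Files.bat clean-ups above (resolve the shortcuts, delete the launchers and the drop folder, clear the Hidden/System attributes, move the user's data back out of the Files folder) can be done in one pass.  The script below is an added example, not code from the original posts.  The script name, the parameter names and the default folder names RECYCLER and Files are assumptions taken from the two samples; the shortcut-resolution step uses the WScript.Shell COM object that ships with Windows.

```powershell
<#
 Clean-ShortcutWormDrive.ps1 - an added example, not code from the original
 posts.  It scripts the USB-drive half of the Ramnit and Files.bat clean-ups:
 resolve the .lnk files at the drive root and show what each really launches,
 delete the worm launchers, delete the worm's drop folder (RECYCLER for the
 Ramnit sample), clear the Hidden/System attributes the worm set (the
 ATTRIB -S -H /S /D step) and, for the Files.bat sample, move the user's data
 out of the Files folder back to the root.  Folder names are parameters
 because they are sample-specific assumptions.  Run with -WhatIf first;
 nothing is changed until you drop it.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # e.g. F:
    [string[]]$PayloadDirs = @('RECYCLER'),         # worm drop folders to delete (assumed)
    [string]$DataDir = 'Files'                      # folder the worm moved user data into (assumed)
)

$root  = "$Drive\"
$shell = New-Object -ComObject WScript.Shell

function Test-WormShortcut([string]$Target, [string]$Arguments) {
    # A worm shortcut runs an interpreter (cmd /c start ... RECYCLER\x.exe) or
    # something inside the drop folder; a genuine folder shortcut points at
    # the folder itself.
    if ($Target -match '\\(cmd|wscript|cscript|mshta|rundll32|powershell)\.exe$') { return $true }
    foreach ($d in $PayloadDirs) {
        if ("$Target $Arguments" -match [regex]::Escape($d)) { return $true }
    }
    return $false
}

# 1. Triage every shortcut at the root and report what it points to.
$suspects = @()
foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter *.lnk -Force -File) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $bad = Test-WormShortcut $sc.TargetPath $sc.Arguments
    [pscustomobject]@{ Shortcut = $lnk.Name; Target = $sc.TargetPath; Arguments = $sc.Arguments; Worm = $bad }
    if ($bad) { $suspects += $lnk }
}

# 2. Delete the worm shortcuts and its drop folders.
foreach ($lnk in $suspects) {
    if ($PSCmdlet.ShouldProcess($lnk.FullName, 'Delete worm shortcut')) {
        Remove-Item -LiteralPath $lnk.FullName -Force
    }
}
foreach ($d in $PayloadDirs) {
    $p = Join-Path $root $d
    if ((Test-Path -LiteralPath $p) -and $PSCmdlet.ShouldProcess($p, 'Delete drop folder')) {
        Remove-Item -LiteralPath $p -Recurse -Force
    }
}

# 3. Clear Hidden and System on everything else (what ATTRIB -S -H /S /D does),
#    leaving the volume's own Hidden+System housekeeping folders alone.
$hs = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notmatch '\\(System Volume Information|\$RECYCLE\.BIN)(\\|$)' } |
    ForEach-Object {
        if ((([int]$_.Attributes -band $hs) -ne 0) -and
            $PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden/System')) {
            $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band -bnot $hs)
        }
    }

# 4. Files.bat: bring the user's data back out of the folder the worm made.
if ($DataDir -and (Test-Path -LiteralPath (Join-Path $root $DataDir))) {
    $data = Join-Path $root $DataDir
    foreach ($item in Get-ChildItem -LiteralPath $data -Force) {
        $dest = Join-Path $root $item.Name
        if (Test-Path -LiteralPath $dest) {
            Write-Warning "Skipping $($item.Name): something with that name is already at the root"
            continue
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, "Move back to $root")) {
            Move-Item -LiteralPath $item.FullName -Destination $dest
        }
    }
    # Remove the folder only once it is empty.
    if (-not (Get-ChildItem -LiteralPath $data -Force) -and
        $PSCmdlet.ShouldProcess($data, 'Remove emptied data folder')) {
        Remove-Item -LiteralPath $data -Force
    }
}
```

.\Clean-ShortcutWormDrive.ps1 -Drive F: -WhatIf prints the shortcut table (name, real target, arguments, whether it is flagged) and every action it would take; run it again without -WhatIf to apply.  For the Ramnit sample the defaults fit.  For a Files.bat drive there is no RECYCLER to delete, so pass -PayloadDirs @() and let -DataDir 'Files' do the restore.  The shortcut check is deliberately conservative: anything it does not flag stays on the drive for you to look at.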






All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. 
Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!

Sunday, May 5, 2019

Malware Removal 101: Facebook Worm

I think you are familiar with this post.



Your PC would only be affected if you did both of the following:
  • You clicked and downloaded the file.  (The sample I got is video_68080.bz; note that the filename may vary.)
  • You extracted or clicked on the archive and launched the file inside it (play_29732727.mp4.com).

Correction:  It's a .com file, not a video; the .mp4 is just part of the name.



Running the worm creates the following files (the full list is below).


It starts with Windows via a registry entry.


What it does is post the same "Wow" video bait in different Facebook groups without the user's knowledge.

Other changes in the registry.  Two things to know when reading them: the Tracing\play_29732727_RASAPI32 and RASMANCS keys are created automatically by the Windows RAS libraries whenever a process uses them, so they are a trace of network activity, not a persistence mechanism; the LowRiskFileTypes value is the one that matters, because it tells Attachment Manager to treat .exe files as low risk, which suppresses the "Open File - Security Warning" prompt for downloaded executables.

Keys added: 
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations
HKU\S-1-5-21-628660338-905938160-2927024020-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKU\S-1-5-21-628660338-905938160-2927024020-1000\Software\Unzip

Values added: 
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes: ".exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ggle Updater: "C:\Users\Arnel\AppData\Roaming\Arnel\app.exe"

Files added: 
C:\Users\Arnel\AppData\Roaming\Arnel\7za.exe
C:\Users\Arnel\AppData\Roaming\Arnel\app.exe
C:\Users\Arnel\AppData\Roaming\Arnel\background.js
C:\Users\Arnel\AppData\Roaming\Arnel\config.json
C:\Users\Arnel\AppData\Roaming\Arnel\files.7z
C:\Users\Arnel\AppData\Roaming\Arnel\manifest.json
C:\Users\Arnel\AppData\Roaming\Arnel\update-x64.exe
C:\Users\Arnel\AppData\Roaming\Arnel\update-x86.exe

Folders added: 
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2LXBY3LA
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2YQU29T2
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5KFJB9OR
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZL3SUC12
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Arnel\AppData\Local\Temp\Low
C:\Users\Arnel\AppData\Roaming\Arnel


Note:  I got this error message because I don't have Chrome on my PC.  Plus I had to turn off my antivirus, because the worm is detected by McAfee Internet Security and never got past the extraction stage.


Removal Instructions:


Terminating the running process:



Note:  Since I am testing this malware, I'll be terminating the file I ran.  On an infected PC, terminate app.exe instead, since it's the file that starts with Windows.

Let's use CCleaner to remove the worm:

  • Launch CCleaner
  • Goto Tools | Startup
  • Highlight Ggle Updater
  • Right Click and Select Open Containing Folder
  • Still on CCleaner, click on Delete button on the right



In Explorer, select all the files and delete them.


Restart your computer.

On boot, scan with an updated antivirus.

POST:  Clean your temp folders.

I'll try to run this file on Windows 10 and report the changes it made on this OS.
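The removal steps above can be scripted directly from the indicators the post lists.  The script below is an added example, not code from the original post.  The script name and the -RunValueName parameter are assumptions; the Run value name "Ggle Updater" and the LowRiskFileTypes value are taken from the post, and the drop folder is read from the Run value rather than hard-coded to C:\Users\Arnel, so it works for whichever user ran the sample.

```powershell
<#
 Remove-FacebookWorm.ps1 - an added example, not code from the original post.
 It scripts the removal above from the indicators the post lists: the
 "Ggle Updater" value under HKLM\...\Run, the drop folder that value points
 to (C:\Users\Arnel\AppData\Roaming\Arnel in the post; read from the Run
 value here instead of hard-coded) and the LowRiskFileTypes policy value the
 worm added.  Run from an elevated prompt, since both values live under HKLM;
 -WhatIf previews every step.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$RunValueName = 'Ggle Updater')   # the name seen in the post

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations'

# 1. Find the persistence value and the executable it launches.
$data = (Get-ItemProperty -Path $runKey -Name $RunValueName -ErrorAction SilentlyContinue).$RunValueName
if (-not $data) { Write-Warning "No Run value named '$RunValueName' under $runKey"; return }
$exe     = $data.Trim('"')
$dropDir = Split-Path -Parent $exe
$prefix  = $dropDir.TrimEnd('\') + '\'
"Run value  : $RunValueName = $data"
"Drop folder: $dropDir"
if (Test-Path -LiteralPath $dropDir) {
    Get-ChildItem -LiteralPath $dropDir -Force | Select-Object Name, Length, LastWriteTime
}

# 2. Stop anything running out of the drop folder (app.exe, 7za.exe, update-*.exe)
#    so the files are not locked when we delete them.
Get-Process | Where-Object { $_.Path -and $_.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Name) (PID $($_.Id))", 'Stop process')) { Stop-Process -Id $_.Id -Force }
    }

# 3. Persistence before files, so a reboot half-way cannot relaunch the worm.
if ($PSCmdlet.ShouldProcess("$runKey\$RunValueName", 'Remove Run value')) {
    Remove-ItemProperty -Path $runKey -Name $RunValueName
}
if ((Test-Path -LiteralPath $dropDir) -and $PSCmdlet.ShouldProcess($dropDir, 'Delete drop folder')) {
    Remove-Item -LiteralPath $dropDir -Recurse -Force
}

# 4. LowRiskFileTypes=".exe" tells Attachment Manager to treat downloaded .exe
#    files as low risk, which silences the "Open File - Security Warning"
#    prompt.  Windows does not set this value on its own, so remove it unless
#    your own policy put it there.
$lrft = (Get-ItemProperty -Path $policyKey -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
if ($lrft -and $PSCmdlet.ShouldProcess("$policyKey\LowRiskFileTypes = $lrft", 'Remove policy value')) {
    Remove-ItemProperty -Path $policyKey -Name LowRiskFileTypes
}

# 5. Verify (all three should read True once run without -WhatIf).
[pscustomobject]@{
    RunValueGone   = -not (Get-ItemProperty -Path $runKey -Name $RunValueName -ErrorAction SilentlyContinue)
    DropFolderGone = -not (Test-Path -LiteralPath $dropDir)
    PolicyGone     = -not (Get-ItemProperty -Path $policyKey -Name LowRiskFileTypes -ErrorAction SilentlyContinue)
}
```

The order matters: processes first so nothing holds the files open, the Run value before the folder so an interrupted run cannot leave a working autostart behind, and the verification at the end re-reads the registry instead of trusting that the earlier calls succeeded.  The per-user Policies\Associations key the post lists under HKU\S-1-5-21-... was created empty and needs no action.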



Saturday, May 4, 2019

Malware Removal 101: Rotinom

Problem:  Drive C: runs out of disk space every time you insert an external HDD or a USB drive?  Chances are you are infected with Rotinom.

VirusTotal

What it does to your computer:


  • Starts with windows

  • Copies all the files from the USB drive into a Rotinom folder on drive C:, eating its free space.

  • Infects USB or external drives.  Hides all the folders and replaces each one with an *.exe file carrying a folder icon.
Notice the difference in the icons.


Changes in the registry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

Manual Removal Instruction:


  • Since TaskMan is not disabled, we can use it to terminate update.exe.

  • Navigate to "%LocalAppData%\Start" and delete update.exe
  • Search for the Rotinom folder.  The easiest way is to search with Everything.

  • Delete the folder.  Also delete its parent folder.  Empty your Recycle Bin.



Cleaning USB and external drives:

  • Delete all the files associated with Rotinom: every *.exe file with a folder icon, and also the Usb 2.0 Driver folder.


POST:

  • Scan with an updated Antivirus/Antimalware.
  • Unhide the files and folders at the CMD prompt, run from the root of the drive:
        ATTRIB -S -H /S /D

  • Repair the registry.  Set both Startup values back to the Windows default, which is the Programs\Startup folder under the Start Menu (not the Start Menu folder itself).  User Shell Folders takes the unexpanded form as REG_EXPAND_SZ; Shell Folders takes the expanded path as REG_SZ (admin is the user name in this example).

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Type: REG_EXPAND_SZ
Value: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Type: REG_SZ
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
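The registry repair and the hunt for the folder-lookalike executables are the two steps most likely to be done wrong by hand (a redirected Startup folder keeps working silently, and one missed folder.exe reinfects the next PC).  The script below is an added example, not code from the original post; the script name and parameter are assumptions, the expected values are the stock Windows defaults, and the lookalike test is the post's own description (an <name>.exe sitting beside a hidden folder called <name>).

```powershell
<#
 Repair-RotinomStartup.ps1 - an added example, not code from the original
 post.  It restores the Startup entries under Shell Folders and User Shell
 Folders (the worm points both at %LocalAppData%\Start) to the Windows
 defaults and, given a drive letter, lists the worm's folder-lookalike
 executables, i.e. every <name>.exe that sits beside a hidden folder called
 <name>, offering to delete them and then clearing the Hidden/System bits.
 Run with -WhatIf to preview.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$Drive)                  # optional removable drive to clean, e.g. F:

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$expected = @{
    # User Shell Folders keeps the unexpanded REG_EXPAND_SZ form ...
    'User Shell Folders' = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    # ... and Shell Folders the expanded REG_SZ copy.
    'Shell Folders'      = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
}

foreach ($sub in $expected.Keys) {
    $key = "$explorer\$sub"
    # Read the raw data: Get-ItemProperty would expand %USERPROFILE% and hide the difference.
    $current = (Get-Item -LiteralPath $key).GetValue('Startup', $null,
                   [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($current -eq $expected[$sub]) { "$sub\Startup is the default"; continue }
    Write-Warning "$sub\Startup is redirected to '$current'"
    if ($PSCmdlet.ShouldProcess("$key\Startup", "Set to $($expected[$sub])")) {
        $type = if ($sub -eq 'Shell Folders') { 'String' } else { 'ExpandString' }
        Set-ItemProperty -LiteralPath $key -Name Startup -Value $expected[$sub] -Type $type
    }
}

if (-not $Drive) { return }

# The real folder is hidden and a same-named .exe with a folder icon sits next to it.
$lookalikes = Get-ChildItem -LiteralPath "$Drive\" -Recurse -Force -Directory -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
    ForEach-Object { Get-Item -LiteralPath "$($_.FullName).exe" -Force -ErrorAction SilentlyContinue }
$lookalikes | Select-Object FullName, Length, LastWriteTime
foreach ($exe in $lookalikes) {
    if ($PSCmdlet.ShouldProcess($exe.FullName, 'Delete folder-lookalike executable')) {
        Remove-Item -LiteralPath $exe.FullName -Force
    }
}
# Then unhide what the worm hid (the ATTRIB -S -H /S /D step, run from the root).
if ($PSCmdlet.ShouldProcess("$Drive\", 'Clear Hidden/System attributes')) { attrib -s -h "$Drive\*" /s /d }
```

Reading the value with DoNotExpandEnvironmentNames is the point of the first half: a redirected Startup folder under C:\Users\admin\AppData\Local\Start and a legitimate %USERPROFILE% entry can expand to paths that look alike at a glance, so compare the stored string, not the expanded one.  The Usb 2.0 Driver folder the post mentions is not matched by the lookalike test and still has to be deleted by hand.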






Portable Antivirus: Avira PC Cleaner

In yesterday's post I mentioned Avira PC Cleaner.  Here is a guide for those not familiar with this program.


Download the program

Launch avira_pc_cleaner_en.exe


After the download finishes, you'll be greeted with this screen.  You have the option of scanning or copying to a USB device.


Scanning


Copying to USB Device




Now that you have a copy on your USB drive, all you need to do is run Cleaner-launcher.exe, located in the root directory of your USB drive.  It will update first before you can scan.  I regularly update this program just in case I use it on a PC that has no internet connection because of malware.









Thursday, May 2, 2019

Malware Removal 101

It's been a long time since my last post so here goes.

Here is a list of techniques you can use to remove malware.  They range from easy no-brainers to moderately difficult to extremely hard (for the average Joe, and some technicians too).

These are the easiest solutions, though they need some preparation before they work, like downloading the ISO and burning it or making a bootable USB drive.
  • Performing a scheduled Boot Scan (Ex. Avast!)
  • I'll add Hiren's Boot CD.  Unless you have the latest version of an antivirus with the option of updating the AV signatures, you might miss zero-day malware or newer strains by scanning with an outdated AV.  (Note:  I use HBCD ver. 10, so I never use it for scanning.)
  • Scanning the infected HDD as a slave on a clean system with updated antivirus

This one requires that you know where to look for malware.
  • Booting with a live Windows CD/DVD or any Linux distro and manually deleting the malware that starts with Windows.  With Windows, I'd start with the registry (research offline registry editing) and work my way in reverse.  If you don't know your way around the registry, you can use programs like Autoruns.  For Linux, I'd look in the usual places where malware may reside.  The Temp folder is a good place to start.

There are times when malware will not let you boot into Safe Mode.  In cases where you can, try the following:
  • Boot in Safe Mode with Networking so you can update your antivirus prior to scanning.

Last is removing the malware while it is active in memory, in Normal Mode.  The steps are simple.
  • Search and Destroy
    • Search - Using Tasklist, TaskMan or any similar program, look for suspicious running processes, or other suspicious programs that start with Windows
      • Mostly these are processes with gibberish filenames (Ex. sfhkewj.exe)
      • Something that looks like a legit Windows file but in the wrong place (Ex. C:\Windows\System\csrss.exe; the real one lives in C:\Windows\System32)
      • Shortcuts, *.pif or *.vbs/vbe files in the Startup folder
      • Other programs that start from the AppData or Temp folders
    • Destroy - Terminating the running malware processes using TaskMan or a similar app, then deleting the malware plus its other dropped files.
  • Another way to find the malware's file location is to look in the registry.  Here are some of the key locations:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the Shell and Userinit values; anything other than explorer.exe and userinit.exe in there is suspect)
Enumerators or AV tools can also point you to the malware; base your search on their report logs.
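The Search step above is mostly pattern matching, which is exactly what a script does faster and without skipping an entry.  The script below is an added example, not code from the original post.  It walks the three registry locations the post names (plus the 32-bit Run key on 64-bit Windows), the Startup folders and the running processes, and tags each entry with the post's tells.  The script and function names are assumptions, and the gibberish-name test (letters only, seven or more characters, at most one vowel, not a known Windows name) is a crude heuristic of the editor's, not a rule from the post; treat its hits as leads, not verdicts.

```powershell
<#
 Find-SuspiciousAutostart.ps1 - an added example, not code from the original
 post.  It scripts the "Search" half of search-and-destroy: it walks the Run
 keys and the Winlogon values the post names (plus the 32-bit Run key on
 64-bit Windows), the Startup folders and the running processes, and tags
 each entry with the post's tells.  The gibberish-name test is a crude
 assumption (letters only, seven or more, at most one vowel, not a known
 Windows name).  It only reports; terminating and deleting stay manual.
#>
$systemNames = 'csrss','smss','winlogon','services','lsass','svchost','wininit','spoolsv','dllhost','taskhost'
$shell = New-Object -ComObject WScript.Shell

function Get-ImagePath([string]$Command) {
    # Pull the executable out of Run-value data:  "C:\x\y.exe" /arg   or   C:\x\y.exe /arg
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^(.+?\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js))') { return $Matches[1] }
    return $Command
}

function Get-Tells([string]$Path) {
    $tells = @()
    if (-not $Path) { return $tells }
    $name = (($Path -split '\\')[-1] -replace '\.[^.]*$').ToLower()
    # The user's own Startup folder lives under AppData, so it is exempt from this tell.
    if ($Path -match '\\AppData\\|\\Temp\\' -and $Path -notmatch '\\Start Menu\\Programs\\Startup\\') {
        $tells += 'runs from AppData/Temp'
    }
    if ($systemNames -contains $name -and
        $Path -notmatch '^[a-z]:\\Windows\\(System32|SysWOW64)\\[^\\]+$') { $tells += 'Windows filename outside System32' }
    if ($systemNames -notcontains $name -and $name -match '^[a-z]{7,}$' -and
        ($name -replace '[^aeiou]').Length -le 1) { $tells += 'gibberish name' }
    if ($Path -match '\.(pif|vbs|vbe|lnk)$') { $tells += 'script/shortcut launcher' }
    if (-not (Test-Path -LiteralPath $Path -ErrorAction SilentlyContinue)) { $tells += 'file missing (dead or hidden entry)' }
    return $tells
}

function Report($Source, $Name, $Path, [string[]]$Extra = @()) {
    $tells = @($Extra) + @(Get-Tells $Path)
    if ($tells) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Path = $Path; Tells = ($tells -join '; ') }
    }
}

# 1. Run keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $key = Get-Item -LiteralPath $k
    foreach ($n in $key.GetValueNames()) {
        Report $k $n (Get-ImagePath ([string]$key.GetValue($n)))
    }
}

# 2. Winlogon: Shell should be exactly explorer.exe and Userinit exactly
#    C:\Windows\system32\userinit.exe, (the trailing comma is normal).
$wl = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shellVal = [string]$wl.GetValue('Shell'); $userinit = [string]$wl.GetValue('Userinit')
if ($shellVal -ne 'explorer.exe') { Report 'Winlogon' 'Shell' $shellVal 'non-default Shell' }
if ($userinit -notmatch '^[a-z]:\\Windows\\System32\\userinit\.exe,?$') { Report 'Winlogon' 'Userinit' $userinit 'non-default Userinit' }

# 3. Startup folders (this user and all users); shortcuts are resolved to what they launch.
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue) {
        if ($f.Name -eq 'desktop.ini') { continue }
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        Report "Startup ($dir)" $f.Name $target
    }
}

# 4. Running processes (Path is empty for protected processes unless elevated).
foreach ($p in Get-Process) { if ($p.Path) { Report 'Process' "$($p.Name) (PID $($p.Id))" $p.Path } }
```

Run it elevated so process paths and the HKLM keys are readable, and pipe the output to Format-Table -Wrap or Export-Csv.  Every hit still needs a human look: a freshly installed updater in AppData and a dead Run entry left by an uninstaller will show up alongside the real thing, which is why the script reports and the Destroy step stays manual.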

After you have terminated the malware, it's time to do a scan using an updated antivirus/antimalware.

Also scan all external/USB drives.  Unhide all the folders and files in case you were infected with a shortcut worm like Ramnit.

Note:  For other high-risk malware, especially file infectors (Ex. Sality, Virut), always use a dedicated removal tool.


Other tools for malware removal worth mentioning that I still use:
  • File Assassin - Use this to delete stubborn malware files
  • Unlocker - Same function as File Assassin
  • Blitzblank - My go-to tool when File Assassin or Unlocker fail to delete the malware.  You must know beforehand which files and registry items to delete.

