Yesterday at work many of the computers and servers started getting infected with some exe files that also seem to be creating registry keys.
The exe is created on the root of the C drive and then the exe attempts to execute. Luckily, Defense+ prompts me that an unrecognized application is trying to execute and I can block it; however, in some cases I still had a registry key added.
Here are the files I’ve gotten specifically:
chrpeas.exe (also created registry key)
utgjijma.exe (also created registry key)
If I scan the exe files with Comodo it doesn’t detect any threat; but HouseCall is coming back with bkdr_qakbot.kji and tspy_zbot.smku.
I have deleted the exe and registry keys as soon as I discovered them, but more have been appearing. Since I know some of the servers have been compromised, I am currently disconnected from our domain and so far I have not received any more indication of issues.
Since even machines not in active use are being infected, I suspect that the group policy is pushing these files onto our machines; however, not all users are being affected.
If this is coming from the group policy, then there’s not much I can do to stop this; if it’s on my machine, does anyone have any ideas on how to get rid of this problem?
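The post above gives two host-level indicators: an executable dropped directly in the root of the C: drive and a registry key added when it runs. The following PowerShell script is an added triage example, not something posted in this thread or part of any Comodo product; it assumes the indicators are exactly those two (root-of-drive .exe files and Run/RunOnce autostart values pointing at them) and that it is run from an elevated prompt on a suspect machine. It hashes each root-of-drive executable so the value can be looked up on VirusTotal, and groups by hash so that re-dropped copies under random names stand out.

```powershell
# Added example (not from the thread): triage the indicators described above.
# Assumptions: (a) suspect .exe files sit directly in the root of the system
# drive, and (b) persistence is an autostart value pointing at one of them.

$root = $env:SystemDrive + '\'   # usually C:\
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# (a) Executables in the drive root, with SHA256 for VirusTotal lookups
$rootExes = Get-ChildItem -Path $root -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Created = $_.CreationTime
            Size    = $_.Length
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# (b) Autostart values; flag any whose command references a file in the drive root
$autostartEntries = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $cmd = [string]$p.Value
        # True for commands such as C:\name.exe or "C:\name.exe" with no subdirectory
        $inRoot = $cmd -match ('^"?' + [regex]::Escape($root) + '[^\\"]+\.exe"?')
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $cmd
            Suspect = $inRoot
        }
    }
}

"== Executables found in $root =="
$rootExes | Format-Table -AutoSize

"== Autostart entries (Suspect = command points into the drive root) =="
$autostartEntries | Sort-Object Suspect -Descending | Format-Table -AutoSize

# Identical hashes under different file names mean the same payload is being
# re-dropped with random names; one VirusTotal lookup then covers all of them.
"== Duplicate payloads by hash =="
$rootExes | Group-Object SHA256 | Where-Object Count -gt 1 |
    ForEach-Object { "Same SHA256 $($_.Name) for: $($_.Group.Path -join ', ')" }
```

Get-FileHash needs PowerShell 4 or later. The script only reads; it deletes nothing, so the files and registry values stay available as evidence for whoever is cleaning the servers. Run it on a machine that is not in active use as well, since the poster notes idle machines were being hit too.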
Can you please follow the advice I give in How to Know If Your Computer Is Infected and let me know what you find?
Especially important here, or at least I would think, would be what files are not shown as safe under KillSwitch.
Also, if you could PM me samples of whatever files you believe to be malicious I can check them out.
I haven’t had a chance to follow the instructions you sent; however, these files are being identified as malicious by AVG and McAfee on coworkers’ machines.
I uploaded the most recent file to VT and here is the result: VirusTotal
This particular file got less hits than some of the other files (some that were tested were showing 11 antivirus identifications, but I don’t have the links as they were done by co-workers).
I’m not sure how to send you a sample of the files in a PM.
You can upload them to a file sharing site and send me a link to the download through PM.
Our operations team tracked down a rootkit virus on our servers and has shut them off until they can be cleaned. I don’t have any of the exes that were placed on my machine by the servers to send to you. I did scan these exes with Comodo and it did not detect the virus, though other anti-virus/anti-malware software did.
Luckily the Comodo firewall blocked the exes from executing which at least protected me from having my computer compromised.
That’s one of the great strengths of CIS. Even if the antivirus doesn’t detect it you should still be safe.
OK, it looks like the rootkit got back onto one of our servers; I just got two new files in the last half an hour. Neither of these two is picked up by Comodo or Malwarebytes… Yay for Defense+
Thanks for sending me the files. Here’s the VirusTotal report (note that both files had an identical hash):
Looks like it could be ransomware. Make sure everything non-essential is backed up. Also, I would recommend protecting any other computers with CIS configured as I suggest in my guide. Note that the default settings will not protect against all forms of ransomware, but my configuration will.
If you get any more files please send them to me.
If you do need help cleaning an active infection from a computer I’ve also written a guide about How to Clean An Infected Computer.
Please let me know if you have any more questions.
Thanks, as far as I can tell, the files that are getting onto my machine have not been able to execute or get into my system; unfortunately, the IT policy at work is to use McAfee and I doubt they will install Comodo… Right now they are using a combination of McAfee and Microsoft Security Essentials to try and fix the problem and prevent spreading; I’ll continue monitoring computers I have access to for any more instances of virus problems.
Unfortunately, they will be pushing McAfee to all machines so I will have to make sure I can continue to run Comodo in parallel.