Although ID'd as Bamital, I have found a system where this guy was moving around, causing an FBI popup. The system may have multiple issues, but this was the only one I have been able to narrow down.
* SVCHOST creates the FBI screen (runs as user)
* Can bypass by doing control alt delete -> switch user -> do not kill the instance of the malware, it only runs one at a time.
* Creates threads to all SVCHOST instances and writes to SVCHOST process memory
* Appears to use MSHTML from within Svchost, generates files in IE's temp
* Memory analysis shows plenty of strings to different domains; failure to resolve a domain name via DNS also shows up.
* No MBR modifications\Drivers appear to be running
* ~60kb larger than clean version of this file
Detection ratio 5 / 45 - so far nothing will remove it; I'll replace it manually and observe results.
Attachments
infected
(447.98 KiB) Downloaded 77 times
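The three observations in the post that are easiest to turn into a triage check are: an svchost.exe that creates threads in the other svchost instances, an svchost.exe running under an interactive user rather than a service account, and an svchost.exe image roughly 60 KB larger than the clean file. The script below is an added example, not code from the original post; it runs over constructed Sysmon-style records (Event ID 8 CreateRemoteThread and Event ID 1 ProcessCreate, with the field names Sysmon uses, and a made-up baseline size) to flag each of those conditions. The sample PIDs, sizes and events are all constructed for the demonstration.

```python
"""Triage checks for svchost.exe tampering, over constructed Sysmon-style records.

Added example. Events and sizes below are constructed; they are not data from
the original post or from any real host.
"""
from collections import defaultdict

SERVICE_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records.
# PID 1204 behaves like the post describes: it opens threads in every other svchost.
REMOTE_THREAD_EVENTS = [
    {"EventID": 8, "SourceProcessId": 1204, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 820, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceProcessId": 1204, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 904, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8, "SourceProcessId": 1204, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 1036, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # A single remote thread into one svchost from services.exe: below the threshold.
    {"EventID": 8, "SourceProcessId": 612, "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetProcessId": 820, "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # Remote thread into a non-svchost target: ignored by this check.
    {"EventID": 8, "SourceProcessId": 1204, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetProcessId": 2200, "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]

# Constructed Sysmon Event ID 1 (ProcessCreate) records for the svchost instances.
PROCESS_CREATE_EVENTS = [
    {"EventID": 1, "ProcessId": 820, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "ProcessId": 904, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE"},
    # The post notes the FBI-screen svchost "runs as user": flagged here.
    {"EventID": 1, "ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"WORKSTATION\jdoe"},
]


def is_svchost(image):
    """True when the image path ends in svchost.exe (case-insensitive)."""
    return image.lower().endswith("\\svchost.exe")


def find_cross_svchost_injectors(events, min_targets=2):
    """Return {(source_pid, source_image): {target pids}} for sources that create
    remote threads in at least `min_targets` distinct svchost.exe processes."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 8 or not is_svchost(ev["TargetImage"]):
            continue
        if ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue  # a process creating a thread in itself is not injection
        key = (ev["SourceProcessId"], ev["SourceImage"].lower())
        targets[key].add(ev["TargetProcessId"])
    return {k: v for k, v in targets.items() if len(v) >= min_targets}


def svchost_under_user_accounts(events):
    """Return PIDs of svchost.exe instances not running as a service account.
    Legitimate svchost.exe hosts run as SYSTEM, LOCAL SERVICE or NETWORK SERVICE."""
    return sorted(
        ev["ProcessId"] for ev in events
        if ev.get("EventID") == 1 and is_svchost(ev["Image"])
        and ev["User"].lower() not in SERVICE_ACCOUNTS
    )


def image_size_suspicious(observed_bytes, baseline_bytes, tolerance_bytes=1024):
    """True when the on-disk image differs from a known-good baseline by more than
    `tolerance_bytes`. The post reports a ~60 KB growth over the clean file."""
    return abs(observed_bytes - baseline_bytes) > tolerance_bytes


if __name__ == "__main__":
    print("cross-svchost injectors:", find_cross_svchost_injectors(REMOTE_THREAD_EVENTS))
    print("svchost under user accounts:", svchost_under_user_accounts(PROCESS_CREATE_EVENTS))
    # Constructed sizes: a made-up baseline and an observed file 60 KB larger.
    print("image size suspicious:", image_size_suspicious(281_088 + 61_440, 281_088))
```

On a live host the same three checks map onto Sysmon Event IDs 8 and 1 and a hash or size comparison of `%SystemRoot%\System32\svchost.exe` against a known-good copy; a remote thread from services.exe into one svchost is expected, whereas one svchost fanning out into all the others is the pattern the post describes.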