Jump to: [] – [] – []
As of this April 2015, a new malware has emerged, using old tricks in the book. Most antivirus are having trouble spotting it so far. The main process that can be spotted via a quick check in your computer “Task Manager”. See if your [CPU] is running at 98%, or so. Sort the processes by CPU% and check if this entry is running. ***Read all updated info and comments, as this virus seems to morph every few months, but one important fix has, so far prevented most re-infection, changing the default external RDP port.***
How does it work
Part 1 – The malware uses infected computers to its way through poorly secured RDP enabled computers. Once a computer infected, it runs through a list of defined public IP addresses, requesting an RDP session. Once a computer respond, it then proceeds to try guessing the password for a commonly active (and powerful) user A.K.A. default “Administrator“. (For computers and servers on a domain, it seems to get through via the “local” administrator and bypassing the Domain security already set)
***[UPDATE – the malware also has 2x lists of common usernames if the Administrator user fails. & ]
The malware is equipped with a pre-defined , as well as, running a basic random password trial an error script (that could take forever to crack, except when you have multiple computers infected and working at it). Once the password for the Administrator user as been found. Even if a Terminal Server is on a domain, the malware will attempt to go through the “local” Administrator, which can be access using [ \\Administrator ] (the equivalent of PC-NAME\Administrator)
Part 2 – The malware download its install files in [C:\Windows\download] in a .CAB format. The malware then proceed to work on its list of public IP addresses to test, as well as, start a Rogue Bitcoin mining process called [mng_minerd.exe]. [UPDATE: it also creates 2x local Administrators [Updater & ntsec_admin]
Part 3 – If at any time the process is killed and the file deleted, the malware will regenerate itself on the next reboot, or at a “scheduled” time.
How to remove it for good ()
The removal process is pretty straight forward for an experience IT technician, but caution is advised. Contact a professional if you are not familiar with some of the tools or steps describe below.
1- First of all, disabled RDP connection on the computer OR change RDP port setting in your router (and RDP listening port in the computer, if the router lack functionality to “Port Forward” a specific external port to specific internal port)
2- Create a Restore Point (just good habit)
3- In “Task Manager” – kill 2x processes -> mng_minerd.exe AND command.exe
4- Delete the following folder and files: C:\windows\updater.cmd C:\windows\download\*.* C:\windows\mng\*.* C:\windows\victoria\*.* [UPDATE]—->Variant of the malware may include these folders: C:\windows\xmr\*.* C:\windows\ric\*.* C:\windows\ming\*.* C:\windows\tanechka\*.* C:\windows\claymore\*.* C:\Windows\SysWOW64\tmp88.cmd C:\Windows\SysWOW64\SubDir\client.exe
5- Using [Autoruns] from Systernals tools: “uncheck” then delete the entry for “updater.cmd” in the [Scheduled Task] tab 6 – Run (use the “clean” option offered by the Eset tool, reboot computer and check for any files and folders left over to delete)
7(plan A)- Remove the 2x Administrator users via the Control Panel / Active Directory: UPDATER & NTSEC_ADMIN (IMPORTANT, read plan B if malware regenerate after a couple cleaning attempts)
7(plan B)- [UPDATED FIX]…so far The step described above seem to work for the [mng_minerd] version of the malware when caught and cleaned early on. But in some cases, a more aggressive version of the malware seem to regenerate around 11am the next day. One of the common clue, is the mining process in [Task Manager] is named [ric_minerd.exe] or [xmr minerd]
7.1=>Once the basic clean is done but before restarting the computer…
7.2=>Via [Task Manager], insure that all users are logged off and no active process are running via one of the rogue Admin accounts (updater & ntsec_admin)
7.3=>Open the Active Directory and reset the password on the two rogue admin accounts
7.4=>Then, disable RDP rights on each rogue account (double click on user, one of the TAB has the option to be checked off) – also disable RDP rights on any legitimate user that are not for RDP purpose. Ex: copier, fax, etc (any user that may have a function within the network but does not require RDP privileges)
7.5=>Finally, disable the two rogue admin accounts (updater & ntsec_admin), BUT do not remove/delete them! The reason being that the malware tries to regenerate itself using the same name. Leaving the disabled account in place, Windows will not allow to recreate users with the same name, nor can the malware “re-enable” those accounts.
8 – [UPDATE Feb/26/2016] – Some infected computers may have a malware dropper file, as well, named [scclient.exe] in [Windows\System32] folder. (Thanks to Anthony Quaresima that pointed that out in the comments below) In most cases, it is possible to rename the file to something like SSCLIENT_EXE.BAK and move to it a “quarantine” folder of your choice, as a backup. (A variant has shown this files instead-> C:\Windows\SysWOW64\SubDir\client.exe )
We’ve had some issue on one computer, where the file was being used and/or tied in Microsoft Exchange services. (After a restart, we were able to rename and move the file, but further testing will be needed to insure Microsoft Exchange is not affected afterward. Thread CAREFULLY is this specific situation. Verified that you have a solid backup image of your server at that point.)
**Run an SFC /SCANNOW at this point to repair any Windows corruptions.
If anything is missed or overlooked, the malware will most likely resurface around 11am the next day. After 48 hours without any odd process in Task Manager, rogue folder nor files being downloaded, the fix has most likely worked. It would be advisable to review the machine again 2 weeks later, for good measure .
The fix is not perfect yet, for the affected computers (until most Antivirus can see it and clean it automatically), but with the , that hopefully have been implemented, it would be less likely that the same malware would find its way back in, even using a different name or alias.
Alternate removal technique (Thanks to Mick Fagre from TClarkConsulting.com) **can be modified to suit the variant your are dealing with**
Batch file to clean infection folders (C:\Windows\Updater.CMD)
**Still having problems with the virus coming back? shoot me an email at: seb@expressnewmedia.com and I may be able to assist via phone and remote desktop assistance.
How to prevent future attacks of this type
Now some basic steps will help prevent any further attacks of this type.
1- As described in the clean up process, the router (and possibly the computer) RDP port settings should be changed to something different from the “default” port 3389. If you router cannot specifically forward an external port to the internal one in the computer, a registry edit can facilitate the changes. Example: Set the router to Port Forward RDP to computer IP 192.168.1.10:22445 and through RegEdit change the RDP listening port to the same “22445”
2- ***[UPDATED] Create a new Administrator user account via “Control Panel” on home computers. For a server in a Domain environment, make a “Copy” of the current Administrator user in your Active Directory, and use an less common format. Example : company.admin . At last, disable the original default “Administrator” user in the Active Directory (***Caution, disabling the original Domain Administrator user, may break some permission, services and/or settings managed by this user, only proceed if you are very familiar with your Domain/Organization setup)
***ALSO check for any user/username that have RDP privileges, as the malware will attempt to use alternatives from . Any username listed above should be renamed to something more complex ( ex: username.lastname ) Also consider any user in the Active Directory with a function within the network, but does not require RDP privileges. EX: copier, fax, email only users, etc.
***DOMAIN CONTROLLER and TERMINAL SERVER additional notes: In the case of servers, often the computer “local” Administrator user can be overlooked once the Domain Administrator takes over. IF the RDP Policies are not set correctly, the “local” administrator can still be exploited if it had a weak password at the initial setup and/or if it is left active after the Domain Administrator is set in place. To access this user, just use the RDP IP address and enter username like this: [ \\Administrator ] (which is the equivalent of [PC-NAME\Administrator] ), effectively skipping the Domain security check.
All being said, RDP enabled computers even on Domains will need their “local” computer user checked, disabled or renamed, and strong password protected to insure a more complete protection against these type of attacks.
3- As a final step, insure that your new Administrator user has a strong password, at least 12 characters, using Caps, lowercase, numbers and special character. Also check the link above with the stay away from any of those.
That is all for now, I hope this will be helpful to some of you out there. I had a hard time finding anything useful pertaining to this particular malware, prompting me to write this article. Any questions or tweaks suggestion can be submitted via our website .