This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

powershell virus

Dear All,

Virus detect by Symantec that use powershell and spend almost 100% CPU. Nothing detect by Sophos.

I am stop process of powershell and it will back again later.

Anything I can do to clean this virus?

 

Thanks a lot!

 

Chuck

 

 



This thread was automatically locked due to age.
Parents
  • Hi ,

    Powershell related threats are being detected by Sophos as  HPmal/WMIPOW-A, HPmal/HPWMIJS-A, HPmal/mPShl32-A & HPmal/mPShl64-A

    As  mentioned Using Process Explorer, identify which exe is spawning Powershell.exe to see if we are dealing with any new variant of the known/ Unknown threats. You can contact our support for assistance in this regards so that if it is found to be a new variant, we will be able to have the definitions in place.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hi Gowtham,

     

    I have contacted the support for help on this, but support ask me to upload the copy of file to analysis. I confuse what is the file should I upload. So I reply "i have no sample file to upload"

    I use SEC and Virus Removal Tool scan the system but nothing detected. Maybe this is new variant of threats?

    What should I provide to confirm the threat? This is the first time to do this thing, So I need your support.

     

    Thanks again!

     

    Chuck

  • Hello Chuck,

    your original post shows Symantec Protection Detection Results, correct? As you say I use SEC - are both products on the machines in question (if so, how did you do this)? Are you using Symantec (which product exactly) as second opinion scanner or do both real-time/on-access scanning?

    what should I provide
    the screenshot suggests that Symantec has cleaned the "subordinate" threats (apparently not the one that abuses PowerShell - there's likely a hijacked process, perhaps svchost.exe, involved) by deleting them. Thus, naturally, there's no sample to submit. You can likely configure the Symantec scanner so that it doesn't attempt a cleanup/deletion. Dunno if it would then leave the file alone or quarantine it by encrypting it. If the latter if you turn it off (or don't use it) and this should leave the xxxxxxx.0.cs files in the %Temp% directory.

    Christian

  • Hi Christian,

    We have replace Symantec by SEC, but only one Symantec protection can not remove. I try several times and several ways to remove and it did not say goodbye to me. I have not ideas about this one. And it report the virus this time.

    I set a software Restriction Policy in group policy to prevent powershell.exe start, so all computer working good so far.

    I try to find sample file in computer with SES, but I can not find the *.cs and *.dll file. I release some computers from the OU with Software Restriction Policy to see if *.cs and *.dll appear.

     

    Below is the information I can provide so far.

     

    1. this is the same virus detect by McAfee (screenshot from other company), just FYI.

     

    2. The virus contact 20 more IP address (remote port is 80, 14444) and IP address as below,

    195.22.127.93
    195.22.129.157
    93.174.93.73
    79.137.82.5
    213.32.29.143
    5.196.13.29
    198.251.88.21
    51.255.34.118
    5.196.23.240
    151.80.144.253
    164.132.109.110
    92.222.180.119
    217.182.169.148
    51.15.54.102
    78.46.91.134
    172.104.165.191
    139.99.102.71
    103.3.62.64
    139.99.102.72
    139.99.102.73
    139.99.102.74
    139.99.102.70
    46.105.103.169
    37.59.56.102
    45.32.71.82
    139.99.101.198
    139.99.101.197
    149.202.42.174

     

    So, Thanks for your help. I will keep update.

    Best regards,

    Chuck

     

     

  • Hello Chuck,

    I release some computers
    yes, you have to "sacrifice" one. It's not clear what the Trojan is up to but a number of these addresses is not absolutely clean according to VirusTotal.

    Many vendors use their own nomenclature, there's no general mapping of names so unfortunately another vendor's detection doesn't help much. And naturally it's impossible to say why some, apart from the fact another vendor detects it as somethreat, unknown thing is not detected.
    Do you have Malicious Traffic Detection enabled in the AV policy?

    Christian

  • Hi ChuckYu,

    Support would be interested in analyzing the file that could be causing the High CPU usage in the clients. I have left a note to the Support engineer to extend his assistance in finding the suspicious file/script could be using PowerShell. We can use windows Sysinternals tools to find it. For a start, I would suggest you check the Scheduled task for any unknown/ suspicious task.

    Process Monitor can also help you in capturing the events details. 

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

Reply
  • Hi ChuckYu,

    Support would be interested in analyzing the file that could be causing the High CPU usage in the clients. I have left a note to the Support engineer to extend his assistance in finding the suspicious file/script could be using PowerShell. We can use windows Sysinternals tools to find it. For a start, I would suggest you check the Scheduled task for any unknown/ suspicious task.

    Process Monitor can also help you in capturing the events details. 

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

Children
  • Hi Gowtham,

     

    Sorry for reply late, I still cannot get the sample of virus these days.

    I use the Process Monitor to capture log of powershell but I cannot understood the file.

    Maybe this log file can help on this case.

     

    Thanks a lot!

    Chuckpowershell.zip

  • Hello Chuck,

    you've filtered for just the Powershell process, haven't you? As far as I can see it receives about 250 bytes over the HTTP connection to  ns320600.ip-37-187-154.eu but it does neither write to a file nor set a registry key/value. You say there are now no .cs files to be found in C:\Windows\Temp\?

    As the process runs as SYSTEM it's likely started a boot up - Autoruns should help to find how it's started and what is involved, likely a file that lurks somewhere.

    Christian