Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 4 subscribers
  • Views 9161 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

NetworkDistribution Virus or ShadowBroker Issue

Mohammad Shahjahan

NetworkDistribution Virus has effected our network in location of "C:\Windows\NetworkDistribution\". The fact is sophos endpoint can clean those virus in given location. But after restart computer it show's again. When we re-setup computer and deploy sophos end point it solves the problem. But We have almost 1000 computers are still affected by that virus.
I think it was attacked by shadowbroker (https://github.com/misterch0c/shadowbroker).

Do you have any solution to recover that solution. I have tried (https://www.trendmicro.ae/vinfo/nz/threat-encyclopedia/malware/trojan.win32.vools.ag) that one but i failed.

Please we need your help.



This thread was automatically locked due to age.
  • 0

    Hello Mohammad Shahjahan,

    How to Remove Malware would probably be the better forum ( might monitor Malware but not this one). 

    sophos endpoint can clean those virus
    so you have at least one detection - what's its name? Did it automatically clean up or did you request the cleanup with either the console or the local Quarantine Manager? Did you also run an on-demand scan (Full system scan... from the console, a scheduled scan, ...)? Please note that catchy names aren't necessarily a useful description of the actual incident, so please as many details as possible.

    almost 1000 computers are still affected
    Looking at Trend Micro's description: dropped by other malware or as a file downloaded unknowingly. Not very likely (but not improbable) that almost 1000 users visit the same compromised site, it seems that it has spread on your network (and might still do so). How many endpoints do you have in total?
    after restart computer it show's again
    There might be an undetected component, another endpoint might re-infect it, or the computer might access some compromised location.
    any solution
    As said, just a catchy name rarely describes the nature and extent of the infection. Often you face not a single application but a framework that can use different components and mechanisms and serves various "purposes". If yet undetected components are involved there's no out-of-the-box solution. So you have to assess what is going on.

    re-setup [...] solves the problem
    so, once reimaged an endpoint is not reinfected? This would indicate there's no (longer a) component that actively spreads. That'd be a start. AutoRuns might help to find the persistent piece(s). Can't tell what you might find, if you do find something submit a sample.

    Christian     

  • 0

    Hello...

    I have the same problem. Has you any solution ?

    Thank you.

  • 0

    Hi Mohammad, 

    I'm pretty sure your network is infected with a Coin Miner which is spreading using the EternalBlue exploit. 

    Patch - https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

    You should isolate systems and start installing the latest Microsoft Security patches on the machines. Followed by full system scans to ensure the malware is removed from the machines.

    You could use SVRT or SBAV to clean systems before moving them back to the network - https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

    Thanks,

    Vikas

Unfiltered HTML