
powershell virus

Dear All,

A virus detected by Symantec uses PowerShell and takes almost 100% CPU. Nothing is detected by Sophos.

I stop the PowerShell process and it comes back again later.

Is there anything I can do to clean this virus?

Thanks a lot!

Chuck
  • Hi,

    PowerShell-related threats are detected by Sophos as HPmal/WMIPOW-A, HPmal/HPWMIJS-A, HPmal/mPShl32-A & HPmal/mPShl64-A.

    As mentioned, using Process Explorer, identify which exe is spawning Powershell.exe to see if we are dealing with a new variant of the known/unknown threats. You can contact our support for assistance in this regard so that, if it is found to be a new variant, we will be able to have the definitions in place.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hi Gowtham,

    I have contacted support for help on this, but support asked me to upload a copy of the file for analysis. I was confused about which file I should upload, so I replied "I have no sample file to upload".

    I used SEC and the Virus Removal Tool to scan the system but nothing was detected. Maybe this is a new variant of the threat?

    What should I provide to confirm the threat? This is the first time I have done this, so I need your support.

    Thanks again!

    Chuck

  • Hello Chuck,

    your original post shows Symantec Protection Detection Results, correct? As you say "I use SEC" - are both products on the machines in question (if so, how did you do this)? Are you using Symantec (which product exactly) as a second-opinion scanner, or do both do real-time/on-access scanning?

    what should I provide
    the screenshot suggests that Symantec has cleaned the "subordinate" threats (apparently not the one that abuses PowerShell - there's likely a hijacked process, perhaps svchost.exe, involved) by deleting them. Thus, naturally, there's no sample to submit. You can likely configure the Symantec scanner so that it doesn't attempt a cleanup/deletion. Dunno if it would then leave the file alone or quarantine it by encrypting it. If the latter, turning it off (or not using it) should leave the xxxxxxx.0.cs files in the %Temp% directory.

    Christian

  • Hi Christian,

    We have replaced Symantec with SEC, but one Symantec protection cannot be removed. I tried several times and several ways to remove it and it did not say goodbye to me. I have no idea about this one. And it reported the virus this time.

    I set a Software Restriction Policy in Group Policy to prevent powershell.exe from starting, so all computers are working well so far.

    I tried to find the sample file on a computer with SES, but I cannot find the *.cs and *.dll files. I released some computers from the OU with the Software Restriction Policy to see if *.cs and *.dll appear.

    Below is the information I can provide so far.

    1. This is the same virus detected by McAfee (screenshot from another company), just FYI.

    2. The virus contacts 20 or more IP addresses (remote ports 80 and 14444); the IP addresses are as below:


    So, thanks for your help. I will keep you updated.

    Best regards,

    Chuck

  • Hello Chuck,

    I release some computers
    yes, you have to "sacrifice" one. It's not clear what the Trojan is up to, but a number of these addresses are not absolutely clean according to VirusTotal.

    Many vendors use their own nomenclature; there's no general mapping of names, so unfortunately another vendor's detection doesn't help much. And naturally it's impossible to say why some unknown thing, apart from the fact that another vendor detects it as somethreat, is not detected.
    Do you have Malicious Traffic Detection enabled in the AV policy?

    Christian

  • Hi ChuckYu,

    Support would be interested in analyzing the file that could be causing the high CPU usage on the clients. I have left a note for the Support engineer to extend his assistance in finding the suspicious file/script that could be using PowerShell. We can use Windows Sysinternals tools to find it. For a start, I would suggest you check the Scheduled Tasks for any unknown/suspicious task.

    Process Monitor can also help you in capturing the event details.

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support


  • Hi Gowtham,

    Sorry for the late reply; I still cannot get a sample of the virus these days.

    I used Process Monitor to capture a log of PowerShell, but I cannot understand the file.

    Maybe this log file can help with this case.

    Thanks a lot!

    Chuck

    Attachment: powershell.zip

  • Hello Chuck,

    you've filtered for just the Powershell process, haven't you? As far as I can see it receives about 250 bytes over the HTTP connection to ns320600.ip-37-187-154.eu, but it neither writes to a file nor sets a registry key/value. You say there are now no .cs files to be found in C:\Windows\Temp\?

    As the process runs as SYSTEM it's likely started at boot up - Autoruns should help to find how it's started and what is involved, likely a file that lurks somewhere.

    Christian
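The triage steps suggested in this thread (find which process spawns powershell.exe, check Scheduled Tasks, check autostart locations such as WMI subscriptions) can be run from a script. This is an added example, not code from the thread or from Sophos; it assumes Windows PowerShell 5.1 or later in an elevated prompt on Windows 8/Server 2012 or newer, and the function names are mine.

```powershell
# Added triage script, not from the thread. Assumes Windows PowerShell 5.1 or later
# run from an elevated prompt; function names are mine.

function Find-PowerShellSpawner {
    # Each running powershell.exe with its owner, parent process and command line
    # (the same view Process Explorer gives interactively).
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[$p.ProcessId] = $p }
    $all | Where-Object { $_.Name -ieq 'powershell.exe' } | ForEach-Object {
        $parent = $byId[$_.ParentProcessId]
        $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Owner       = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
            ParentPid   = $_.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<already exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
            CommandLine = $_.CommandLine
        }
    }
}

function Find-PowerShellTasks {
    # Scheduled tasks whose action runs PowerShell, an encoded command or Base64 decoding.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'powershell|pwsh|-enc|frombase64') {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    State   = $task.State
                    RunAs   = $task.Principal.UserId
                    Command = $cmd
                }
            }
        }
    }
}

function Find-WmiConsumers {
    # Permanent WMI event subscriptions, a fileless way to start PowerShell that Autoruns also lists.
    Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer |
        Select-Object Name, CommandLineTemplate
}

Find-PowerShellSpawner | Format-List
Find-PowerShellTasks   | Format-Table -AutoSize -Wrap
Find-WmiConsumers      | Format-Table -AutoSize -Wrap
```

Run it on a machine released from the Software Restriction Policy while the process is active; a SYSTEM-owned powershell.exe whose parent is svchost.exe, taskeng.exe or WmiPrvSE.exe points at a task or WMI subscription, and the matching entry is what support would want exported.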
