Malware/Ransomware Detection (or, not)

Bismuth (Expert Member, joined Jun 22, 2007, location: Magnetic North)
I recently downloaded a torrent (yeah, naughty pirate, yarr), and the file purporting to be an mkv file was actually a link that executed the installation of what I presume is malware/ransomware. It loads a file called peckinpah.exe into your memory, as well as into your Startup, so that it loads each time with Windows. I shut the process down, and don't see any perceivable damage so far.

I found the .exe hidden in a folder in ProgramData, and scanned it, but it came away clean according to Malwarebytes. It also installs a system file in another folder (can't remember which now) which I have also removed manually. I did also run a full system scan, with no detection. Note that I am using the free version.

I have the original downloaded file sitting in my recycle bin for now; I can send it to you for further analysis if anyone likes.

Have also raised a support ticket with Malwarebytes, as their program missed this malware/ransomware, or whatever it is.

B
 
AFAIK, the reason why ransomware is often not detected by conventional antivirus scanners is that they don't do anything particularly noteworthy from a virus point of view - i.e. they just encrypt files, which is something you'd possibly want legitimate software to do. So all the ransomware thugs have to do is recompile stock code into a new .exe and the signature won't be updated for a few days until the AV vendors get hold of it.

Which is why you need an AV that also monitors rapid bulk file system changes and preferably automatically caches the old versions before it kicks in and stops the process.
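The bulk-change heuristic described in the post above, worked through as an added example (this is not code from the thread or from any AV product): a monitor that watches write events per process, flags writes that turn low-entropy content into high-entropy content (ciphertext), blocks the process once it has done that to too many files inside a short window, and keeps the pre-write copy of every file it allowed through so those files can be restored. The event stream, the three simulated processes, and the thresholds (20 files in 5 seconds, 7.0 bits per byte) are all constructed for the demonstration; a real product gets the same events from a file-system filter driver and keeps the old versions on disk rather than in memory.

```python
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float      # seconds since start of the trace (constructed)
    pid: int       # process doing the write
    path: str
    before: bytes  # file content before the write (what a filter driver can snapshot)
    after: bytes   # content the process is trying to write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8.0, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareMonitor:
    """Rate-of-encryption detector with a per-process cache of original file contents."""

    def __init__(self, window_s=5.0, max_suspicious=20, entropy_threshold=7.0):
        self.window_s = window_s
        self.max_suspicious = max_suspicious
        self.entropy_threshold = entropy_threshold
        self.suspicious_ts = defaultdict(deque)  # pid -> timestamps of entropy-jump writes
        self.originals = defaultdict(dict)       # pid -> {path: pre-write content}
        self.blocked = set()

    def _is_entropy_jump(self, ev: WriteEvent) -> bool:
        # Low-entropy (or empty/new) content being replaced by ciphertext-like content.
        return (shannon_entropy(ev.before) < self.entropy_threshold
                and shannon_entropy(ev.after) >= self.entropy_threshold)

    def observe(self, ev: WriteEvent) -> str:
        """Decide 'allow' or 'block' for one write; blocked processes stay blocked."""
        if ev.pid in self.blocked:
            return "block"
        if self._is_entropy_jump(ev):
            q = self.suspicious_ts[ev.pid]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window_s:   # slide the window
                q.popleft()
            if len(q) >= self.max_suspicious:
                self.blocked.add(ev.pid)
                return "block"
        # Write goes through: remember the original so it can be rolled back later.
        self.originals[ev.pid].setdefault(ev.path, ev.before)
        return "allow"

    def rollback(self, pid: int) -> dict:
        """Return {path: original content} for every file this process was allowed to change."""
        return dict(self.originals.get(pid, {}))


def fake_ciphertext(seed: int, n: int = 512) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def run_demo(max_suspicious: int = 20):
    """Replay a constructed trace: a backup tool, an archiver, and a ransomware-like burst."""
    monitor = RansomwareMonitor(max_suspicious=max_suspicious)
    decisions = defaultdict(list)
    text = b"Quarterly report: revenue up 4%, costs flat. " * 12
    events = []
    # pid 100: backup tool rewriting three plain-text files (benign, no entropy jump)
    for i in range(3):
        events.append(WriteEvent(0.1 * i, 100, f"docs/notes{i}.txt", text, text + b"\nrev 2"))
    # pid 300: archiver writing one encrypted zip (benign: a single high-entropy write)
    events.append(WriteEvent(0.5, 300, "docs/archive.zip", b"", fake_ciphertext(1)))
    # pid 200: 25 documents overwritten with ciphertext in 2.5 seconds
    for i in range(25):
        events.append(WriteEvent(1.0 + 0.1 * i, 200, f"docs/report{i}.docx", text, fake_ciphertext(100 + i)))
    for ev in sorted(events, key=lambda e: e.ts):
        decisions[ev.pid].append(monitor.observe(ev))
    return monitor, dict(decisions)


if __name__ == "__main__":
    m, d = run_demo()
    for pid, verdicts in d.items():
        print(pid, "BLOCKED" if pid in m.blocked else "ok", verdicts.count("allow"), "allowed,", verdicts.count("block"), "blocked")
    print("files restorable for pid 200:", len(m.rollback(200)))
```

The archiver is the case the post calls out: encrypting one file is legitimate, so entropy alone is not a verdict and the rate element does the work. Because an empty "before" has zero entropy, ransomware that writes a new encrypted copy and then deletes the original trips the same check. The cost of the heuristic is that the first 19 writes in this trace were allowed, which is exactly why the cached originals matter.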
 
Alrighty, what are your recommendations here, if what I currently have is not sufficient? Paid is fine.

Upload file to https://www.virustotal.com/ and see if they have any record of it.

This is the result when I upload the .mkv file:


I no longer have the .exe and sys file that was created, as I deleted them 'permanently'. The .mkv links to the 'cmd.exe' file in 'system32', I presume to execute the installation of the payload/files.

I have a Windows 7 setup in VBox, usually for scambaiting, but I can also use it as a virus testbed here as well, after cloning the machine. That is, if this would execute in Win7.

B
 
Personally, I use a script to remove known bad file types from downloads, like .lnk.
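A worked version of that download-cleaning idea, added here as an example (not the poster's script, and not code from the thread): it identifies shortcut files by content rather than by name, which matters because Explorer never displays the .lnk extension, so a file named Some.Movie.mkv.lnk shows up as Some.Movie.mkv even with "hide extensions" turned off. That is the pattern in the original post, where the supposed mkv pointed at cmd.exe in system32. The parser reads the Shell Link header and string fields (relative path, arguments) that the MS-SHLLINK format defines, flags shortcuts that hide behind a media or document extension or that launch a shell or script host, and moves them to a quarantine folder under a neutral name instead of deleting them, so the SHA-256 is still available to look up on VirusTotal. The sample shortcut, the list of decoy extensions and the list of suspect targets are all constructed for the demonstration.

```python
import hashlib
import shutil
import struct
import tempfile
from pathlib import Path

# ShellLinkHeader starts with HeaderSize 0x4C and the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7

# Constructed lists: hosts a "video" never needs, and extensions used as decoys in front of .lnk
SUSPECT_TARGETS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe")
DECOY_EXTENSIONS = {".mkv", ".mp4", ".avi", ".mov", ".mp3", ".pdf", ".doc", ".docx",
                    ".jpg", ".png", ".txt"}


def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields of a .lnk (name, relative path, working dir, arguments, icon)."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                        # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:             # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no NUL terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += count * width
        fields[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
    return fields


def assess(filename: str, data: bytes) -> dict:
    """Classify one downloaded file by its content, not by the extension Explorer shows."""
    verdict = {"file": filename, "sha256": hashlib.sha256(data).hexdigest(),
               "is_lnk": data.startswith(LNK_MAGIC), "reasons": []}
    if not verdict["is_lnk"]:
        return verdict
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if not suffixes or suffixes[-1] != ".lnk":
        verdict["reasons"].append("shortcut content without a .lnk extension")
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
        verdict["reasons"].append(f"decoy extension {suffixes[-2]} in front of hidden .lnk")
    try:
        fields = parse_lnk(data)
    except ValueError as exc:
        verdict["reasons"].append(f"malformed shortcut: {exc}")
        return verdict
    verdict.update(fields)
    target_text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hits = [t for t in SUSPECT_TARGETS if t in target_text]
    if hits:
        verdict["reasons"].append("shortcut launches " + ", ".join(hits))
    return verdict


def scan_and_quarantine(download_dir: Path, quarantine_dir: Path) -> list:
    """Assess every file; move flagged ones aside under a name a double-click cannot launch."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    findings = []
    for p in sorted(download_dir.iterdir()):
        if not p.is_file():
            continue
        verdict = assess(p.name, p.read_bytes())
        if verdict["reasons"]:
            dest = quarantine_dir / (p.name + ".quarantined")
            shutil.move(str(p), str(dest))
            verdict["quarantined_as"] = str(dest)
            findings.append(verdict)
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode shortcut as a constructed test fixture (no IDList or LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (76 - 24)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        downloads, quarantine = Path(tmp) / "Downloads", Path(tmp) / "Quarantine"
        downloads.mkdir()
        # constructed fixtures: a decoy "video" shortcut to cmd.exe and a harmless text file
        (downloads / "Some.Movie.2017.1080p.mkv.lnk").write_bytes(
            build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "/c echo constructed-sample"))
        (downloads / "readme.txt").write_bytes(b"plain text, nothing to see")
        for f in scan_and_quarantine(downloads, quarantine):
            print(f["file"], f["sha256"][:16], f["reasons"], f.get("arguments"))
```

Two caveats for anyone adapting it: the string fields are read from the file, so a shortcut whose target lives only in the IDList (no RelativePath) will be flagged on the decoy-extension check but not on the target check, and the parser deliberately stops before the ExtraData blocks. Quarantining rather than deleting is the point of the exercise: the original poster could not upload the .exe or the .sys for analysis because they had already been removed permanently.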
 
I suppose there is a problem with your system, try using an optimization software. It will delete all unnecessary files and these pop-ups won't appear again. I had the same issue so I know what I am talking about. Personally, I'm using CCleaner because it's functional. If you want to find another cleaner check this article: https://thinkmobiles.com/blog/best-registry-cleaner-tools/ There you can find a lot of variants so you will be able to find something suitable for sure.
 