Possible virus exe, but no history in MSE

antef

Senior member
Dec 29, 2010
Hello,

I ran a potentially malicious exe and the file just deleted itself and nothing else happened. MSE reported the file clean before running it and there is nothing in MSE's history or quarantine. If the file was malicious I'd like to think that MSE just silently killed it but I'm not sure that could happen without there being history, so my concern is the exe deleted itself.

Would MSE ever kill something without a record of it? Should I just do a full MSE scan to be sure? Thanks.

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
MSE would alert you if it had taken action. The fact that it didn't means it doesn't recognize malware in the file, but it doesn't mean the file is clean. The detection rate of "fresh" malware isn't very high. In my experience, it's generally below a 50% detection rate by any given antivirus for a sample I just harvested.

If you happen to have a version of Windows that has Shadow Copy, like Win7 Professional or Ultimate, you might be able to restore the vanished file if you'd had it for a while, then upload it to VirusTotal.com to see if any of the 40+ antiviruses recognize it. To use Shadow Copy, use Windows Explorer (not Libraries) to view the folder where the file was. Right-click in the window and choose Properties, then go to the Previous Versions tab and see if the file's listed there.

The self-deletion behavior would certainly raise massive red flags. At this point, I'd make bootable Avira and Kaspersky rescue discs, boot the system from them, and run exhaustive offline scans as a starting point.

antef

Senior member
Dec 29, 2010
Thank you for the help. I suspected what you said as well. I did a full (online) system scan with MSE quickly earlier and it didn't find anything.

I was able to recover the file. It was 38 MB, so too big to upload to VirusTotal, so I tried to compress it with WinRAR. It compressed to 107 KB. This is also a red flag... the original exe was probably padded to look legit but had small actual contents. I uploaded that small RAR to VirusTotal and it came back with 0 detections.

At this point I am very worried. My system is behaving normally. I don't have an optical drive in this system - are the rescue discs necessary? Or can I just scan in safe mode? Is there a freely available scanner you recommend instead of using MSE?
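A quick way to quantify the "38 MB shrinks to 107 KB" red flag, as an added Python helper that is not code from this thread: it measures a blob's DEFLATE compression ratio and the length of the single-byte run at its tail, run here on constructed sample blobs (the 0.05 ratio and 50% run thresholds are assumptions, not values from the thread).

```python
"""Compressibility check for a suspect executable.

A file that collapses from tens of MB to a few hundred KB in an archiver is
almost entirely filler. This helper measures that with zlib (DEFLATE) and
also reports how many identical bytes sit at the end of the file, which is
where a zero-byte pad typically lands.
"""
import os
import zlib


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size (near 0.0 = mostly filler)."""
    return len(zlib.compress(data, 6)) / max(len(data), 1)


def trailing_run_length(data: bytes) -> int:
    """Number of identical bytes at the tail, e.g. a block of 0x00 padding."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))


def padding_report(data: bytes, ratio_threshold: float = 0.05,
                   run_fraction: float = 0.5) -> dict:
    """Flag the blob when it is tiny after compression or mostly one trailing byte."""
    size = max(len(data), 1)
    ratio = compression_ratio(data)
    tail = trailing_run_length(data)
    return {
        "size": len(data),
        "compressed_ratio": round(ratio, 4),
        "trailing_run": tail,
        "suspicious": ratio < ratio_threshold or tail / size > run_fraction,
    }


def padding_report_for_path(path: str) -> dict:
    """Same check against a file on disk (the recovered exe, for instance)."""
    with open(path, "rb") as fh:
        return padding_report(fh.read())


# Constructed samples (not files from the thread): a 64 KB random "payload"
# followed by 4 MB of zero padding, versus 1 MB of random bytes throughout.
PADDED_SAMPLE = os.urandom(64 * 1024) + b"\x00" * (4 * 1024 * 1024)
DENSE_SAMPLE = os.urandom(1024 * 1024)

if __name__ == "__main__":
    for name, blob in (("padded", PADDED_SAMPLE), ("dense", DENSE_SAMPLE)):
        print(name, padding_report(blob))
```

For a real file, `padding_report_for_path("suspect.exe")` applies the same two measures; a packed or encrypted dropper can still hide inside the non-filler part, so a low ratio is a reason to submit the file, not proof of anything by itself.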

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
The idea behind the bootable scanning disc is that malware can't be actively fighting back to hide itself. You could make a flash drive into a bootable Kaspersky disc; here's how: http://support.kaspersky.com/faq/?qid=208286083

Alternately, you could start with the Kaspersky virus-removal tool: http://support.kaspersky.com/viruses/avptool2011?level=2

In either case, you might as well max out the options:
[Image: Kaspersky_tool_maximum.jpg]


And check the "scope" of the scan to make sure it's looking at everything: drives, memory, etc.

If it's any comfort, I've seen malware samples self-delete without doing anything else, such as when run in a virtual machine where they suspect you're investigating what their malware is designed to do. But I've also seen time-bomb malware that will lie dormant... turn the system's clock forward a day, and BLAMO.

antef

Senior member
Dec 29, 2010
Thank you mechBgon for the quick reply - you have always been a reliable source here for security questions. As a precaution I went to another computer and changed the couple passwords that I used tonight on the machine, just in case it was being keylogged, and I took the computer offline. Tomorrow I will try to make the bootable Kaspersky drive and do a scan. If it finds nothing, should I leave it at that? Or be totally paranoid and format my system anyway?

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Hmmm, well if it were me, I'd lean towards a secure erase of the SSD and reinstallation of everything from scratch, because I'd rather do that than have nagging doubts and uncertainty. But that's easy for me to say, I don't have a ton of software to reinstall and reconfigure... Office, some games, a video editor, photo editor.

I guess just weigh your worst-case scenario. If you have valuable stuff at risk, whether it's your PayPal/Ebay/bank/CC or your WoW account, that's different from the bad guys getting hold of your vacation photos.

antef

Senior member
Dec 29, 2010
Thanks... I will scan with Kaspersky just because I'm curious, but I'll probably still end up formatting and reinstalling. The problem is even if Kaspersky shows clean, I still don't trust that nothing at all happened. Maybe it deleted itself and nothing further occurred, but I can't be sure. I too don't have much to configure... I can just throw the Win8 RP on it.

It doesn't look like Crucial has an official secure erase tool... is there one in particular you recommend, and is just a full format during Windows install definitely not as secure?

Also, are there any retroactive ways of seeing IP addresses Windows sent data to recently? Just to see if anything fishy happened last night. I'm guessing there isn't, but figured I'd ask.

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Some routers and/or modems have a rolling log of the last-used domains/IP addresses used. It's generally a case of Too Much Information, though, since one browsing session would probably result in a boatload of domains that serve advertisements on your usual sites, and so forth.

If you wanted to monitor your system's network traffic, there's Microsoft Network Monitor 3.4, a freebie. It generates scary amounts of information :D If you try it, do a display filter for DNS or HTTP to cut it down to domain-name resolution requests and HTTP traffic, and it gets a bit easier to deal with. But other protocols could also be used; I've seen malware use BITS, normally used by stuff like Windows Update.

I didn't realize Crucial doesn't have a secure-erase tool, but it looks like you're right. On a traditional HDD, I'd use DBAN from http://dban.sourceforge.net. I've never tried it on an SSD yet, and given the way SSDs work, it probably doesn't work as intended on them because the SSD controller doesn't map the "outside" to the "inside" in a static fashion like a HDD does; it needs to do wear-levelling by moving stuff around. It runs from a CD anyway, so that's not an option for your system right now. The overall goal is to ensure there's no bootkit lurking underneath what you think was a clean format, and I think you can be fairly confident after the Kaspersky scans with the rootkit detection maxed out.

antef

Senior member
Dec 29, 2010
So I did a number of scans over the past couple days. I ran Kaspersky's TDSSKiller as well as Malwarebytes quick scan. I did a full scan with Avira's rescue system but was not able to get it to connect for updates ahead of time, and I also ran Kaspersky's rescue disk, fully updated, with high heuristics for boot sectors and medium heuristics for everything else (I know that high heuristic scans can take an insane amount of time). Nothing turned up any results.

So at this point I felt okay, but I still know the file was fishy (two red flags being it deleted itself and it compressed from 38 MB to 107 KB with WinRAR), so I still wanted to take some action. I was prepared to install Win8 Release Preview, until I remembered I set up Win7 to do system image backups every Sunday to my external drive. This issue occurred on Thursday, so I simply did a restore to my image from 7/15.

I know viruses can lurk in System Restore files, but it sounds much more difficult or impossible for them to do that with a system recovery image, since it's essentially a binary blob and is on external storage. Even if a virus was left behind on untouched SSD space, that should no longer be recognized by the OS and should be marked empty and hopefully erased after a TRIM pass. Do you feel this is a safe enough option?

I also have a secondary HDD for data storage and game installs. The exe was originally on that drive and I didn't wipe it, but I did delete the file before doing the system image restore. I suppose something could be lurking among my game installs or documents but that also sounds unlikely.

Please let me know your thoughts or if you recommend any further actions. Thanks again for the assistance.

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
The restoration of the previous image sounds like a good step. Malware files that are simply sitting in storage aren't inherently harmful; I used to have about 10GB of them.

A possible shortcoming is that a classic virus can infect otherwise-clean files you already have. So if it were the case that none of these scans recognize the malware now, you could still have infected files that will not be detected until either heuristics or signatures recognize them. And that could be a while! Consider Stuxnet and Flame, which went years before being nailed, even though antivirus vendors actually HAD SAMPLES.

One of the possible culprits that sprang to mind in your case is ZeroAccess bootkit, which cleverly subverts the system's boot records. Here's some info on it: http://nakedsecurity.sophos.com/zeroaccess2/ Among other things, it can pose as a keygen or other enticing loot. And you guessed it, it self-deletes the initial executable.

This is why I was more focused on maximum-strength rootkit scans, or else a secure erase of the SSD. Take the cloaking device offline first, then see what you've got.

antef

Senior member
Dec 29, 2010
Yeah, I was concerned about the infection of files on my data drive. I could have immediately wiped those on Thursday night and restored my backup data, but at this point further backups have occurred, so I just have to hope it's fine. Same with the game installs - I've uninstalled them now and wiped their directories just to be safe.

I read your link about ZeroAccess; I could be wrong, but it looked like they were saying that it only behaves as a rootkit on 32-bit systems. Other than that it seems to be a general delivery system for further malware. TDSSKiller came back clean; hopefully this wasn't something that's currently undetectable.