Author Topic: New Virus or ?? (Read 13102 times)

questorfla · « **on:** May 05, 2015, 05:46 PM »

I thought I would post this to see if anyone has run across anything similar. One of the people here started getting odd emails a few days ago that were of a type she would never expect. The wording was pretty "graphic" and appeared to be requesting a reply. All of our systems have up to date AVAST as well as Malwarebytes. These emails had no attachments and my advice was to "delete with SHIFT+" for a Permanent removal.

This began 2 or 3 days ago. Today, her system restarted itself and came up with a new "Theme" called Creepy Cobwebs with a Spider in the middle of the page, Odd to say the least and not what she had by any means. Worst of all though was that as soon as that happened a "Progression Bar" appeared on the screen saying the % of files deleted and it was steadily moving across the screen. By the time she got it to me (only a few minutes) the bar was moving at a very fast pace and all of her desktop icons had already been deleted. I immediately pressed the power and rebooted.

The bar came back up pretty quick and continued to delete files (or so it said). Whatever it is, it apparently did delete quite a lot. It also deleted "Some" but not ALL of her software. I am not sure why some were spared and others were not. AVAST still scans but says the system is clean.

Malwarebytes is complete Gone from the system now. No folder or any trace it has ever been there.

I have seen many Viruses in my day, some worse than others. But this was pretty absolute in its destruction as everything is gone. Not encrypted and locked up but completely gone. The system is almost down to "Bare Bones Start". Several other programs which were installed and in use are also completely gone with no trace. This happened with no warning and the display of the progress bar as files and folders are being deleted certainly enhanced the Fear Factor.

If this sounds even a little familiar it would be nice to know where to start looking before it hits someone else here. There are a few others who have gotten similar emails but who have not yet been affected to this extent.

I figured someone here may have seen or heard of something like it. I was only able to find references to a virus called "Goner" and "Goner-A" but some of this was years old. Some was from news articles published today. At this point, I do not even have a clue if this is the same or similar.

x16wda · « **Reply #1 on:** May 05, 2015, 07:38 PM »

Well, Creepy Cobwebs is a Halloween theme for Win 7 and up. Sounds like the theme picture in the middle of the list.

Do you know for sure if the files are deleted as opposed to hidden?

SeraphimLabs · « **Reply #2 on:** May 05, 2015, 08:57 PM »

Quarantine the offending system- disconnect it from any and all networks. Do not put any writeable media in it, any incoming tools must be brought in using finalized CDRs so that whatever it is cannot spread.

Is there anything worth noting in the Windows event logs?

Does it still run the malware when started in safe mode?

Also have you tried booting from a Linux LiveCD and looking at the filesystem to verify it the data is actually gone. At this point I would be hesitant to copy data off of the machine until you know what you are dealing with, but important info can at least be retyped into another system.

It does sound like some type of virus, quite possibly a ransomware that then retaliates like this if not paid off.

questorfla · « **Reply #3 on:** May 05, 2015, 09:06 PM »

SSince it is not my system, i cannot say. I CAN say that I saw it happening as I watched. The progress bar was displaying percentage of files deleted and it was moving pretty fast before I Force-shut down the laptop. Waited a while and restarted. That was when she told me that was NOT her normal desktop. There is no new user created. I gave it back to her and told her to let me know when she found out if anything was really gone. Before she could turn away, the "Deleting Files" bare came back up and quickly reached 100% before we could do much.
Her desktop has nothing now but the System Icons on it. However a LOT of her files are still in various folders. Some programs are completely gone with no trace. One of these was Office 2013/365. Not a trace left. But not the only one and the others are not MS related.
She was about to leave for Home (5pm) I got left with the mess. So far, not a trace of any virus, Malware or anything else I can find using multiple scanners.

Just a Mystery.

Oh, and the Creepy Cobwebs desktop. It ALSO deleted itself. I was able to catch one last glimpse in a screen capture before all traces were gone. The words in the capture say "Unable to find "creepy co " that was it. The rest of the name “Creepy Cobwebs” was gone along with the error and it ended reading just like that: wo letters " Creepy co " the rest of the name wasn’t even there.

No mention of it in the registry or anywhere else.

The only reason I knew the name was because i looked for it while it was there and it showed as a "Theme" which has since complete removed itself. Because of all that I am a little but leery of even reloading the drive and it is one of the new laptops with the drives sealed in anyway so my only option is "System Restore". Like it or not/

Shades · « **Reply #4 on:** May 06, 2015, 10:00 AM »

Are you certain the virus/malware/whatever didn't affect the restore point you want to revert to?

A botched install from a piece of software, an update that proves to be incompatible with your system...that are reasons to use system restore. Infection is not. At least in my book.

Creepy cobweb is the name showing in the screen. Are you sure that the application responsible for the mayhem uses the same name? A simple tool, such as Process Explorer gives much more insight into that which helps with a more fruitful combing through the registry. A lot of malware disables software such as Process Explorer from running after the malware infects a system. Because it is of such a help to the admin/end-user in charge of fixing the system.

What SeraphimLabs said is very solid advice. Use tools like JRT, ADWCleaner etc. to check for malware that MalwareBytes Anti-malware might have missed. Check if the system has a rootkit.If it has one of those, then system restore won't be of any help at all. Then you better start making backup of her data, thoroughly check if those files aren't infected, thoroughly wipe her hard disk and start re-installing (preferably from non-writable media, such as a DVD).

questorfla · « **Reply #5 on:** May 06, 2015, 02:24 PM »

Shades: I am as sure as I can be of anything. There are some new indications of odd behavior though.
This is 100% for certain NOT anything they deliberately installed. The system is one they have had in use for several months but not even a year yet. It is an ACER laptop. It had Windows 8.1 Office 365 etc. No other odd items of any note.
The background she had was one she picked from somewhere long ago. It is pictures of a Buddha statue in a jungle surrounding (this is as best as I can remember).
Last night it stayed connected to my network as i worked to find the problem (though i did take all my own systems off the network

)

I found nothing odd. Except for the fact that most of her software was gone. Office 365 was gone completely. Adobe Reader was gone. Several software programs she uses at work were gone.
AVAST was NOT gone but Malwarebytes WAS gone.

(Note: By GONE I mean that there was no trace of it ever being there as far as I could find. Not in recycle bin not anywhere not even as a Hidden system, file I know how to "see" everything and they were not there. )

Today, my intent was to ask her if any of the documents files (which there were still some even though they looked odd since they had no icon associated with them and normally people cannot sec .doc or .docx or .pdf.)
the only Icon was on PDF's due to Windows now having a native PDF reader of its own.

I came in today preparing to ask her to tel me which of the files she wanted me to move off the drive so i could begin a complete format. As she was looking through the files, Her OLD DESKTOP BACKGROUND of the Buddha came up! I do not know from where it came. I had scanned the computer already looking for it but I was not sure of the name. Nonetheless. It was there.
This was a minor victory to her but to me, It was just another reason to worry.
Withing 5 minutes or less. The DELETING bar popped up and deleted what few files were left. I had interrupted this yesterday when I Powered down the system.
Now the rest of the files are gone.

My biggest concern at this point is that the only difference between last night and right now is the network it was connected to.
I had scanned it with Sophos, Norton, and every other scanner i could find and come up with nothing except 1 listed a " Mal-ware.gen."

If the action of DELETE began after she got to work. But NOT while NOT at work, i am very concerned that whatever this is, it is a Mal-ware that exists somewhere on the office network. The fact it had chosen to affect one person ... At this time... does not mean it wont be another one later. I am currently running deep level scans on every system here but they are all interconnected on the office network in some way. All have current up to date AV's and other forms of protection even the servers. (Especially the servers!)

But for her OLD desktop background image to appear for the 3 or 4 minutes it took to delete every other DATA file in her system was extremely odd. I managed to get some photos of it happening with my cellphone but... That is about it.

I am about to do a forensic exam of the hard-drive removed from the system but do not expect to find any more than i found last night.

TaoPhoenix · « **Reply #6 on:** May 06, 2015, 05:44 PM »

Good luck questorfla!
This is the weirdest virus case I have ever heard of!!

MilesAhead · « **Reply #7 on:** May 06, 2015, 06:21 PM »

Good luck questorfla!
This is the weirdest virus case I have ever heard of!!

-TaoPhoenix (May 06, 2015, 05:44 PM)

I'm no malware expert. But from the description it sounds like it lives in the network code. Maybe even infecting drivers. If so it would have trusted access and ring 0 processor privileges. Meaning it could do anything.

But that is just my hunch.

Stoic Joker · « **Reply #8 on:** May 07, 2015, 07:39 AM »

One of the people here started getting odd emails a few days ago that were of a type she would never expect. The wording was pretty "graphic" and appeared to be requesting a reply. All of our systems have up to date AVAST as well as Malwarebytes.
-questorfla (May 05, 2015, 05:46 PM)

I gotta say this part keeps troubling me ... In what way was it how graphic?? Because if someone is "wasting" an apparently previously unknown - and therefore undetectable - exploit ... It's not inconceivable this could be a (very) targeted attack.

If at all possible, it may behoove you to recover those original Emails for analysis, by law enforcement personnel if the "Graphic" nature was in any way...credibly...threatening..

questorfla · « **Reply #9 on:** May 07, 2015, 04:11 PM »

OK, Here is all I have to add. Maybe someone has heard of this or can give me a hint as to how to even look for it.
The current most likely name is "ROMBERTIK" It is an extremely malicious family of Malware that seems to be mostly in Europe

questorfla · « **Reply #10 on:** May 07, 2015, 04:21 PM »

Stoic: No, just the one work of F&CK. but that is, to most of the girls here, a little over the top but not so much as to be Outrageous. They all know what it means. It is just unusual to get emails like that other than as SPAM which is what we considered it. Lately, though, since our switch to Office 365, the amount of spam has gotten so low I had forgotten it existed.
The description that you will find when searching for ROMBERTIC fits it to a "T". 100%. This is something so NEW though that even the Googled articles on it I can find few that are more than 4 days old. While i cannot "see" or locate the Virus/Malware itself. I do know where to find it. It is in an email she got. Not sure which one but it is there for 100% certain.
We loaded a new system, new everything, new AV and new Malwarebytes New Office 365 etc. No problems and all was well .
Until she checked her email.
We had her go back to last Friday (the first evidence of anything) and just open and read her email from Friday till now. No replies. No opening attachments, Outlook was set to BLOCK HTML. Every safety margin was at 100%.
Within 30 minutes or less of her starting her email, the first thing she say was Malwarebytes begin to UN-install itself. Like a normal uninstall showing the screens of the program being removed etc.
Next was AVAST. Same ritual. Finally Office went through its own removal. This laptop had nothing else on it. It worked perfect until she loaded her email from Outlook Exchange Server.

MilesAhead · « **Reply #11 on:** May 08, 2015, 05:52 AM »

OK, Here is all I have to add. Maybe someone has heard of this or can give me a hint as to how to even look for it.
The current most likely name is "ROMBERTIK" It is an extremely malicious family of Malware that seems to be mostly in Europe
-questorfla (May 07, 2015, 04:11 PM)

I got pleny of hits using this

http://addon.100searchengines.com/

Just reading the subject lines it sounds like it. The malware erases itself taking everything else with it.
Probably the only action you can take is get the HD out of the machine and work on it from a secure environment if any data has to be recovered. Preferably as soon as it is identified. I think I would just kill the power to minimize the run time of the thing.

But there may be better advice in some of the articles.

TaoPhoenix · « **Reply #12 on:** May 09, 2015, 08:18 AM »

Rombertik made Slashdot -
http://it.slashdot.o...-virus-kills-off-pcs

Maybe there's some insight there.

Their links (of many)

http://www.bbc.com/n.../technology-32591265
http://blogs.cisco.c...rity/talos/rombertik

app103 · « **Reply #13 on:** May 10, 2015, 07:55 AM »

Rombertik made Slashdot -
http://it.slashdot.o...-virus-kills-off-pcs

Maybe there's some insight there.

Their links (of many)

http://www.bbc.com/n.../technology-32591265
http://blogs.cisco.c...rity/talos/rombertik

-TaoPhoenix (May 09, 2015, 08:18 AM)

I read those and there is no mention of it changing the desktop theme, displaying progressbars with deleting progress, launching the official uninstallers of various programs installed, etc. as questorfla described.

And questorfla never mentioned anything about the laptop going into a rebooting loop, which is a symptom of Rombertik. And there was no mention of opening an email attachment (screensaver .scr masquerading as a PDF), which is how Rombertik gets executed and installed on a user's system.

So, I am not sure why any of you suspect this Rombertik is what is infecting the machine. Please enlighten me if there was something I missed.

TaoPhoenix · « **Reply #14 on:** May 10, 2015, 10:00 AM »

I have no idea what it is. That just was the biggest virus news to hit this week.

cyberdiva · « **Reply #15 on:** May 10, 2015, 11:18 AM »

The Malwarebytes blog focused on Rombertik a few days ago: https://blog.malwarebytes.org/security-threat/2015/05/whats-important-about-rombertik/. Interestingly, the blog claims "Malwarebytes Anti-Malware detects Rombertik as Trojan.Ransom.ED." It might be useful to post something about the user's experience described here (i.e., in the DC thread) on the Malwarebytes forum and try to get them involved. The company tends to take very seriously any report of MBAM's failure to detect/deal with malware.

Curt · « **Reply #16 on:** May 10, 2015, 04:34 PM »

So, I am not sure why any of you suspect this Rombertik is what is infecting the machine.
-app103 (May 10, 2015, 07:55 AM)

I think April is right. The infection described by questorfla, cannot be Rombertik.

Target · « **Reply #17 on:** May 10, 2015, 06:48 PM »

I'm surely no expert but this sounds more like a very old virus (if that's what it is)

to me the operation sounds very clumsy, more like something a script kiddy might produce

Virus writers have become far more sophisticated in what they're delivering and uninstalling/deleting a random somebodies files like this seems like a poor return on their effort

questorfla · « **Reply #18 on:** May 14, 2015, 08:42 AM »

Lots of good posts. I plan to look at each as we are still in the dark other than e know it was something and that whatever it was, it was as close to having some kind of AI running the show as i have ever seen.
Depending on too many variables it seemed to do different things. It also seemed to be tied in with multiple other "bad guys" such that oven when whatever the main threat was gone, there were many little things left laying around. If it was not Rombertik, it had all the earmarks. The weird background was probably part of the "trash" that is loaded into Rombertik in an attempt to obscure the Malware.
I can tied a few odd events that occurred to each of the people affected but there were people who also had those same odd events who did NOT get the "Full Monty" treatment.
For the time being, it is now using up more of my time trying to be sure it is GONE and not just HIDING. Once goingthrough an experiencelike this it leaves you feeling almost like there is no point in trying if there is no way to win

I know the AV software companies probably have this one under control by now. At least we have not had any further issues so I hope so.
I even understand their reasoning behind each one giving the same virus a different name. But that same reasoning makes it nearly impossible to know if a threat removed by the AV program now is the same threat I was dealing with a few days ago. It is hard when they ask for a "sample" yet I don't even have a Vector at this point, much less a way to contain a sample.
By the time i THOUGHT i knew what to look for, it appeared to have morphed into so many varied forms and types of damage it honestly was easier to just reformat.
And:
Even then, I can't be sure. Reformat to Factory?... maybe. As long as it hasn't infect that sector too.
With Windows 8.1 having no external media that i can be 100% sure about, and with the license codes embedded in bios, there is only so far you go. When all seems well a week later it could be just because the AV companies had finally gathered enough evidence to add a specific marker to their signature files so they catch it before the damage is done.
Thanks for all the comment and if the discussion itself got even one person to be more aware of their vulnerabilities it was worth it. Those who got hit lost every file they had.... One way or the other. If the virus did not get it, i had no choice but to scrub anyway because i could not risk that it might be hiding there. Anyone displaying almost any of the symptoms was a suspected carrier.
If nothing else, i learned a lesson in humility. It is easy to play Monday Morning Quarterback but when you are in the game while the ball is in play, things look a lot different.
And i hope the employees learned to make backups. NONE of them, not a single one, has made any attempt to keep anything now for years. Worst of all, they use their desktops like a filing cabinet and no amount of pushing on my part has made even a dent in that practice.
It doesn't help that Windows has made it nearly impossible to "restore to 3 days ago" instead opting for a more useful (but far more complex) method of "version per file" which requires an additional drive and by default is set to OFF.
Because NO ONE here has made the final jump in user interface, all of them preferring to keep their old Windows 7 layout through various utilities, it left most with not even a chance of recovery if affected.

Stoic Joker · « **Reply #19 on:** May 14, 2015, 11:24 AM »

It might not hurt to point out to the brass that the Blast-Effective-Zone could have been a lot smaller if they would have let you put in a proper domain back when you originally asked for it.

Because I'm guessing - from the descriptions you've given in other threads - that most folk are romping around with Admin rights. And the only truly proven method of ducking the 0-day stuff is by using reduced (e.g. user level) permissions ... Everything else has time and time again proven itself to be nothing more than a feeble attempt to water seal a screen door.

P.S. Feel free to quote me on that..

questorfla · « **Reply #20 on:** May 19, 2015, 04:08 PM »

Sorry I have been in and out . Things are getting better here but in answer to a ferw questions> Yes, the systems did reboot. Quite obviously, if for no other reason than people rebooting them but many hit a point where they rebooted as files to stay running were deleted. Sorry for not mention that specifically.
As for the Desktop background, there is plenty of mention of that in the "padding" used to "hide" the actual virus. They said that there are a lot of real files such as deskrtop backgrounds etc that are mixed in with the virus in order to increase the size of the file so that it can escape any searches for those "small files that look suspicious".
While I have no "proof" it was Rombertik, (and to be honest really don;t care or ever want to see anything like it again) I can say that whatever it was, it left an indelible mark, probably for the best.
And Yes, Stoic, you are correct. But that won't change and that is the way it is.
This is not a domain, it is a work-group and just about anybody can do as they Darned well please which bugs me no end but...They will learn when the day comes that some file clerk wipes out the whole business from a YouTube Download.
Until then, my job is to try to hold things together as best as I can.
Thanks for everyone chiming in. All knowledge is worth something. We still have no idea of the original vector forit other than SOME of the people who got hit got a couple of odd emails.
But some people who did NOT get hit also got some very similar.
None of the emails contained any attachments and all were stamped as being scanned by the MS Exchange Servers and found clean. (even though the language used in them was anything but)
I was reading my own posts and wanted to clarify this. In the early stages we did suspect email to be a source but now I think the email was more of a symptoms than a cause. It worked much like a hijacker virus would and the effects were so "directed" that you could almost feel someone else in the machine watching each User freak out! I can imagine then that this would not be so impossible and someone Could have actually been looking on through the webcam.

Stoic Joker · « **Reply #21 on:** May 19, 2015, 05:02 PM »

Thanks for the update. I've been thinking that mouser needs to come up with a new award just for you because of the unique level of OMFG What??!? class issues you consistently encounter. It is always truly intriguing to join in your issue threads.

questorfla · « **Reply #22 on:** May 19, 2015, 05:56 PM »

LMAO! Thanks Stoic. On most of this I just happen to think in odd ways. I can't take credit for this new disaster but some of the other stuff is just me thinking WHY are "people" still having to do things like this.
Part of the answer is 100% your are corrct. How many busineses these days have a antique "workstation" environment. Makes me want to cry. ... Or laugh>? Life is what it is.. either roll with it or get rolled over by it. I try to think outside the "box" and sometimes... I wonder about my own sanity. They say that means you are OK. As long as you have doubts about yourself, you are fine. Though that sounds a little odd on the face if it.
I was thinking about asking Mouser if there was ever any more thought given to making the contents of the entire Forum available for search and download. I have seen so many things here that I see nowhere else. I would archive the whole thing if I could.
Who needs Google? Just search this forum and "All Questions Shall Be Answered; All Secrets revealed!"