Tuesday, March 19, 2019

windows 7 - Found new malware not detected by antivirus. How to evaluate the threat?


On a Windows 7 workstation running an up-to-date antivirus suite (Kaspersky) I found several suspicious processes. To look at the process activity I used the excellent Process Monitor from SysInternals.


One of them had an executable name wauctla.exe located in C:\Windows. Update: the name is probably chosen deliberately to be confused with wuauclt.exe - the Windows Update Agent Control utility.


This process runs as a System Service. Using the Management Console services snap-in I was able to change the startup settings for this process from "Automatic" to "Disabled". However, there was no way I could stop the running process via the MMC snap-in.


I still managed to stop the process with the taskkill /f /PID command. I restarted the OS and the process is no longer seen in the process list.


There is an excellent thread on superuser on the procedures necessary to remove generic malware from computers running Windows. When the suspicious processes have been stopped and their executable files moved to a safe location away from the executable search path, I want to learn more about the new malware.


What sort of threat comes from this file? Is there any antivirus software around that can detect this virus? How does it spread? Should I check other computers that were accessed by the same user after this workstation was infected?


Update 2: Following the answers referring to virustotal, here is a link to the virustotal summary of this piece of malware.


Answer



Don't use Process Monitor for that. Use VirusTotal, as @DavidPostill suggested, but without manually sending files. Process Explorer from SysInternals has built-in VirusTotal functionality. Just go to Options -> VirusTotal.com -> Check VirusTotal.com and a column with the header VirusTotal will appear. After a few seconds you will get the VirusTotal rating for each executable.




From Process Explorer you can directly kill the malicious process or find out which Windows Service started this process and stop and disable this service. This is a good way to do it, because if you kill the process the underlying service might immediately recreate the malicious process. To find out the service for a process, double-click the process and go to the Services tab.
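To script the same triage the answer describes for the service-backed lookalike in the question (wauctla.exe vs. wuauclt.exe), here is an added PowerShell example that is not code from the original post or from SysInternals: it enumerates services, flags executables whose name is a same-length letter shuffle of a known Windows binary (a heuristic, so expect to review hits by hand), prints the SHA-256 for a VirusTotal lookup, and shows the stop-and-disable commands. The reference-name list is an assumption; it targets Windows PowerShell 2.0 (the Windows 7 default) and must run elevated.

```powershell
# Added example, not part of the original answer. Assumes an elevated prompt
# and Windows PowerShell 2.0+, so hashing uses .NET rather than Get-FileHash.

# Reference names to compare against (assumed list; extend with your baseline).
$knownBinaries = @('wuauclt.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'spoolsv.exe')

function Get-LetterSet([string]$name) {
    # Distinct letters of the base name, sorted. "wauctla" and "wuauclt"
    # both give "acltuw": same length plus same letter set marks a lookalike.
    $base = [IO.Path]::GetFileNameWithoutExtension($name).ToLowerInvariant()
    return -join ($base.ToCharArray() | Sort-Object -Unique)
}

function Test-Lookalike([string]$candidate, [string]$reference) {
    $c = $candidate.ToLowerInvariant(); $r = $reference.ToLowerInvariant()
    return ($c -ne $r) -and ($c.Length -eq $r.Length) -and
           ((Get-LetterSet $c) -eq (Get-LetterSet $r))
}

function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
}

foreach ($svc in Get-WmiObject Win32_Service) {
    # PathName holds the full service command line; pull out the executable.
    $cmd = [string]$svc.PathName
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    elseif ($cmd -match '^\s*(\S+?\.exe)') { $exe = $matches[1] }
    else { continue }
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $file = [IO.Path]::GetFileName($exe)
    foreach ($ref in $knownBinaries) {
        if (Test-Lookalike $file $ref) {
            "Service '{0}' ({1}, PID {2}) runs {3}, a lookalike of {4}" -f `
                $svc.Name, $svc.State, $svc.ProcessId, $exe, $ref
            "  SHA256 {0}  (look this hash up on virustotal.com first)" -f (Get-Sha256Hex $exe)
            # Stop and disable the service before touching the process, so the
            # service cannot respawn it; then move the file out of the search path.
            "  Stop-Service -Name '{0}' -Force; Set-Service -Name '{0}' -StartupType Disabled" -f $svc.Name
        }
    }
}
```

The script only reports; run the printed Stop-Service/Set-Service line yourself once the VirusTotal result confirms the hit.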

