So, there I was: counting the minutes until I could go home and do laundry, when I noticed my workstation was sluggish. I tried to open up SysInternals Process Explorer, because I had it replace Task Manager, when I got an error saying that procexp.exe could not be found. So I fired up Everything.exe (super fast filename search), looked for procexp.exe, and noticed it had been moved to a Temp folder. Then! I got flooded with calls. "The internet doesn't work." "My computer froze." "Help!" Somehow, and very VERY quickly, that malware got Domain Admin and propagated through the domain. I was unable to use my workstation, so I looked over at my laptop. It was showing a BSOD saying it couldn't find gdi32.dll.
Well... frak!
I had no way to diagnose the state of the servers because I didn't have a working workstation. As I was walking around trying to find a working system, I kept hearing more and more users complain about stuff not working. I estimate that we got pwn3d in about 60 seconds!
I had to boot into a LiveCD of Kali Linux (pentesting boot CD) and was able to successfully log in to the servers using rdesktop (they seemed OK).
After talking to some consultants, they pointed me toward TDSSkiller and Combofix. TDSSkiller didn't find anything related to the malware. Combofix found a few things:
- URTTemp\fusion.dll
- mscoree.dll & mscoree.dll.local
- regtlib.exe
and my favorite:
- C:\Windows\System64 (on a 32bit XP machine)
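As an added example (my own, not something the poster ran), here is a quick PowerShell sweep you could push to the remaining stations to see which ones carry the same artifacts before touching them with Combofix. It assumes PowerShell is available (Windows 7 stations, not the XP boxes), and the exact locations of fusion.dll, mscoree.dll.local and regtlib.exe are assumptions based on the list above; the post does not give full paths.

```powershell
# Added example, not the poster's script. Checks a workstation for the artifacts
# named in the post; every path below is an assumption about where they would sit.
$systemRoot = $env:SystemRoot

$indicators = @(
    (Join-Path $systemRoot 'System64'),                 # no Windows build, 32- or 64-bit, has a System64 folder
    (Join-Path $systemRoot 'URTTemp\fusion.dll'),       # assumed location of the URTTemp\fusion.dll finding
    (Join-Path $systemRoot 'System32\mscoree.dll.local'), # assumed location of the .local file
    (Join-Path $systemRoot 'regtlib.exe')               # assumed location of regtlib.exe
)

$findings = foreach ($path in $indicators) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Indicator = $path
            Kind      = if ($item.PSIsContainer) { 'directory' } else { 'file' }
            LastWrite = $item.LastWriteTime
        }
    }
}

# DotLocal redirection files (*.dll.local) next to an exe make it load a DLL from its
# own folder instead of System32. It is a documented Windows mechanism, so a hit here
# is a lead to look at, not a verdict.
$localFiles = Get-ChildItem -Path $systemRoot, $env:ProgramFiles -Filter '*.dll.local' `
    -Recurse -Force -ErrorAction SilentlyContinue

# procexp.exe turning up in a Temp folder was the first symptom in the post.
$tempProcexp = Get-ChildItem -Path $env:TEMP, (Join-Path $systemRoot 'Temp') -Filter 'procexp.exe' `
    -Recurse -Force -ErrorAction SilentlyContinue

# The DLLs that threw "unregistered" errors after the Combofix reboot: confirm the files in
# System32 still carry a valid Microsoft signature before re-registering anything.
$dlls = 'OLEACC.dll', 'ieframe.dll', 'cwbcore.dll'
$signatures = foreach ($name in $dlls) {
    $full = Join-Path $systemRoot "System32\$name"
    if (Test-Path -LiteralPath $full) {
        $sig = Get-AuthenticodeSignature -FilePath $full
        [pscustomobject]@{ Dll = $name; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    } else {
        [pscustomobject]@{ Dll = $name; Status = 'MISSING'; Signer = $null }
    }
}

"== $env:COMPUTERNAME =="
if ($findings)     { "Indicators present:";          $findings     | Format-Table -AutoSize }
if ($localFiles)   { ".dll.local redirection files:"; $localFiles   | Select-Object FullName, LastWriteTime | Format-Table -AutoSize }
if ($tempProcexp)  { "procexp.exe in a Temp folder:";  $tempProcexp  | Select-Object FullName, LastWriteTime | Format-Table -AutoSize }
"System32 DLL signatures:"; $signatures | Format-Table -AutoSize
if (-not ($findings -or $localFiles -or $tempProcexp)) { "No listed artifacts found on this host." }
```

Run it as an admin on one station first so you know what a clean result looks like, then fan it out with whatever remote execution you already trust (PsExec, a GPO startup script). Anything with Status other than Valid on the signature table is a station to run sfc /scannow on before you trust it again, which matches what the post ended up doing on the Windows 7 boxes.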
After Combofix rebooted, I got a bunch of errors that DLLs were unregistered:
- OLEACC.dll
- ieframe.dll
- credvi.dll
- cwbcore.dll
On our Windows 7 stations, I rebooted into System Restore and, when that finished, I ran:
sfc /scannow
That got me one working PC... now only ~50 to go... *sad panda*
I still have no idea what it is, nor do I know exactly who launched it. I presume it was a domain admin, because I'm almost in awe of how quickly it friggin' took over the network, bypassing both AVG antivirus and MalwareBytes Enterprise Edition.
Once I got MalwareBytes running again, I only had one PC that says it saw something, and it said it was TrojanDownloader.ED... and now that I'm at home, I google that and see that the culprit may be MalwareBytes!!!!
ugh... well, at least I know what I have to do tomorrow.
Thanks for listening to me rant Spiceworks.