
On a Windows 7 workstation running an up-to-date antivirus suite (Kaspersky) I found several suspicious processes. To look at the process activity I used the excellent Process Monitor from Sysinternals.

One of them had the executable name wauctla.exe, located in C:\Windows. Update: the name is probably chosen deliberately to be confused with wuauclt.exe - the Windows Update Agent Control utility.

This process runs as a system service. Using the Management Console services snap-in I was able to change the startup setting for this service from "Automatic" to "Disabled". However, there was no way I could stop the running process via the MMC snap-in.

I still managed to stop the process with the taskkill /f /PID command. I restarted the OS and the process was no longer seen in the process list.

There is an excellent thread on superuser on the procedures necessary to remove generic malware from computers running Windows. When the suspicious processes have been stopped and their executable files moved to a safe location away from the executable search path I want to learn more about the new malware.

What sort of threat comes from this file? Is there any antivirus software around that can detect this virus? How does it spread? Should I check other computers that were accessed by the same user after this workstation was infected?

Update 2: Following the answers referring to virustotal, here is a link to the virustotal summary of this piece of malware.

Dima Chubarov
  • `wauctla.exe` isn't malicious. `wauctla.exe` is used by *Windows Update*. – Ramhound Mar 09 '15 at 10:40
  • That's `wuauclt.exe` I believe. – Lieven Keersmaekers Mar 09 '15 at 10:53
  • `wauctla.exe` **is** malware, and it's detected by Avast. – Adi Mar 09 '15 at 12:15
  • If you don't know what it is, assume the worst and reinstall your machine. –  Mar 09 '15 at 13:09
  • As alluded to below, AV is for AV. For malware - which is more grey area - you may want to explore tools that remove more grey area stuff. MalwareBytes, Spybot, Super, etc – WernerCD Mar 09 '15 at 15:17
  • You're asking us what this threat does when you haven't even identified it? Does this mean that you don't know how to identify it or that it's not a known threat? – Jason Mar 09 '15 at 15:21
  • @WernerCD what exactly is the difference between virus and malware? No matter how you call them, it's unauthorized, potentially malicious code running on a machine and that machine needs to be reinstalled, especially since it's running as a service, which means the attacker has administrator privileges. –  Mar 09 '15 at 16:01
  • @AndréDaniel If that was the correct solution to any problem, everyone would be using VMWare. – oldmud0 Mar 09 '15 at 16:19
  • @oldmud0 why is that? Just don't run shady crap downloaded from myfreekeygen.com or supertrustworthypiratedsoftware.com and you're fine. –  Mar 09 '15 at 16:23
  • "Malware" is any malicious software, so by definition this includes "viruses". http://en.wikipedia.org/wiki/Malware – Ƭᴇcʜιᴇ007 Mar 09 '15 at 16:39
  • @AndréDaniel The difference is shades of grey - the world isn't black and white. Virus not a virus. If you get something from Downloads.com, click accept and get Vosteran Toolbar Awesomifier!!!... you got mal/ad/spy-ware - not a virus/trojan. It's "bonus software" and you clicked accept, making it no longer "unauthorized". Should an AV uninstall/remove that? Maybe, maybe not. http://en.wikipedia.org/wiki/Malware#Grayware - that's why MB/SpyBot/etc. are as prevalent as they are. – WernerCD Mar 09 '15 at 17:11
  • What exactly did Kaspersky say about the suspicious processes? Can you copy-paste the message from Kaspersky? Did it provide the name of the threat? Often anti-virus software will list a name (e.g., EvilThingy.A), which you can then research to learn more about it. What did it say about the threat? You haven't provided us much information to help you -- please provide all available information, you'll be much more likely to receive useful answers that way. – D.W. Mar 10 '15 at 00:10
  • My simple test to identify a file - open the file location and view its properties. A legitimate Windows file would have a 'Details' tab listing out the component, product and company name, and file version. – Rex Mar 11 '15 at 06:07
  • @Rex Your simple test is the least reliable test you can perform. Why? Because you can easily change all this information with basically any resource editor. – SilverWarior Apr 29 '15 at 07:34
  • You can, but few virus writers bother. Also you wouldn't be able to fake the installation timestamp common to all the other files, nor explain the tiny size of most malicious files compared to legitimate binaries. – Rex Apr 29 '15 at 07:39
  • @Rex I have quite some experience in searching for and cleaning malware manually, so believe me, there is a lot of malware out there that does try to mislead the user with such information. This is especially common when malware files have the same names as original system files but are just placed in a different directory. Now this is used less and less nowadays, where most files are already digitally signed, because making the slightest change to this information invalidates the digital signature. – SilverWarior Apr 29 '15 at 07:51
  • And for all of you who are interested in trying to find out what behavior certain malware might have, I usually use the next approach. On my computer I have installed Microsoft Virtual Machine 2007 in order to be able to run another clean version of Windows in a virtual machine. For the simplicity of reverting to the initial state I have undo disks enabled. In this virtual Windows I have installed the VMware ThinApp application, which I then use for logging the suspicious software's behavior. ... – SilverWarior Apr 29 '15 at 08:00
  • ... Now some of you might be thinking: "Silver, but VMware ThinApp is for making portable applications and not for malware analysis". Yes, the original intention of VMware ThinApp is the creation of portable applications. But in order for it to do so it needs to prescan your system before the application installation (the application that you want to make portable) and postscan your system again after the application installation. It then compares both scans to find the differences, which it then uses to create a virtual environment for your newly made portable application. ... – SilverWarior Apr 29 '15 at 08:05
  • ... But the best thing is that it actually allows you to view what these changes were. You need to check a bunch of files that were created in the project folder. Granted, they are not presented in the most user-friendly manner, but good enough for people with more advanced knowledge of computers to understand. – SilverWarior Apr 29 '15 at 08:09
  • So far, by using the above-mentioned approach, I managed to learn about the behavior of many malware programs that my friends managed to infect their computers with. I even managed to detect a nasty rootkit before it could completely infect my computer. I did this after noticing sudden unusual CPU usage after executing one unknown program. Luckily I went and tested this out right away, because if I had just made a system restart in between, the rootkit would have managed to fully integrate into it. But this way I was able to remove it well before that. – SilverWarior Apr 29 '15 at 08:14
  • Just one day later it was already properly recognized by ESET Antivirus – SilverWarior Apr 29 '15 at 08:15

2 Answers


Don't use Process Monitor for that. Use VirusTotal, as @DavidPostill suggested, but without manually sending files. Process Explorer from Sysinternals has built-in VirusTotal functionality. Just go to Options -> VirusTotal.com -> Check VirusTotal.com and a column with the header VirusTotal will appear. After a few seconds you will get the VirusTotal rating for each executable.


From Process Explorer you can directly kill the malicious process or find out which Windows service started this process and stop and disable that service. This is a good way to do it, because if you only kill the process the underlying service might immediately recreate the malicious process. To find out the service for a process, double-click the process and go to the Services tab.

Robert Niestroj
    @AndréDaniel Process Explorer only [sends hashes](http://blogs.technet.com/b/sysinternals/archive/2014/01/29/updates-process-explorer-v16-0-psping-v2-01.aspx) of processes that it scans automatically. To send an entire file for analysis you must do that by manually initiating a scan via the *Process* or *DLL* details window (see the Terms of Service dialog box as shown [here](https://blog.malwarebytes.org/intelligence/2014/01/process-explorer-now-including-virustotal-support/)). – I say Reinstate Monica Mar 09 '15 at 17:21
  • @Twisty okay nevermind, didn't know that. –  Mar 09 '15 at 17:27
  • Well, your point in the aspects on which it is correct remains valid, seeing as it is possible to submit an entire file, just not automatically. – I say Reinstate Monica Mar 10 '15 at 03:19

How do I evaluate the threat caused by malware?

You can submit your file to VirusTotal for online analysis.

  • VirusTotal checks the file using over 40 antivirus solutions.
  • This will at least tell you if any antivirus software is able to detect it.
  • If you get a positive identification you can then search for the name of the virus to find out more about how it works and what threat it poses.

What is VirusTotal?

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

Source: VirusTotal

DavidPostill