Message boards : News : Windows malware reported

Message 114197 Posted 27 Jun 2024 by nothanks
I'm not sure where to post this, but we had one instance of this in our office today. Note that I am NOT a malware specialist and anything I say needs to be taken with a grain of salt. The malware appears to create multiple Task Scheduler entries that are set to run the files from the user's roaming folder on start and every 15 minutes from then on. It appears to also use PowerShell in the process, but I didn't let it run long enough to see how it all works. I didn't find any services directly associated with it, but I'm still digging in to see if I find any. Here is what we have done so far, and it hasn't come back in the last couple of hours... but I plan to keep watching.

If you come across an infected computer, immediately go to "Task Scheduler" and remove any entries that have an action which runs code from the "roaming" folder. It disguises the entries to look like Mozilla updates, Google updates, Windows security updates, and some of the entries were just an underscore and numbers. Bottom line is, if it runs code in the AppData/Roaming space then you probably shouldn't have that task scheduled.

After getting all of these deleted you will also need to delete all the malicious files stored in the roaming folder and subfolders. You may have to kill processes using "Task Manager" to be able to delete all the files. For now this seems to have stopped the infection, but we will have to watch and see.
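A defender-side check for the persistence the post describes, added here as an example and not taken from the post: it lists every scheduled task whose Exec action references AppData\Roaming, together with its triggers and last run time, and can export and unregister the matches once reviewed. It assumes an elevated PowerShell session on the affected machine; the evidence folder is a chosen placeholder.

```powershell
# Added example, not part of the original post. Lists scheduled tasks whose
# action runs from, or passes arguments referencing, the user's AppData\Roaming
# folder, which is where the post reports the malware persisting. Assumes an
# elevated PowerShell 5.1+ session on the affected machine.
$Remove   = $false                        # set to $true only after reviewing the list
$Evidence = "$env:TEMP\suspect-tasks"     # placeholder: task XML is exported here first

# Legitimate vendor updaters (Google, Mozilla, Windows) run from Program Files or
# System32; a task with one of those names that executes from Roaming is the
# mismatch the post describes.
$pattern = '(?i)\\AppData\\Roaming\\'

$suspect = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped
        if (-not $action.Execute) { continue }
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -notmatch $pattern) { continue }

        # Summarise triggers, e.g. "BootTrigger,TimeTrigger/PT15M" for the
        # "on start and every 15 minutes" pattern the post reports
        $triggers = ($task.Triggers | ForEach-Object {
            $t = $_.CimClass.CimClassName -replace '^MSFT_Task', ''
            if ($_.Repetition.Interval) { "$t/$($_.Repetition.Interval)" } else { $t }
        }) -join ','

        [pscustomobject]@{
            TaskPath = $task.TaskPath
            TaskName = $task.TaskName
            State    = $task.State
            RunAs    = $task.Principal.UserId
            Triggers = $triggers
            LastRun  = (Get-ScheduledTaskInfo -InputObject $task).LastRunTime
            Command  = $cmd
        }
    }
}

$suspect | Format-Table -AutoSize -Wrap

if ($Remove -and $suspect) {
    New-Item -ItemType Directory -Force -Path $Evidence | Out-Null
    foreach ($s in $suspect) {
        # Keep a copy of the task definition for the incident record before removal
        Export-ScheduledTask -TaskName $s.TaskName -TaskPath $s.TaskPath |
            Set-Content -Path (Join-Path $Evidence "$($s.TaskName).xml")
        Unregister-ScheduledTask -TaskName $s.TaskName -TaskPath $s.TaskPath -Confirm:$false
    }
}
```

The Command column gives the file paths under Roaming that still need to be removed after the tasks are gone, which is the second step the post describes.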
Copyright © 2025 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.