Tanechka Threat

Discussion in 'Malware Help (A Specialist Will Reply)' started by pcjedi, Nov 27, 2013.

  1. pcjedi

    pcjedi Private E-2

    Subject: Tanechka Threat

    Threat Description: This threat appears as a set of files in a folder under C:\Windows and in C:\Windows\System32. The threat installs command files, user accounts, administrator accounts and scheduled tasks. The goal of the threat is to execute the scheduled tasks which initiate a data mining operation on outside computers based on IP addresses. The CPU utilization quickly approaches 100%. The ISP notices the activity as malicious DDS efforts. The threat can be disabled and removed manually. The infection returns upon system reboot.

    Infected System Details
    OS Name: Microsoft(R) Windows(R) Server 2003, Standard Edition
    OS Version: 5.2.3790 Service Pack 2 Build 3790
    OS Manufacturer: Microsoft Corporation
    OS Configuration: Primary Domain Controller
    OS Build Type: Multiprocessor Free
    Original Install Date: 8/20/2011, 8:15:57 PM
    System Manufacturer: HP
    System Model: ProLiant ML150 G6
    System Type: X86-based PC
    Processor(s): 4 Processor(s) Installed.
    [01]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz
    [02]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz
    [03]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz
    [04]: x86 Family 6 Model 26 Stepping 5 GenuineIntel ~2132 Mhz
    BIOS Version: HP - 20110118

    - There are no commands in the Start menu or registry HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion entries of Run or RunOnce.
    - System is running AVG antivirus, which does not detect the threat
    - System has been checked with Malwarebytes, which does not detect the threat


    Description of files:

    C:\Windows\backup009.cmd := executed by scheduled task
    Code in file:
    netsh advfirewall set allprofiles state off

    C:\tanechka := contains the data mining files
    Files in Folder
    cygcrypto-1.0.0.dll
    cyggcc_s-1.dll
    cyggcrypt-11.dll
    cyggnutls-26.dll
    cyggpg-error-0.dll
    cygiconv-2.dll
    cygidn-11.dll
    cygintl-8.dll
    cygtasn1-3.dll
    cygwin1.dll
    cygz.dll
    files.txt
    gzip.exe
    libeay32.dll
    msvcr71.dll
    passwd.txt
    passwd1.txt
    passwd2.txt
    passwd3.txt
    passwd4.txt
    passwd5.txt
    passwd6.txt
    qsort.exe
    QtCore4.dll
    QtGui4.dll
    random.exe
    ranges.txt
    ranges.txt.random
    ranges_eu.txt
    ranges_of.txt
    ranges_us.txt
    rdbrute.cmd
    realvnc.exe
    scanning.cmd
    scan_ranges.txt
    sleep.exe
    ssleay32.dll
    sysinfo.log
    tasklist.tmp
    users.txt
    users2.txt
    users3.txt
    VNC_bypauth.txt
    wget.exe

    Notes -
    Users - includes usernames the program uses to guess access to other computers
    Ranges - includes IP ranges the program uses to attack
    passwd - includes passwords the program uses to guess access to other computers


    Active Directory Creations
    user133, user134, user13# ....
    admin133, admin134, admin13# ....

    Scheduled Tasks
    At1, At2, At# ...
    Scheduled for everyday at 12:00 AM
    Created by NetScheduleJobAdd
    Run as NT Authority System

    Manual Disable
    Terminate all "cmd" processes in Task Manager.
    Delete tanechka folder
    Delete users and admins from Active Directory
    Delete At scheduled tasks
    Delete *.cmd files in C:\Windows\System32

    Requested Action: Permanent removal. I am not sure where to look further to identify how this threat is re-installing itself after manual removal.
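A triage script for the indicators listed in this post, added here as an example and not part of the thread: it runs over constructed sample data (account names, task records, file paths and a .cmd body built to mirror the post) and flags the user###/admin### accounts, the At# jobs running as SYSTEM at midnight, the C:\tanechka folder, stray .cmd files in System32 and the firewall-off command, so the same check can be repeated after each reboot to see which artefacts the re-infection recreates. On the live server the lists would be filled from `net user`, `schtasks /query /v` and a directory listing; that collection step is an assumption of the example, not something the post describes.

```python
import re

# Constructed sample data mirroring the indicators in the post above: account
# names, scheduled tasks and file paths as collected with `net user`,
# `schtasks /query /v` and `dir`. None of this is real system output.
SAMPLE_ACCOUNTS = ["Administrator", "Guest", "jsmith", "user133", "user134",
                   "admin133", "admin 134"]
SAMPLE_TASKS = [
    {"name": "At1", "run_as": "NT AUTHORITY\\SYSTEM", "time": "12:00 AM",
     "command": "C:\\Windows\\backup009.cmd"},
    {"name": "Nightly Backup", "run_as": "CORP\\backupsvc", "time": "01:00 AM",
     "command": "C:\\Scripts\\backup.cmd"},
]
SAMPLE_FILES = ["C:\\tanechka\\rdbrute.cmd", "C:\\Windows\\System32\\scan.cmd",
                "C:\\Windows\\System32\\calc.exe", "C:\\Windows\\backup009.cmd"]
SAMPLE_CMD_TEXT = "@echo off\r\nnetsh advfirewall set allprofiles state off\r\n"

# Patterns taken from the post: user###/admin### accounts, At# jobs, the
# C:\tanechka staging folder, loose .cmd files in System32 and the
# firewall-off command found in backup009.cmd.
ROGUE_ACCOUNT = re.compile(r"^(?:user|admin)\s?\d{3}$", re.IGNORECASE)
AT_JOB = re.compile(r"^At\d+$", re.IGNORECASE)
CMD_IN_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.cmd$",
                             re.IGNORECASE)
FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\S+\s+state\s+off",
                          re.IGNORECASE)

def rogue_accounts(accounts):
    # Accounts named like the user133 / admin133 series
    return [a for a in accounts if ROGUE_ACCOUNT.match(a)]

def rogue_at_jobs(tasks):
    # At# jobs running as SYSTEM at midnight, as NetScheduleJobAdd created them
    return [t["name"] for t in tasks if AT_JOB.match(t["name"])
            and t["run_as"].upper().endswith("SYSTEM") and t["time"] == "12:00 AM"]

def rogue_files(paths):
    # Anything under C:\tanechka, or a .cmd file dropped directly in System32
    return [p for p in paths
            if p.lower().startswith("c:\\tanechka\\") or CMD_IN_SYSTEM32.match(p)]

def disables_firewall(cmd_text):
    # True when a .cmd file carries the netsh command that turns the firewall off
    return FIREWALL_OFF.search(cmd_text) is not None

def triage(accounts, tasks, files, cmd_text):
    # Re-run after each reboot: any non-empty field means the threat came back
    return {"accounts": rogue_accounts(accounts), "tasks": rogue_at_jobs(tasks),
            "files": rogue_files(files), "firewall_off": disables_firewall(cmd_text)}
```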
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. pcjedi

    pcjedi Private E-2

    Four logs created. Please see attached.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As this computer appears to be a Doctors office and is networked, I am hesitant to try to "fix" it for fear of lost data. I suggest you call in some professional help.
     
  5. pcjedi

    pcjedi Private E-2

    Ok. Thanks for reviewing.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem. Good luck.
     
