I got a virus?

Kanakops

Hi, I'm not posting a lot and I don't know if I'm posting this in the right place, but I tried to execute a virus in a VM and the virus escaped out of my VM onto my real machine.

The basic one was blocked and put in quarantine, but the other one was not blocked by Windows for some reason, and now I'm really stressed.

I didn't have the symptoms of cisum.exe (https://www.helpnetsecurity.com/200...-it-has-been-infected-by-the-new-cisuma-worm/

https://www.sophos.com/en-us/threat...nd-spyware/W32~Cisum-A/detailed-analysis.aspx)

But I don't know what mikatz.gen!f is supposed to do.

The virus I tried to execute was "cisum.a" or "cisum.exe", I don't know (it said state: failure, this program can't be fully fixed).

[attached screenshot of the detection]


Now I'm on Hiren's and I'm doing a Malwarebytes scan. So far it's detecting nothing, but I'm really stressed. If someone can help me it would be great.
 

Joom

Why would you test malware in a VM if you don't know what you're doing? Most malware has the ability to detect if it's in a VM or not, thus requiring extra steps to prevent this. If you plan to test and analyze malware, it should be on an air gapped system with Deep Freeze installed.

To answer your question, the detection here is a heuristic signature (hence the "gen", or "generic"). Disconnect from the internet and run a full scan. Malware likes to hide in %appdata% so it can execute without invoking a UAC prompt, so check there first for anything suspicious.
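A defender-side triage of the folders mentioned above, added here as an example and not code from the thread. It lists recently written executables under %APPDATA% and %LOCALAPPDATA% with their signature status and hash, and also lists per-user Run entries that point into the profile (the age window $Days is an assumption; adjust it to when the sample was run):

```powershell
# Added example: triage executables hiding under the per-user profile folders.
param([int]$Days = 7)   # assumption: how far back to look

$roots  = @($env:APPDATA, $env:LOCALAPPDATA)
$cutoff = (Get-Date).AddDays(-$Days)

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe,*.dll,*.scr,*.vbs,*.ps1 -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = $sig.Status        # NotSigned, Valid, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Unsigned binaries written recently are the first ones to look up by hash.
$hits | Sort-Object Signature, Modified -Descending | Format-Table -AutoSize

# Per-user Run keys can be written without elevation, so list entries pointing into the profile.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'AppData' } |
            ForEach-Object { "{0}: {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
```

A hit is a lead to look up, not proof of infection; plenty of legitimate per-user installers (browsers, chat clients) also live under these folders, usually with a valid signature.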
 

TheCasualties

This guide should help you. Take your time and you'll eventually get rid of it.
https://www.reddit.com/r/techsuppor...ested_reading_official_malware_removal_guide/

Revo Uninstaller is a great tool for removing stubborn things too. Might help. Good luck!

Worst case scenario: format your drives and reinstall Windows.

Edit: just realized how old that Reddit post is... Hopefully it's still useful. It helped me a while ago. Also noticed this is a pretty old thread; did you already get this cleared up, OP?

Kanakops

Hey, thanks for all the answers. I'm the type of person who connects once every several months, so sorry if I didn't reply to anyone here.

I was curious to test viruses on the VM because at school we used to try them on a VM and remove them / fix the problems they caused. But the teachers gave us the same thing over and over, a virus that changes your password and corrupts Explorer. After those I was too confident and thought nothing would happen outside my VM, so I downloaded an archive of viruses and executed a couple of them. Nothing was happening at all, even in the task manager, and one of them finally worked:
[attached screenshot]

The thing is that I forgot to remove the shared folder, so the virus created a copy of itself on every drive in the VM (and the shared folder was considered one of them).

Now I think the virus just got detected and blocked before anything happened, but I just couldn't calm down because I didn't really know what THIS virus was doing / how it's supposed to act.


In the end I made a backup of a couple of things (and I forgot my school work, rip) and installed Manjaro. But I'm really not comfortable with Linux, even though I've used Ubuntu and Lubuntu before; it's just not for me, and I also like to play some online games sometimes. So I formatted everything except the few things I backed up and reinstalled Windows. I've done several malware scans with Malwarebytes Premium (trial) and Windows Defender and nothing got detected, so now I think this story is over.

Joom

nothing was happening at all even on the task manager
A lot of malware uses a technique called running process injection. They oftentimes will inject themselves into the memory of common Windows components (svchost, taskhost, etc.), or if they're primitive/unsophisticated, they'll just mimic a process name of something that is usually benign. This is to avoid easy detection through the Task Manager. This also helps in evading anti-virus detection. So, just because you don't see a process for the binary you executed doesn't mean that it's not running. And, like I mentioned, most malware has VM detection, so if it detects that it's being run in a VM, it won't execute at all (anti-debugging measure), or it'll use something to break out of the VM and infect the host instead.
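One way to catch the "primitive" case described above, a binary that merely borrows a well-known Windows process name, added here as an example and not code from the thread. It compares each such process against the image path and parent it normally has (the expected table is an assumption based on a default Windows layout):

```powershell
# Added example: flag processes that use a well-known Windows name but do not run
# from the expected image or under the expected parent. Run from an elevated shell so
# ExecutablePath is readable for all processes.
$sys32 = Join-Path $env:SystemRoot 'System32'
# Assumption: default locations and usual parents for commonly mimicked names.
$expected = @{
    'svchost.exe'   = @{ Path = "$sys32\svchost.exe";   Parent = 'services.exe' }
    'taskhostw.exe' = @{ Path = "$sys32\taskhostw.exe"; Parent = 'svchost.exe' }
    'lsass.exe'     = @{ Path = "$sys32\lsass.exe";     Parent = 'wininit.exe' }
}

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($p in $procs) {
    $rule = $expected[$p.Name.ToLower()]
    if (-not $rule) { continue }
    $reasons = @()
    # 1. The image on disk must be the real binary in System32 (case-insensitive compare).
    if ($p.ExecutablePath -and $p.ExecutablePath -ne $rule.Path) {
        $reasons += "image path $($p.ExecutablePath)"
    }
    # 2. The parent should be the component that normally spawns it.
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne $rule.Parent) {
        $reasons += "parent $parentName (expected $($rule.Parent))"
    }
    if ($reasons.Count) {
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Reason = ($reasons -join '; ') }
    }
}

$findings | Format-Table -AutoSize
```

This only surfaces name mimicry; code injected into a genuine svchost.exe passes both checks, which is exactly why the post says an empty Task Manager proves nothing.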

Kanakops

I think you just had a bad dream...
I wish even today that it was just a bad dream.

A lot of malware uses a technique called running process injection. They oftentimes will inject themselves into the memory of common Windows components (svchost, taskhost, etc.), or if they're primitive/unsophisticated, they'll just mimic a process name of something that is usually benign. This is to avoid easy detection through the Task Manager. This also helps in evading anti-virus detection. So, just because you don't see a process for the binary you executed doesn't mean that it's not running. And, like I mentioned, most malware has VM detection, so if it detects that it's being run in a VM, it won't execute at all (anti-debugging measure), or it'll use something to break out of the VM and infect the host instead.

Oh ok, so that explains what happened. Like I said, I executed a lot of them and "nothing" was happening, and two viruses got detected:
[attached screenshot]
(I didn't show this one because it was blocked without any problem)

and this:
[attached screenshot of the detection]


I didn't know anything about mikatz.gen!f (and I still don't know anything about it now; I didn't find this exact version on the internet).

So my theory is that mikatz.gen!F understood it was inside my VM and escaped. Why wasn't it blocked properly? I don't know. Anyway, this story is still stressful for me. I wiped Windows, put Manjaro Linux on, removed it and put Windows back, but in the process I still kept some files in the backup (nothing related to Windows, but movies/games...), and even though I did some scans with Malwarebytes and Windows Defender I still think there's a chance it's still on my computer in some way (for example if the virus infected/corrupted other files in my backup).

Joom

It's rather uncommon for malware to "worm" your personal files, especially videos and music. It tends to lead to data corruption, thus making the infection fruitless. This isn't the 90s where malware operators act like malicious pranksters. Malware is all about making money off of harvested data these days, so preserving that data and staying as low key as possible is the goal. It's more common to download an infected video or song file that was specially crafted to have a payload in the header data of the container. This said, worming is still a practice, but it's more network focused. Operators will infect network shares on a corporate network, for example, thus spreading the malware to every networked computer with access to those shares.

Kanakops

You could just reinstall Windows. Would probably fix your problems.

I already did it. I was on Windows and thought "hey, I'll just take advantage of this situation and move to Linux", but I didn't like it, and because I play a lot of games / use some types of software I didn't want to bang my head on the table searching for a way to make everything compatible, so I came back to a fresh installation of Windows. I probably don't have any virus and I'm just paranoid for nothing right now.
 

godreborn

I once got a virus that would crash the computer if I tried to remove it. What I did to fix it was reflash an old disk image. You can try to reinstall Windows fresh, as I think the serial number is part of the mobo or injected into it anyway from the factory. That's what Dell told me anyway, as it won't ask for it if you download the reinstaller from, say, Dell or the manufacturer of your computer to get Windows back from being messed up. It will erase everything though, which is why I always suggest making a disk image every few months. Don't put it on auto in case something goes wrong and you have an infected disk image as well.

linuxares

If you want to test viruses, I would recommend you put it on its own LAN that doesn't have any access to the internet or anything. That way if it's a worm it won't run amok.

Also try using Hitman Pro.

godreborn

I also did this in case I have to start over. I have everything mirrored in directories named after them, and each install exe (some might be old, but you can usually update from within the app):

[attached screenshots of the directory listing]
It takes about an hour and a half to get everything back from nothing this way.

Joom

I'm honestly hoping the Linux community stays small because I enjoy not having to worry about viruses.
Hate to burst your bubble, but there are exploits that come out for Linux software all the time. There's plenty of viruses. The userbase of Linux is actually quite large, too, thanks to Android (which is riddled with malware). Not to mention most of the Internet is run by Linux, so there's that. That kinda makes it a common target.
 

linuxares

Hate to burst your bubble, but there are exploits that come out for Linux software all the time. There's plenty of viruses. The userbase of Linux is actually quite large, too, thanks to Android (which is riddled with malware). Not to mention most of the Internet is run by Linux, so there's that. That kinda makes it a common target.
Correct, but a lot of the viruses either get patched quickly or never even reach outside of the home folder.
 

Zyvyn

Hate to burst your bubble, but there are exploits that come out for Linux software all the time. There's plenty of viruses. The userbase of Linux is actually quite large, too, thanks to Android (which is riddled with malware). Not to mention most of the Internet is run by Linux, so there's that. That kinda makes it a common target.
I meant more the desktop scene; most of the stuff by Google is basically already malware.