Appendix A. Use case

Here we will study how we used Dr.Web FixIt! to find and cure the Trojan.AutoIt.289 malware on a user’s computer.

Stated Problem

A user was concerned that for an unknown reason, they could not open the website of an anti-virus product to activate a trial version.

We used Dr.Web FixIt! to look into the issue.

Solution

As usual, we started by going through our standard preparation steps:

created a task

generated the analyzing tool

sent the tool to the user

uploaded the report on the state of the system

We will not describe those steps in detail here, because they are simple and always the same. You can read more about them in the Task section.

Working with Report

The main event started when we received the report with the system analysis.

We went to the Search and analyze tab of the report and started by filtering for malicious and suspicious files.

We selected the following General filters:

Downloaded files

Scripting language interpreters

New executables

Unsigned untrusted executables

Rootkits

Unsigned executables

Files with unusual arkstatus

Suspicious software

Hacktools software

Files with unusual certificates

and the following Detects filters:

Cloud URL detects

Non-signature detects

Signature detects

Reputation-based detects

Figure 22. Selected filters

This is a standard set of filters that can help you find the majority of threats.

General filters are heuristic. We use them to look for unsigned, hidden, and generally suspicious files. A file matched by one of these filters is not automatically malicious, but combined with the information from other filters, the matches let us draw conclusions.

Filters in the Detects section, as the name suggests, show files that triggered a detection. They narrow the search considerably from the start, so we began the analysis there.

After a bit of looking around, we found a likely suspect amongst the Reputation-based detects. This filter displays verdicts from Doctor Web’s Metawave reputation database, that is, files that were at some point detected as infected, suspicious, coming from a suspicious vendor, or clean.

Figure 23. Reputation-based detects

It showed us several files labeled as infected, including the widely known xmrig-cuda.dll malicious library, but our biggest find was the file C:\ProgramData\RealtekHD\taskhostw.exe, a hallmark of Trojan.AutoIt.289. As soon as we saw it, we knew that the user’s computer was infected by this trojan.

Because Trojan.AutoIt.289 comes up often in our work, FixIt! has a dedicated filter for it. We selected it to find all affected files and processes.

The Trojan.AutoIt.289 Filter

The Trojan.AutoIt.289 filter displays files, processes, and startup elements affected by this trojan.

We selected this filter on the Defined filters tab and expanded the table to view results.

Figure 24. The Trojan.AutoIt.289 filter

All we had to do next was to select an action for each element.

Curing

Available actions depend on the element type. To select all elements at once, we checked the checkbox at the top of the column. Note that only elements with available actions were selected (for instance, loaded modules have no action and were left unselected).

Then, one element type at a time, we chose the type in the drop-down menu above the table and the action to apply to it.

For instance, for the Processes element type, we selected Kill, and it was applied to each element of this type.

Figure 25. Selecting actions

We did the same for the other element types, selecting Cure, Delete, or Disinfect as appropriate for each.

The selected actions were listed on the Selected Actions tab for us to review.

Figure 26. Selected actions

When we made sure that all required actions were properly saved, we clicked Create to generate a curing tool for the user.

Before creating the tool, FixIt! allowed us to review the script, so that we could add or edit commands manually if we needed to.

Figure 27. The resulting script

Optimizing

Although the script above is fully functional and able to solve the issues it was created for, an advanced FixIt! user can still optimize it, either when selecting actions or when reviewing the script.

What we found:

The proc-kill commands should come first in the script: all commands except the -inspect ones run in script order, and the trojan’s processes have to be killed before the computer can be cured.

When run, the cure-file and ark-disinfect commands also kill the corresponding processes and remove the related startup elements, so any other command that does the same to the same object can be safely removed from the script.

The cure-file and ark-disinfect commands give essentially the same results when applied to the same object. In our case, some objects appeared both under Signature detections and under Files, so two kinds of action could be applied to them, and we had applied both without first checking whether it was necessary.

When we deleted all redundant commands from the script, it looked like this:

Figure 28. The optimized script
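The three clean-up rules above, applied mechanically to a script, as an added illustration that is not Dr.Web code: the one-command-per-line "command object" format, the -inspect handling and the sample script are assumptions; only the command names come from this guide.

```python
"""Model of the Optimizing rules for a FixIt! curing script (illustration only).
Assumed format: one "<command> <object>" per line. Command names are the guide's;
the line format, -inspect handling and the sample below are assumptions."""

# Commands that also kill the object's process and remove its startup
# elements, so any other command aimed at the same object is redundant.
CURING = ("cure-file", "ark-disinfect")

# Constructed sample, not a real FixIt! script: the RealtekHD path is the one
# named in the use case; PLACEHOLDER paths stand in for objects not on the page.
SAMPLE_SCRIPT = r"""
cure-file C:\ProgramData\RealtekHD\taskhostw.exe
ark-disinfect C:\ProgramData\RealtekHD\taskhostw.exe
-inspect C:\ProgramData\RealtekHD
proc-kill C:\ProgramData\RealtekHD\taskhostw.exe
ark-disinfect C:\PLACEHOLDER\dropped.exe
proc-kill C:\PLACEHOLDER\helper.exe
"""


def parse(script: str) -> list[tuple[str, str]]:
    """Split the script into (command, object) pairs, skipping blank lines."""
    pairs = []
    for line in script.splitlines():
        if line.strip():
            cmd, _, obj = line.strip().partition(" ")
            pairs.append((cmd, obj.strip()))
    return pairs


def optimize(script: str) -> list[tuple[str, str]]:
    cmds = parse(script)
    # Rules 2 and 3: one curing command per object is enough, and anything
    # else (except an -inspect) aimed at an object being cured can go.
    cured = {obj.lower() for cmd, obj in cmds if cmd in CURING}
    kept, already_cured = [], set()
    for cmd, obj in cmds:
        key = obj.lower()
        if cmd in CURING:
            if key in already_cured:
                continue  # second cure-file/ark-disinfect on the same file
            already_cured.add(key)
        elif cmd != "-inspect" and key in cured:
            continue  # e.g. proc-kill of a process that cure-file kills anyway
        kept.append((cmd, obj))
    # Rule 1: every command but -inspect runs in script order, so the
    # remaining kills go first; the position of -inspect does not matter.
    kills = [c for c in kept if c[0] == "proc-kill"]
    return kills + [c for c in kept if c[0] != "proc-kill"]


def render(pairs: list[tuple[str, str]]) -> str:
    return "\n".join(f"{cmd} {obj}" for cmd, obj in pairs)


if __name__ == "__main__":
    print(render(optimize(SAMPLE_SCRIPT)))
```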

By pressing Create once again we generated the final version of our FixIt! curing tool and sent it to the user.

Result

After the user ran the tool, we used the Compare reports feature to compare the resulting report with the previous one and made sure nothing suspicious was left on the affected computer.