Appendix A. Use Case

Here we will study how we can use Dr.Web FixIt! to find and neutralize the Trojan.AutoIt.289 hyper link malware on a user’s computer.

Problem description

A user was concerned they could not open the website of an anti-virus product to activate a trial version, for an unknown reason.

We will use Dr.Web FixIt! to look into the issue.

Solution

As usual, we will start with our standard preparation steps. We should:

create a task,

generate an analyzing tool,

send a tool to the user,

upload a system state report.

Since those steps are always the same and simple, we will not detail them here. You can read more about them in the relevant sections.

Working with a report

We will start the main work once we receive the computer status report. At first, we will analyze a report using widgets. At the Widgets tab, we can see that the Dangerous widget is triggered.

Figure 18. Analyzing a report using widgets

Figure 18. Analyzing a report using widgets

Let’s click Details at the bottom of the widget to see all triggered filters. What immediately catches the eye in the filter list is the Trojan.AutoIt.289 filter, which outputs all files, processes and startup items compromised by the Trojan. When expanding the result table for Trojan.AutoIt.289, we will see the file C:\ProgramData\RealtekHD\taskhostw.exe, the signature move of Trojan.AutoIt.289. As soon as we saw it, we knew that the user’s computer was infected by this trojan. Moreover, the result table shows the widely known malicious library, xmrig-cuda.dll:

Figure 19. The Trojan.AutoIt.289 filter

Figure 19. The Trojan.AutoIt.289 filter

All we have to do next is to select an action for each object found with the filter and create a curing tool.

Selecting an action to handle malicious objects

We will start by closing all filters except Trojan.AutoIt.289, as they are not needed. To do this, we will click close_circle next to each filter. Then, we need to choose appropriate actions for the objects found by the Trojan.AutoIt.289 filter. Different object types support different actions. To start choosing actions for each type, we should select checkboxes for all objects on the table. To do this, we will select the top checkbox in the first column; then, we will proceed to the next page of the table and repeat this process there. Note that we can only select objects to which actions can be assigned (e.g. there are no actions available for Loaded modules).

Next, in the Type drop-down above the object list we will choose the object types and the related actions that a curing FixIt! tool is required to perform.

For the Processes type, we will choose Kill as shown below.

Figure 20. Selecting actions

Figure 20. Selecting actions

Then, we will do the same for other object types: for Registry startups and Files types, we will choose the Disinfect action, for Signature detections — Cure, and for the Services, Accounts, and Scheduled tasks types — Delete.

You can view the selected actions on the Selected actions tab.

Figure 21. Selected actions

Figure 21. Selected actions

Creating a curing tool

When we make sure that all required actions are properly saved, we will click Create to generate a curing tool for the user.

Before building a tool, you can review the generated script and add the commands manually if needed.

Figure 22. The resulting script

Figure 22. The resulting script

Although the script above is fully functional and able to solve the issues it was generated for, we can still optimize it, either when selecting actions or reviewing the script.

What we can see:

When run, the cure-file and ark-disinfect commands kill the corresponding processes and remove startup elements, that is, all the other commands that do the same with the same objects can be safely removed from the script. That means that we can remove the proc-kill commands from the script.

The cure-file and ark-disinfect commands give essentially the same results when applied to the same object. In our case, some objects were detected both as Signature detections and Files, so that two kinds of actions could be applied to them, which we did before checking thoroughly whether it was necessary.

When we’ve deleted the redundant commands from the script, it will be as follows.

Figure 23. The optimized script

Figure 23. The optimized script

By pressing Create once again we will generate the final version of our FixIt! curing tool and send it to the user.

Result

After the user run the tool, we used the Compare reports feature to compare the resulting report with the previous one and made sure nothing suspicious was left on the affected computer.