Windows Defender detected Trojan:Win32/Nymaim

When I checked a Windows 10 system to ensure that the Windows 7 backup program that is scheduled to perform weekly backups of the system was functioning properly, I found that the last successful backup occurred on November 11, 2018. When I clicked on "More information" to determine the cause of the weekly backups failing, I saw the message "Operation did not complete successfully because the file contains a virus or potentially unwanted software." So I opened the Windows Security application by clicking on the Windows Start button, then selecting Settings, then Update & Security, then Windows Security. I then clicked on Virus & threat protection and selected Protection history, which showed an entry of "Remediation incomplete" for the backup that ran on February 16, 2020. The issue encountered was listed as "servere." I clicked on the downward-pointing arrowhead next to "severe" which showed the following for the malware detected:

Threat detected:Trojan:Win32/Nymaim
Alert level:Severe
Date:2/16/2020 10:46 PM
Category:Trojan
Details:This program is dangerous and executes commands from an attacker.

The affected item is listed below:

file: \Device\HarddiskVolumeShadowCopy23\ProgramData\doublers-8\doublers-22.exe

Windows Defender detected 
Trojan:Win32/Nymaim

I opened a command prompt window with administrator privileges and saw that the C:\ProgramData\doublers-8 directory containing the trojan appeared to have been created on May 26, 2018.

C:\ProgramData>dir /ad doublers-8
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\ProgramData\doublers-8

05/26/2018  01:04 AM    <DIR>          .
05/26/2018  01:04 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  849,119,535,104 bytes free

C:\ProgramData>dir /s doublers-8
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\ProgramData\doublers-8

05/26/2018  01:04 AM    <DIR>          .
05/26/2018  01:04 AM    <DIR>          ..
04/06/2018  09:37 PM           749,568 doublers-22.exe
               1 File(s)        749,568 bytes

     Total Files Listed:
               1 File(s)        749,568 bytes
               2 Dir(s)  849,119,477,760 bytes free

C:\ProgramData>

I turned off Windows Defender real-time protection feature temporarily so I could copy the malware to another system for later analysis and upload it to Google's VirusTotal service which will scan uploaded files with multiple antivirus products. VirusTotal reported that 53 of the 71 antivirus programs with which it scanned the uploaded doublers-22.exe file reported it as malware (PDF, online). Details on the malware provided by VirusTotal are shown below - PDF of details and online details.

MD5c0349f7e5f29303b590e2ec3e4ce565c
SHA-195d5f0bb8482dca21b3b2033a58f3074235fab6d
SHA-256a3e958b079fa5cb46121dcf3afb552cd2fddb00360a659a31bc3d61366972c2f
Vhash0750365d7810a2z13z11nzbfz
Authentihash5b61e952e01c3c2ed665ddf3a9956a89170806052d92677354a1b0787b5eaa65
Imphashd9663130003e6fb29c10fccaf129c56c
SSDEEP12288:JBi8CTxHXOJDxFN7dMLbMpmHVQz5E0JsZrMGI3l4Izj3zp1zeDsI+Klq:CDXS/NRMLbMp+O+UsuGul4Gjjp16+K
File typeWin32 EXE
MagicPE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size732.00 KB (749568 bytes)

The file doublers-22.exe can be downloaded for analysis - use a userid of zoo and a password of malware to download the file, which will likely reqiure any antivirus software on the system on which the file is being downloaded is temporarily disabled.

I opened the Registry Editor and searched for doublers.exe, but did not find any references to it in the Windows registry. I deleted the doublers-8 directory and the doublers-22.exe file from the command prompt. I then turned Windows Defender's real-time protection capability back on and started another backup.

Related articles:

  1. Turning off Windows Defender Temporarily