When I checked a Windows 10 system to ensure that the Windows 7 backup program that is scheduled to perform weekly backups of the system was functioning properly, I found that the last successful backup occurred on November 11, 2018. When I clicked on "More information" to determine the cause of the weekly backups failing, I saw the message "Operation did not complete successfully because the file contains a virus or potentially unwanted software." So I opened the Windows Security application by clicking on the Windows Start button, then selecting Settings, then Update & Security, then Windows Security. I then clicked on Virus & threat protection and selected Protection history, which showed an entry of "Remediation incomplete" for the backup that ran on February 16, 2020. The issue encountered was listed as "severe." I clicked on the downward-pointing arrowhead next to "severe," which showed the following for the malware detected:
Threat detected:  Trojan:Win32/Nymaim
Alert level:      Severe
Date:             2/16/2020 10:46 PM
Category:         Trojan
Details:          This program is dangerous and executes commands from an attacker.
The affected item is listed below:
file: \Device\HarddiskVolumeShadowCopy23\ProgramData\doublers-8\doublers-22.exe
I opened a command prompt window with administrator privileges and saw that the C:\ProgramData\doublers-8 directory containing the trojan appeared to have been created on May 26, 2018.
C:\ProgramData>dir /ad doublers-8
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\ProgramData\doublers-8

05/26/2018  01:04 AM    <DIR>          .
05/26/2018  01:04 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  849,119,535,104 bytes free

C:\ProgramData>dir /s doublers-8
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\ProgramData\doublers-8

05/26/2018  01:04 AM    <DIR>          .
05/26/2018  01:04 AM    <DIR>          ..
04/06/2018  09:37 PM           749,568 doublers-22.exe
               1 File(s)        749,568 bytes

     Total Files Listed:
               1 File(s)        749,568 bytes
               2 Dir(s)  849,119,477,760 bytes free

C:\ProgramData>
I turned off Windows Defender's real-time protection feature temporarily so I could copy the malware to another system for later analysis and upload it to Google's VirusTotal service, which scans uploaded files with multiple antivirus products. VirusTotal reported that 53 of the 71 antivirus programs with which it scanned the uploaded doublers-22.exe file reported it as malware (PDF, online). Details on the malware provided by VirusTotal are shown below (PDF of details and online details).
MD5           c0349f7e5f29303b590e2ec3e4ce565c
SHA-1         95d5f0bb8482dca21b3b2033a58f3074235fab6d
SHA-256       a3e958b079fa5cb46121dcf3afb552cd2fddb00360a659a31bc3d61366972c2f
Vhash         0750365d7810a2z13z11nzbfz
Authentihash  5b61e952e01c3c2ed665ddf3a9956a89170806052d92677354a1b0787b5eaa65
Imphash       d9663130003e6fb29c10fccaf129c56c
SSDEEP        12288:JBi8CTxHXOJDxFN7dMLbMpmHVQz5E0JsZrMGI3l4Izj3zp1zeDsI+Klq:CDXS/NRMLbMp+O+UsuGul4Gjjp16+K
File type     Win32 EXE
Magic         PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File size     732.00 KB (749568 bytes)
The file doublers-22.exe can be downloaded for analysis. Use a userid of zoo and a password of malware to download the file, which will likely require that any antivirus software on the system to which the file is being downloaded be temporarily disabled.
I opened the Registry Editor and searched for doublers.exe, but did not find any references to it in the Windows registry. I deleted the doublers-8 directory and the doublers-22.exe file from the command prompt. I then turned Windows Defender's real-time protection capability back on and started another backup.
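The same triage can be done from an elevated PowerShell prompt instead of clicking through Windows Security, and doing it that way surfaces two things the click-through hides. First, the path Defender reported, \Device\HarddiskVolumeShadowCopy23\..., is inside a Volume Shadow Copy snapshot; snapshots are read-only to the engine, which is why the entry says "Remediation incomplete", and deleting the live file under C:\ProgramData leaves that snapshot copy in place until the snapshot ages out. Second, a folder-scoped exclusion is a narrower way to copy the sample out than switching real-time protection off for the whole machine. The script below is an added example, not code from the original post; it assumes Windows 10 with the Defender PowerShell module, uses the file path and SHA-256 reported above, and treats C:\Evidence as an assumed destination folder. If Tamper Protection is enabled, the Add-MpPreference and Remove-MpPreference calls are refused and the exclusion has to be added from the Windows Security UI instead.

```powershell
# Added example, not code from the original post. Assumes an elevated
# PowerShell on Windows 10 with the Defender module, and uses the path and
# SHA-256 the post reports for doublers-22.exe. C:\Evidence is an assumed
# destination folder.
$SuspectDir     = 'C:\ProgramData\doublers-8'
$SuspectFile    = Join-Path $SuspectDir 'doublers-22.exe'
$ReportedSha256 = 'a3e958b079fa5cb46121dcf3afb552cd2fddb00360a659a31bc3d61366972c2f'
$EvidenceDir    = 'C:\Evidence'   # assumed

# 1. Defender's own record of the detection, including the path it hit.
#    A Resources entry under \Device\HarddiskVolumeShadowCopyN\ means the
#    match was inside a VSS snapshot, which the engine cannot modify; that
#    is what "Remediation incomplete" comes from.
Get-MpThreat | Where-Object ThreatName -like 'Trojan:Win32/Nymaim*' |
    Select-Object ThreatName, ThreatID, SeverityID, IsActive | Format-List
Get-MpThreatDetection | Where-Object { $_.Resources -match 'doublers' } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 2. Confirm the live file is the sample VirusTotal analysed before acting
#    on it, and record its timestamps. In the post's dir output the file's
#    last-write time (04/06/2018) predates the directory's creation
#    (05/26/2018), which is consistent with a dropper writing a file that
#    carried its own timestamp rather than a file created on this host.
if (Test-Path -LiteralPath $SuspectFile) {
    $item   = Get-Item -LiteralPath $SuspectFile
    $sha256 = (Get-FileHash -LiteralPath $SuspectFile -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        Created     = $item.CreationTime
        LastWritten = $item.LastWriteTime
        SHA256      = $sha256
        MatchesVT   = ($sha256 -ieq $ReportedSha256)
    } | Format-List
}

# 3. Preserve a copy without switching real-time protection off for the
#    whole machine: exclude only the two folders involved, and remove the
#    exclusions in a finally block so a failed copy cannot leave them behind.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
try {
    Add-MpPreference -ExclusionPath $SuspectDir, $EvidenceDir
    Copy-Item -LiteralPath $SuspectFile -Destination (Join-Path $EvidenceDir 'doublers-22.exe.bin')
} finally {
    Remove-MpPreference -ExclusionPath $SuspectDir, $EvidenceDir
}

# 4. Persistence check: every string value under HKLM and HKCU, plus
#    scheduled tasks and services, searched for the directory name.
$hits = @()
$hits += Get-ChildItem -Path 'HKLM:\', 'HKCU:\' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $v = $key.GetValue($name)
            if ($v -is [string] -and $v -match 'doublers') { "$($key.Name)\$name = $v" }
        }
    }
$hits += Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'doublers' } |
    ForEach-Object { "task: $($_.TaskPath)$($_.TaskName)" }
$hits += Get-CimInstance Win32_Service | Where-Object PathName -match 'doublers' |
    ForEach-Object { "service: $($_.Name) -> $($_.PathName)" }
if ($hits) { $hits } else { 'no persistence references to "doublers" found' }

# 5. Remove the live copy and rescan. This does not touch the read-only
#    copy inside HarddiskVolumeShadowCopy23, so a later scan or backup can
#    hit that snapshot again until it ages out; list the snapshots before
#    deciding whether to delete old ones with vssadmin.
Remove-Item -LiteralPath $SuspectDir -Recurse -Force
Start-MpScan -ScanType CustomScan -ScanPath 'C:\ProgramData'
vssadmin list shadows /for=C:
```

Step 4 is deliberately broader than the author's Registry Editor search: a search for the literal string doublers.exe would not match doublers-22.exe, so the script matches on the directory name instead and also looks at scheduled tasks and services, which are the other common places a dropped executable is referenced.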