Author Topic: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning  (Read 3439 times)


Offline lady777

  • Newbie
  • Posts: 9
Hello! I hope someone can help me. Avast has found and removed the same malware 3 times. It is being moved to the chest but keeps returning. A screenshot of the virus is attached. I was not able to find anything online about "camoca mosim". Most topics regarding VBS downloader are old or require me to download premium software. Any help or guidance would be appreciated! Thank you.

https://ibb.co/T209SXx
« Last Edit: August 02, 2020, 08:37:11 PM by lady777 »

Offline Milos

  • Avast team
  • Super Poster
  • Posts: 2290
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #1 on: August 03, 2020, 04:25:28 PM »
Hello,
this looks like some random name. Can you post the SHA256 of the file in the virus chest, or send the file to VirusTotal and post the link to the scan result, please?

Milos

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #2 on: August 03, 2020, 06:35:35 PM »
In addition, can you please run these scans? https://forum.avast.com/index.php?topic=194892.0
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline lady777

  • Newbie
  • Posts: 9
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #3 on: August 03, 2020, 09:27:13 PM »
Thanks for the responses! Forgive my ignorance, how do I create a "SHA256" of the file? In the virus chest, I see an extract option. (Image attached of my virus chest with the options I see.) Is this what you mean? I hesitated to do that just in case that is not what you meant. And then if that is the case, I then go to VirusTotal and scan the file, posting results here? Thanks for the help! :D

https://gofile.io/d/RFPcdo


Offline lady777

  • Newbie
  • Posts: 9
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #4 on: August 03, 2020, 09:28:51 PM »
As an FYI, I did "send the file" to Avast for analysis already. There wasn't an option to send it anywhere else when you click "send for analysis".

Offline lady777

  • Newbie
  • Posts: 9
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #5 on: August 03, 2020, 10:25:19 PM »
Here are the Malwarebytes results. There were 40 finds, 3 of them malicious. I did go ahead and quarantine. The first scan did not include a rootkit scan, so I'm scanning again. I did see the "camoca mosim" verbiage in these initial results.

-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27887
License: Trial

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 343194
Threats Detected: 40
Threats Quarantined: 40
Time Elapsed: 16 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 5
PUP.Optional.InstallCore, HKU\S-1-5-21-1723383654-43535822-1689055409-1001\SOFTWARE\CSASTATS\ic, Quarantined, 504, 586068, 1.0.27887, , ame,
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{83033A57-B072-4BE1-819F-7FA1C2374C30}, Quarantined, 6519, 512672, , , ,
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{83033A57-B072-4BE1-819F-7FA1C2374C30}, Quarantined, 6519, 512672, , , ,
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Camoco Mosim, Quarantined, 6519, 512672, 1.0.27887, , ame,
PUP.Optional.WinYahoo.TskLnk, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{5ED6B616-0E56-6796-BFD6-17166F56C496}, Quarantined, 897, 542290, , , ,

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\USERS\LCOUL\APPDATA\LOCAL\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}, Quarantined, 897, 542290, 1.0.27887, , ame,
PUP.Optional.MySearchDial, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 115, 663899, , , ,
PUP.Optional.Conduit, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 193, 454832, , , ,

File: 31
PUP.Optional.WinYahoo, C:\WINDOWS\TASKS\Yahoo! Powered conol.job, Quarantined, 240, 308966, 1.0.27887, , ame,
PUP.Optional.WinYahoo.TskLnk, C:\PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\HowToRemove.lnk, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\USERS\LCOUL\APPDATA\LOCAL\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HOWTOREMOVE\HOWTOREMOVE.HTML, Quarantined, 897, 542290, 1.0.27887, , ame,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\chromium-min.jpg, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\control panel-min-min.JPG, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\down.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\ff menu.JPG, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\ff search engine-min.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\hp-min ff.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\hp-min ie.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\search engine.gif, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\setup pages.gif, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\sp-min.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\start-min.jpg, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\up.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\lanatino, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\lelinice, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\uninst.exe, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local\{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\uninstp.dat, Quarantined, 897, 542290, , , ,
PUP.Optional.AuslogicsDiskDefrag, C:\USERS\LCOUL\DESKTOP\BOOK OF LIFE\DISK-DEFRAG-SETUP.EXE, Quarantined, 3516, 353217, 1.0.27887, , ame,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\010036.ldb, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\010038.log, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\010039.ldb, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-002896, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 115, 663899, 1.0.27887, , ame,
PUP.Optional.Conduit, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 193, 454832, 1.0.27887, , ame,

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #6 on: August 03, 2020, 10:49:17 PM »
Nothing in the MBAM logs indicates a VBS infection, just some PUA/PUPs. From the same instructions, can you run Farbar Recovery Scan Tool (FRST)?

As for hashing a file - in a PowerShell prompt (hit the Windows button, type "Windows PowerShell", right click and run as Administrator).

Type the following command, exactly as written: Get-FileHash 'C:\Windows\System32\Tasks\Camoca Masim' -Algorithm SHA256

Edit: Rather than have you play around in PowerShell (not recommended), post the VirusTotal results; they will give us the hash.
« Last Edit: August 03, 2020, 10:50:59 PM by Michael (alan1998) »
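The hashing step Michael describes, written out as an added example (my own script, not code from this thread, from Avast or from VirusTotal): it hashes the suspect task file with Get-FileHash, builds the VirusTotal hash-lookup URL (searching by hash only asks whether VirusTotal already knows the file; nothing is uploaded), and, if the file has already been moved to the chest, falls back to listing recently written entries in the Tasks folder so the same name can be found again. The path is the one quoted in the thread; the 30-day window and the function names are my own assumptions.

```powershell
# Added example, not code from the thread. Hash a suspect scheduled-task file for a
# VirusTotal lookup; if it is already gone (quarantined), list recent task files instead.
# Run from an elevated prompt: C:\Windows\System32\Tasks is not readable by standard users.
$SuspectPath = 'C:\Windows\System32\Tasks\Camoca Masim'   # path quoted in the thread

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        Write-Warning "Not found: $FilePath (already in the virus chest? hash it from there instead)"
        return $null
    }
    $item = Get-Item -LiteralPath $FilePath
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path          = $item.FullName
        SizeBytes     = $item.Length
        LastWriteTime = $item.LastWriteTime
        SHA256        = $hash
        # A hash search checks VirusTotal's existing records; the file itself is not sent anywhere
        VirusTotalURL = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
    }
}

function Get-RecentTaskFiles {
    # Task definitions are XML files without an extension. A task that adware registered
    # shows up here as a recently written file, however odd its name looks.
    param([int]$Days = 30)   # window is an assumption; widen it if the problem is older
    Get-ChildItem -LiteralPath 'C:\Windows\System32\Tasks' -Recurse -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

$report = Get-SuspectFileReport -FilePath $SuspectPath
if ($report) { $report | Format-List } else { Get-RecentTaskFiles | Format-Table -AutoSize }
```

If the script prints the warning instead of a hash, the file has most likely already been quarantined, which is exactly the "file cannot be found" situation that comes up later in the thread; the recent-files listing then shows whether a task of the same name has been recreated since.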

Offline lady777

  • Newbie
  • Posts: 9
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #7 on: August 03, 2020, 11:10:01 PM »
Thank you for your time! That's weird. The results before I quarantined and exported results showed 3 malicious files were found and the rest were PUPs. Are you referring to https://www.virustotal.com/? What file would I be submitting to them?

I am comfortable using PowerShell unless you feel this would reactivate any virus issues.

I did complete another Malwarebytes scan with rootkit selected and zero issues were found.

Offline Pondus

  • Probably Bot
  • Posts: 37475
  • Not a avast user
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #8 on: August 03, 2020, 11:13:46 PM »
Quote
What file would I be submitting to them?
C:\Windows\System32\Tasks\Camoca Masim

Post the link to the scan result here.



Offline lady777

  • Newbie
  • Posts: 9
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #9 on: August 03, 2020, 11:39:36 PM »
Here are the Farbar scan results - attached.

Offline lady777

  • Newbie
  • Posts: 9
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #10 on: August 03, 2020, 11:42:11 PM »
I used the link you gave me; that also matches what my Avast showed, but that file cannot be found, maybe because it was quarantined?

Quote
What file would I be submitting to them?
C:\Windows\System32\Tasks\Camoca Masim

Post the link to the scan result here.

Offline Pondus

  • Probably Bot
  • Posts: 37475
  • Not a avast user
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #11 on: August 04, 2020, 12:06:00 AM »
Quote
I used the link you gave me, that also matches what my avast showed but that file cannot be found, maybe because it was quarantined?
That may be it, but you said in your first post " It is being moved to the chest but keeps returning"
Maybe Malwarebytes got it?


Anyway, @Sass Drake will check your attached logs when he is online



Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #12 on: August 04, 2020, 01:13:15 AM »
Ah - I'm blind. Malwarebytes removed the threat that Avast! is complaining about. Detected as Adware, not a VBS Downloader.

Quote
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Camoco Mosim, Quarantined, 6519, 512672, 1.0.27887, , ame,

Updates/Uninstall Apps (Acrobat is in Version 17.011.X):
Code:
(Adobe Systems Inc.) [File not signed] C:\Program Files (x86)\Adobe\Acrobat 6.0\Distillr\acrotray.exe
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe (Remove - Outdated Application)

Sass Drake will need to double check your logs, but mrt.exe shouldn't be blocked on a typical system.
Code:
Task: {170FC629-E5C7-4297-B4B7-091F09138452} - System32\Tasks\nelicil\{7518481C-EF1F-6C31-85F6-06EACB1AC84E} => C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
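To see what the two FRST lines Michael flagged actually point at on a machine, here is an added read-only triage script (my own example; it is not part of the thread and is not FRST, Malwarebytes or Avast code). It lists every scheduled task whose action runs from a user-writable folder such as AppData or ProgramData, the pattern behind the nelicil.exe task above, hashes the target if it still exists, and dumps the Software Restriction Policy "Disallowed" path rules under HKLM, which is where a Group Policy block on a path like %systemroot%\system32\mrt.exe is normally stored. The list of user-writable folders and the function names are my assumptions; the registry location is the standard one for SRP path rules.

```powershell
# Added triage example, not from the thread. Read-only: it reports, it removes nothing.
function Get-TaskActionsInUserWritablePaths {
    # Folders that need no admin rights to write to, which is why adware droppers and
    # downloaders favour them. The list is an assumption; extend it for your environment.
    $userWritable = @('\AppData\', '\ProgramData\', '\Temp\', '\Users\Public\', '\Downloads\')

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $hit = $userWritable | Where-Object { $exe -like "*$_*" }
            if (-not $hit) { continue }

            # FRST printed the path with an 8.3 short name (751848~1); Windows still
            # resolves such names, so Test-Path and Get-FileHash work on them unchanged.
            $sha256 = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            } else { 'FILE MISSING (quarantined?)' }

            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $exe
                Arguments = $action.Arguments
                SHA256    = $sha256
            }
        }
    }
}

function Get-SrpDisallowedPathRules {
    # Software Restriction Policy path rules; security level 0 = Disallowed. A rule whose
    # ItemData is %systemroot%\system32\mrt.exe silently blocks the Malicious Software Removal Tool.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (-not (Test-Path -LiteralPath $base)) { return }
    foreach ($rule in Get-ChildItem -LiteralPath $base) {
        $props = Get-ItemProperty -LiteralPath $rule.PSPath
        [pscustomobject]@{
            RuleId      = $rule.PSChildName
            BlockedPath = $props.ItemData
            Expanded    = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
        }
    }
}

Get-TaskActionsInUserWritablePaths | Format-Table -AutoSize
Get-SrpDisallowedPathRules        | Format-Table -AutoSize
```

Run it from an elevated prompt so that every task and the policy key are readable. Legitimate software does occasionally schedule tasks from AppData (updaters in particular), so the first table is a list to review, not a list to delete; the hash column is what you would look up on VirusTotal, as in the earlier replies. An entry in the second table naming mrt.exe is not a normal default and explains the FRST "Group Policy restriction on software" line.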

Offline lady777

  • Newbie
  • Posts: 9
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #13 on: August 05, 2020, 01:14:38 AM »
Thanks so much guys for the help! It does appear that Malwarebytes got it, assuming it doesn't come back again like it did in Avast. So I guess it's not as harmful as an actual VBS downloader, that's good news!

Let me know what I should do about this part in quotes below. I'm not sure what this is for. I use Spybot Search & Destroy, possibly blocking the mrt.exe file? I do recognize the HKLM from some Spybot scan results in the past.

"Task: {170FC629-E5C7-4297-B4B7-091F09138452} - System32\Tasks\nelicil\{7518481C-EF1F-6C31-85F6-06EACB1AC84E} => C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION"

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Malware VBS Downloader Camoca Mosim in System32 Keeps Returning
« Reply #14 on: August 05, 2020, 06:47:24 PM »
Quote
Thanks so much guys for the help! It does appear that Malwarebytes got it, assuming it doesn't come back again like it did in Avast. So I guess it's not as harmful as an actual VBS downloader, that's good news!

Let me know what I should do about this part in quotes below. I'm not sure what this is for. I use Spybot Search & Destroy, possibly blocking the mrt.exe file? I do recognize the HKLM from some Spybot scan results in the past.

"Task: {170FC629-E5C7-4297-B4B7-091F09138452} - System32\Tasks\nelicil\{7518481C-EF1F-6C31-85F6-06EACB1AC84E} => C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION"

I've sent this thread to Sass Drake for review; not sure if he never saw it or what. Whilst you wait,

Code:
VirusTotal: C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe

Save that to a file called "fixlist" with the TXT extension. Place the file in the same directory as the FRST executable. Open the FRST executable and press "fix". It will run and save a new file with the results. Please upload that file here.