
How much can a Trojan do in 15 seconds?

Princess

Long story short, I wasn't wary today and downloaded a jpeg that came bundled with a nice side-helping of the Sabsik.FL.B!ml Trojan virus. 
Windows Defender noticed it within 10 seconds, quarantined and removed it. 
How much could it have done in that timeframe? 

What steps should I take now to secure my privacy (passwords, identity), IP address and... well, whatever else it might have done?


5 minutes ago, Princess said:

Long story short, I wasn't wary today and downloaded a jpeg that came bundled with a nice side-helping of the Sabsik.FL.B!ml Trojan virus. 
Windows Defender noticed it within 10 seconds, quarantined and removed it. 
How much could it have done in that timeframe? 

What steps should I take now to secure my privacy (passwords, identity), IP address and... well, whatever else it might have done?

I'm already coming


 

In honesty though, I would just use some free antivirus checker like Malwarebytes to see.

░█▀▀█ ▒█░░░ ▒█▀▀▄ ▒█▀▀▀ ▒█▀▀█   ▒█░░░ ░█▀▀█ ▒█░▄▀ ▒█▀▀▀ 
▒█▄▄█ ▒█░░░ ▒█░▒█ ▒█▀▀▀ ▒█▄▄▀   ▒█░░░ ▒█▄▄█ ▒█▀▄░ ▒█▀▀▀ 
▒█░▒█ ▒█▄▄█ ▒█▄▄▀ ▒█▄▄▄ ▒█░▒█   ▒█▄▄█ ▒█░▒█ ▒█░▒█ ▒█▄▄▄


It is possible the virus is still there and will come back when you reboot. Are you a full admin with UAT disabled? I found this site which has some info: https://applefixes.com/threat-encyclopedia/trojanwin32-sabsik-fl-bml/

If you have critical data on that machine I would shut it down, put the HDD in another computer as a secondary and copy your files off just in case it is encrypting all your data (possibly too late by now).

 


3 minutes ago, Allan B said:

It is possible the virus is still there and will come back when you reboot. Are you a full admin with UAT disabled? I found this site which has some info: https://applefixes.com/threat-encyclopedia/trojanwin32-sabsik-fl-bml/

If you have critical data on that machine I would shut it down, put the HDD in another computer as a secondary and copy your files off just in case it is encrypting all your data (possibly too late by now).

 

Luckily, I've got all my data backed up on a separate SSD that wasn't connected when the virus got installed. I'm not worried about losing data, I'm worried about how much information they could have gotten. 

 

How do I disable UAT? 

 

 

 


9 minutes ago, Princess said:

Luckily, I've got all my data backed up on a separate SSD that wasn't connected when the virus got installed. I'm not worried about losing data, I'm worried about how much information they could have gotten. 

 

How do I disable UAT?

Run something like Spybot - Search & Destroy (my weapon of choice) in SAFE MODE, without networking to minimise the possibility of it finding somewhere to hide...

I frequently edit any posts you may quote; please check for anything I 'may' have added.

 

Did you test boot it, before you built in into the case?

WHY NOT...?!


If all you did was download the file and it was detected before you opened it, then it didn't do anything. If it was detected while you were opening it, then it probably didn't do anything. If it was detected after it had opened and run, there's no way of knowing what it did during that time.

¯\_(ツ)_/¯

 

 

Desktop:

Intel Core i7-11700K | Noctua NH-D15S chromax.black | ASUS ROG Strix Z590-E Gaming WiFi  | 32 GB G.SKILL TridentZ 3200 MHz | ASUS TUF Gaming RTX 3080 | 1TB Samsung 980 Pro M.2 PCIe 4.0 SSD | 2TB WD Blue M.2 SATA SSD | Seasonic Focus GX-850 Fractal Design Meshify C Windows 10 Pro

 

Laptop:

HP Omen 15 | AMD Ryzen 7 5800H | 16 GB 3200 MHz | Nvidia RTX 3060 | 1 TB WD Black PCIe 3.0 SSD | 512 GB Micron PCIe 3.0 SSD | Windows 11


I had something similar not too long ago.

In my case the JPEG actually ran a CMD through a VBS and downloaded a RAT, my guess is that your Defender saw either the VBS or the CMD command and threw the thing in the trash.

 

So, very likely they have nothing because the actual dangerous thing, the RAT, was never on your system.

They might have your IP, but that in itself is not that useful for the hacker. Usually the people doing those things are hoping the RAT works, so they can take control of your system and try to steal passwords or empty your PayPal account. At least that is what the asshole that hacked my computer with a RAT tried.

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon


16 minutes ago, BobVonBob said:

If all you did was download the file and it was detected before you opened it, then it didn't do anything. If it was detected while you were opening it, then it probably didn't do anything. If it was detected after it had opened and run, there's no way of knowing what it did during that time.

 

12 minutes ago, samcool55 said:

I had something similar not too long ago.

In my case the JPEG actually ran a CMD through a VBS and downloaded a RAT, my guess is that your Defender saw either the VBS or the CMD command and threw the thing in the trash.

 

So, very likely they have nothing because the actual dangerous thing, the RAT, was never on your system.

They might have your IP, but that in itself is not that useful for the hacker. Usually the people doing those things are hoping the RAT works, so they can take control of your system and try to steal passwords or empty your PayPal account. At least that is what the asshole that hacked my computer with a RAT tried.

Yeah, I'll admit that I wasn't exactly sober (Cider night :(( ) and when opening the .jpeg, it asked me for permission to run the file. Didn't really think about it, but then I realized. It'd been on there for about 20 seconds. 
EDIT: Yes, that means the program was installed. Windows Defender, immediately upon its installation, started screaming at me, but it was installed for a handful of seconds.

 

I'm assuming I should go and change all my passwords. Everything important has 2FA, which should take a bit of time to get through, if they do. 

I just wanna make sure to remove it completely before I go and change anything. Defender has properly quarantined it, I think, but I'm still running a Defender full scan + Malwarebytes full scan simultaneously. That should definitely weed it out, yes? 

 


3 minutes ago, Princess said:

 

I'm assuming I should go and change all my passwords. Everything important has 2FA, which should take a bit of time to get through, if they do. 

I just wanna make sure to remove it completely before I go and change anything. Defender has properly quarantined it, I think, but I'm still running a Defender full scan + Malwarebytes full scan simultaneously. That should definitely weed it out, yes? 

I'd rather recommend a full Windows reinstall. You never know.

On 4/5/2024 at 10:13 PM, LAwLz said:

I am getting pretty fucking sick and tired of the "watch something else" responses. It's such a cop out answer because you could say that about basically anything, and it doesn't address the actual complaints. People use it as some kind of card they pull when they can't actually respond to the criticism raised but they still feel like they need to defend some company/person. If you don't like this thread then stop reading it. See how stupid it is? It's basically like telling someone "shut the fuck up". It's not a clever responsive, it doesn't address anything said, and it is rude. 

 ^

 

bruh switch to dark mode its at the bottom of this page

VPN Server Guide


If the antivirus detected it, chances are it was never executed so your computer is safe.

 

Basically, a modern antivirus no longer relies on just "fingerprints" or "signatures" to detect if a file is a virus. They also run "virtual computers" where they load the file in memory in that virtual computer, launch it and look at the inputs and outputs to detect if the file is malicious. 

Because of this, it could be that for some files the antivirus may take more than a second or two to determine if the file is a virus or not - and in the meantime the file should not actually run on your real computer. Until the antivirus reported the file as a virus, the file was in limbo; it didn't actually run on your computer.

Another scenario is possible. The fake picture you downloaded wasn't the virus, but actually a small dropper - an application that just downloads the actual virus from somewhere, maybe as an encrypted archive, then decrypts the archive, saves the program somewhere and makes a "start this application next time the computer starts" entry, or launches that program right after it's downloaded.

So maybe your antivirus allowed the dropper to be installed on your computer and even let you run the application, because just by itself it's not something that harms your computer - it's just a small application that tries to download a file and run it.

A few seconds or 10 seconds later, when the application managed to download the virus and attempted to run it, only then did the antivirus analyze the download and block it as a virus. Then, most likely after the block, the antivirus deleted the downloaded (malicious) file, leaving just the original dropper (downloader) on your computer.

In the future, if you download something from debatable sites, make a habit of uploading the file to VirusTotal - it will scan the file with lots of antiviruses and you'll be able to determine if the file is bad or not (e.g. if 5 antiviruses say the file is bad but 30 antiviruses say it's good, chances are those 5 antiviruses are wrong).

 


1 hour ago, Princess said:

How do I disable UAT? 

 

 

 

You don't want to disable it, it is a layer of protection. If you are opening something that needs admin access that should not (like viewing a picture), you need to click "no".


UAC (I suppose that's what has been talked about?) was the thing that asked you for permission. Even if this time you made a mistake by allowing a random file to be executed, I would not recommend turning off UAC, like ever.

 

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


1 hour ago, mariushm said:

If the antivirus detected it, chances are it was never executed so your computer is safe.

 

Basically, a modern antivirus no longer relies on just "fingerprints" or "signatures" to detect if a file is a virus. They also run "virtual computers" where they load the file in memory in that virtual computer, launch it and look at the inputs and outputs to detect if the file is malicious. 

Because of this, it could be that for some files the antivirus may take more than a second or two to determine if the file is a virus or not - and in the meantime the file should not actually run on your real computer. Until the antivirus reported the file as a virus, the file was in limbo; it didn't actually run on your computer.

Another scenario is possible. The fake picture you downloaded wasn't the virus, but actually a small dropper - an application that just downloads the actual virus from somewhere, maybe as an encrypted archive, then decrypts the archive, saves the program somewhere and makes a "start this application next time the computer starts" entry, or launches that program right after it's downloaded.

So maybe your antivirus allowed the dropper to be installed on your computer and even let you run the application, because just by itself it's not something that harms your computer - it's just a small application that tries to download a file and run it.

A few seconds or 10 seconds later, when the application managed to download the virus and attempted to run it, only then did the antivirus analyze the download and block it as a virus. Then, most likely after the block, the antivirus deleted the downloaded (malicious) file, leaving just the original dropper (downloader) on your computer.

In the future, if you download something from debatable sites, make a habit of uploading the file to VirusTotal - it will scan the file with lots of antiviruses and you'll be able to determine if the file is bad or not (e.g. if 5 antiviruses say the file is bad but 30 antiviruses say it's good, chances are those 5 antiviruses are wrong).

 

As it turns out, Windows Defender, after a full scan, found the same Trojan again. Specifically, it was in some AppData folder, something with INet? I can't exactly figure it out. 
It's been there for at least an hour. That is how long the scan took. 

 

Right now, I'm in Safe Mode with Networking, with a Malwarebytes scan running. Am I safe to try and reset all my passwords now? Or should I wait for it to finish, and then do it? 

Please, if you can offer any advice for how to remedy the situation and save my personal information, I would really appreciate it. 


18 minutes ago, Princess said:

As it turns out, Windows Defender, after a full scan, found the same Trojan again. Specifically, it was in some AppData folder, something with INet? I can't exactly figure it out. 
It's been there for at least an hour. That is how long the scan took. 

Just because the file was there, it doesn't necessarily mean that the trojan or virus managed to actually run or do anything bad. 

Could be something like this: the malicious application wrote the file in that folder, tried to launch it and the antivirus intercepted it and blocked the launch, but then the antivirus failed to erase the file from that folder... so the virus file just remained in that folder. 

Could be there was a registry entry or something that programmed Windows to launch the virus next time Windows starts, but again, the antivirus would have intercepted the launch, blocked it and attempted to remove the file again.

So all this time, the virus didn't actually run in order to do anything bad to your computer.

These days, trojans, if they successfully manage to infect a computer, will mostly scan browser folders (Firefox, Chrome etc.) to get cookies and cached passwords, then scan for Outlook and Thunderbird and other email client passwords, other product keys from the registry, then maybe implement some sort of keylogger, an application running in the background to log when you log in to Steam, PayPal, crypto sites etc.

 

 


25 minutes ago, mariushm said:

Just because the file was there, it doesn't necessarily mean that the trojan or virus managed to actually run or do anything bad. 

Could be something like this: the malicious application wrote the file in that folder, tried to launch it and the antivirus intercepted it and blocked the launch, but then the antivirus failed to erase the file from that folder... so the virus file just remained in that folder. 

Could be there was a registry entry or something that programmed Windows to launch the virus next time Windows starts, but again, the antivirus would have intercepted the launch, blocked it and attempted to remove the file again.

So all this time, the virus didn't actually run in order to do anything bad to your computer.

These days, trojans, if they successfully manage to infect a computer, will mostly scan browser folders (Firefox, Chrome etc.) to get cookies and cached passwords, then scan for Outlook and Thunderbird and other email client passwords, other product keys from the registry, then maybe implement some sort of keylogger, an application running in the background to log when you log in to Steam, PayPal, crypto sites etc.

 

 

Right! Thanks! And, just in case it DID run (which, again, I think it might've, considering I also pressed an .exe file and said Yes to it running. Defender only caught it 10 seconds later.) 

How do I detect a keylogger? Do I have no other options than a full reinstall? Would even that not work, is it a Ring 0 program? Can it get on the motherboard itself? 
Secondly, about the application running in the background to log when I login: how do I detect/remove that? 


As for now all you can do is a Malwarebytes scan and maybe again a Defender scan... I mean it removed the file now, right, so it shouldn't reappear. 

As for what you could do besides a fresh Windows install *if* this file did something (however unlikely): that depends on what it actually is and if it's known. 

What is the file called, and maybe the website (name) where you downloaded it... it would be relatively simple to run a VirusTotal check to see if it's a known threat. 

 

 



4 hours ago, Princess said:

Sabsik.FL.B!ml Trojan

Ah so we know the name...

 

https://www.virustotal.com/gui/file/ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e/detection

 

 

Also check "behavior"; you could also check if it made registry entries... (as mentioned on VirusTotal, this thing actually disguises itself as svchost.exe, a Windows system process, kinda nasty, hah)

But given DEFENDER recognized it, I don't think it did anything; as already said, 10 seconds means nothing, that would just be the time it takes Defender to check the file...  

Also GOOD NEWS, this is a bitcoin miner, I think it's not interested in your personal data and more in your actual hardware and its mining capabilities! 😮

Tldr: I think if neither Malwarebytes nor Defender find it again you're probably safe. 
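Two pieces of advice in this thread (mariushm's point that a dropper may leave a "start this next time the computer starts" entry behind, and Mark Kaine's suggestion to compare the file against the VirusTotal hash and look for the registry entries it is known to create) are exactly the kind of checks worth scripting rather than eyeballing. The Python below is an added example, not code from this thread or from Defender, Malwarebytes or VirusTotal: it hashes a file and compares the digest with the SHA-256 from the VirusTotal link quoted above, and it parses a `.reg` export of the current user's Run key (the sample export is constructed for the example, with a made-up user profile path, and mirrors what `reg export` of that key produces) and flags entries that launch `svchost.exe` from anywhere but System32 or start anything out of a user-writable folder such as AppData or INetCache. Only plain string (REG_SZ) values are handled; that simplification is the example's own.

```python
import hashlib
import re
import tempfile

# SHA-256 taken from the VirusTotal link quoted in the thread. Any other hash
# added here would be a placeholder you supply yourself.
KNOWN_BAD_SHA256 = {
    "ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e",
}

# The only folders a genuine svchost.exe is loaded from (compared lowercase).
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Path fragments that mean "user-writable drop location" (compared lowercase).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\inetcache\\", "\\downloads\\")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad_hash(digest: str) -> bool:
    """True if the digest matches a hash already known to be malicious."""
    return digest.lower() in KNOWN_BAD_SHA256


# Constructed .reg export of HKCU\...\Run (not from the thread). Real exports
# double every backslash and write embedded quotes as \".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="\"C:\\Users\\princess\\AppData\\Local\\Microsoft\\Windows\\INetCache\\svchost.exe\""
"Discord"="C:\\Users\\princess\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STRING_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str):
    """Return (key, value_name, command) for each REG_SZ value in a .reg export.

    Simplification for this example: hex(...) values (REG_EXPAND_SZ etc.) are skipped.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and key is not None:
            # Undo .reg escaping: "\\" -> "\" and '\"' -> '"'.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, m.group("name"), data))
    return entries


def exe_path_from_command(command: str) -> str:
    """Pull the executable path out of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def triage_autoruns(entries):
    """Flag Run/RunOnce entries that deserve a closer look; returns (key, name, reason)."""
    findings = []
    for key, name, command in entries:
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        exe = exe_path_from_command(command).lower()
        folder = exe.rsplit("\\", 1)[0] if "\\" in exe else ""
        if exe.endswith("\\svchost.exe") and folder not in LEGIT_SVCHOST_DIRS:
            findings.append((key, name, "svchost.exe outside System32"))
        elif any(marker in exe for marker in USER_WRITABLE_MARKERS):
            # Plenty of legitimate software (Discord, for one) updates itself from
            # AppData, so this rule is a prompt to verify the entry, not a verdict.
            findings.append((key, name, "autorun from user-writable folder"))
    return findings


if __name__ == "__main__":
    # Hash a constructed harmless file; a real check would point at the download.
    with tempfile.NamedTemporaryFile(suffix=".jpg", delete=False) as tmp:
        tmp.write(b"constructed harmless sample, not a real download")
    digest = sha256_of_file(tmp.name)
    print(f"{tmp.name}: {digest} known-bad={is_known_bad_hash(digest)}")
    for key, name, reason in triage_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{reason}: {name} under {key}")
```

On the constructed export the script flags the `WinUpdate` entry (an `svchost.exe` sitting in INetCache, the disguise mentioned above) and the `Discord` entry (an AppData autorun that is almost certainly benign), and leaves OneDrive alone. That second hit is the point of the comment in the code: a user-writable autorun is a reason to look, and the hash comparison or the VirusTotal report is what turns a look into a decision.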

 



9 minutes ago, Mark Kaine said:

Ah so we know the name...

 

https://www.virustotal.com/gui/file/ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e/detection

 

 

Also check "behavior" you could also check if it made registry entries...

 

 

But given DEFENDER recognized it, i don't think it did anything,  as already said 10 seconds means nothing that would just be the time it takes defender to check the file...  

 

 

Also GOOD NEWS, this is a bitcoin miner, I think it's not interested in your personal data and more in your actual hardware and its mining capabilities! 😮

 

 

 

Tldr: I think if neither malware nor Defender find it again you're probably safe. 

 

How do I check behavior, and registry entries? Please help :(( 


Just now, Princess said:

How do I check behavior, and registry entries? Please help :(( 

I meant on the VirusTotal page... it gives you a good overview, and also where to find the registry entries; you could simply check if any of those were made - but DO NOT REMOVE OR CHANGE anything in the registry, just check. If you find any of those entries take screenshots and post them here.

But... first you should run a Malwarebytes scan... did it find anything? And also a Defender scan - as I said it should not find it again... if it does that would be a problem.

 



1 minute ago, Mark Kaine said:

I meant on the VirusTotal page... it gives you a good overview, and also where to find the registry entries; you could simply check if any of those were made - but DO NOT REMOVE OR CHANGE anything in the registry, just check. If you find any of those entries take screenshots and post them here.

But... first you should run a Malwarebytes scan... did it find anything? And also a Defender scan - as I said it should not find it again... if it does that would be a problem.

 

I am currently in Safe Mode with Networking. 
Defender's scan is not running. It stays at 0. 
However, Malwarebytes is up and running just fine. 

 


13 minutes ago, Princess said:

I am currently in Safe Mode with Networking. 
Defender's scan is not running. It stays at 0. 
However, Malwarebytes is up and running just fine. 

 

Ok, well let's hope it doesn't find anything. Also you shouldn't run Defender and Malwarebytes at the same time, rather one after the other.

And did you check "scan for rootkits"? ... that's kinda important, I have no idea why this isn't checked by default (also obviously check all drives, as MWB only scans the boot drive by default - for whatever reason...)

 


 

 

I have never used this in safe mode, I don't think it's necessary, but it can't hurt either. 

 

 



8 minutes ago, Mark Kaine said:

I meant on the virustotal page... it gives you a good overview,  and also where to find the registry entries,  you could simply check if any of those were made - but DO NOT REMOVE OR CHANGE anything in the registry,  just check. If you find any of those entries take  screen shots and post them here.

 

But... first you should run malwarebytes scan... did it find anything? And also defender scan  - as I said it should not find it again... if it does that would be a problem  

 

Okay, so, initial digging into the registry shows no keys have been changed, pretty much. Still checking every single one of them, but they don't seem to be the values listed on the virustotal website. 
 


7 minutes ago, Princess said:

Okay, so, initial digging into the registry shows no keys have been changed, pretty much. Still checking every single one of them, but they don't seem to be the values listed on the virustotal website. 
 

Hmm, good. Honestly I understand why you're concerned - you clicked the yes thing  - but you probably shouldn't be, it's basically a double protection. 

So UAC asks you to run a program , you say "yes" (well oof...)

 

*Next* thing it says "virus found"...!

 

 

That's what happened right?

 

So then you would need to explicitly allow this "virus" to run (make an exception basically) and you didn't do that... 

 

 

Ergo,  no virus has been installed... (like 99.99999% likelihood...)

 

 



15 minutes ago, Mark Kaine said:

Hmm, good. Honestly I understand why you're concerned - you clicked the yes thing  - but you probably shouldn't be, it's basically a double protection. 

So UAC asks you to run a program , you say "yes" (well oof...)

 

*Next* thing it says "virus found"...!

 

 

That's what happened right?

 

So then you would need to explicitly allow this "virus" to run (make an exception basically) and you didn't do that... 

 

 

Ergo,  no virus has been installed... (like 99.99999% likelihood...)

 

 

These seem to line up. Both the simple values are exactly that. 
The long value is also identical. However, the key in my registry is about 20 times longer than that, there's a bunch more things. 


