RECYCLER.BIN Virus in a Third World Country


  1. Posts : 18
    Windows 10
       #1



    Recently, I reached out to this community who, needless to say, were fantastic in helping me (by helping, I mean you guys literally made it for me, so thank you) devise a way to autoscan USBs on installation/plugging in (link below).

    Looking for general antivirus advice in a third world country

    To rehash: I work in a Third World Country assisting their government (mainly Police) with western infrastructure, mainly IT and other modern equipment; most/all of this comes from my government's foreign aid budget. They have no internet connection (usually).

    There was a major issue a few months back where every computer I came across was riddled with viruses (record was 45 on one system). Problem fixed, and the AutoScan that this community basically made for me works like a treat.

    So, as the community recommended, I have constructed a "sheep dip" out of an old SurfacePro that functions as an AutoScan computer: plug in the USB and the BAT file/USBDeview will do the rest (basically my colleagues can do that...... not much else LOL). I have aptly named this system "The Virus Eliminator".

    Now onto problem number 2, recovery of data on the USBs themselves. So I have grabbed a few USBs off the local guys and been running them through the scan. The scan will remove the viruses, but I am still left with a USB that has had its root directory changed (RECYCLER.BIN), so the information is way way way way down in about 15 sub folders which you will have to show hidden files and folders and show system files to reach. Some data is encrypted or, well, I'm not actually sure what it is; usually a file containing 300MB of gibberish files with no file extension. I opened one in Notepad and it looks like script.

    So Google pointed me towards the CMD lines of:
    (X being the drive letter)
    The good old check disk with fix:

    chkdsk X: /f
    &
    attrib -h -r -s /s /d X:\*.*

    If I do that I can get to most of the files and start moving things back to the main directory, but I am still left with about 600MB of who the DUCK knows what data that I just end up nuking because I don't know what it is or how to recover it; so, like an Irishman wearing two condoms, I am "sure to be sure", deleting it.

    I did locate a sneaky BAT file in all the garbage that the virus had put on the drive. Obviously I won't post it here because I might get into trouble, but I am sure some expert could possibly tell me how to perhaps reverse it?

    It contains 6 lines of script, all starting with %comspec%: 1 line pertaining to systeminfo, 1 pertaining to ipconfig, 1 pertaining to netstat, 1 pertaining to arp -a and one pertaining to tasklist; the 6th line of text is del %0.

    Has anyone had experience with the RECYCLER.BIN virus? I would really like to have another BAT file that could reverse all this destruction, or something simple that I can use. I am not going to be here much longer and once I leave I fear that nobody will give enough of a damn to bother trying to help these people.


  2. Posts : 2,800
    Windows 7 Pro
       #2

    Hi,

    You can post the batch file, no problem; it's leftovers of one of the viruses that infected the drives. It's certainly benign on its own.

    At first view it seems to gather system and network information, before attempting to delete itself.

    But without knowing the exact commands, it's pretty difficult to evaluate what it could serve.


  3. Posts : 18
    Windows 10
    Thread Starter
       #3

    MaloK said:
    Hi,

    You can post the batch file, no problem; it's leftovers of one of the viruses that infected the drives. It's certainly benign on its own.

    At first view it seems to gather system and network information, before attempting to delete itself.

    But without knowing the exact commands, it's pretty difficult to evaluate what it could serve.
    Thank you again MaloK!

    Sorry for the late reply, I didn't have the script on my work laptop so had to wait to get into the office to get a copy.

    And I think you are 100% correct: gather system info, get the IP address, use it, find open port, send info, then delete; is that correct?

    OK, the script I found in a *.BAT file is as follows:

    %comspec% /q /c systeminfo >D:\RECYCLER.BIN\AE66F62C162106BE\c3lzLmluZm8
    %comspec% /q /c ipconfig /all >>D:\RECYCLER.BIN\AE66F62C162106BE\c3lzLmluZm8
    %comspec% /q /c netstat -ano >>D:\RECYCLER.BIN\AE66F62C162106BE\c3lzLmluZm8
    %comspec% /q /c arp -a >>D:\RECYCLER.BIN\AE66F62C162106BE\c3lzLmluZm8
    %comspec% /q /c tasklist /v >>D:\RECYCLER.BIN\AE66F62C162106BE\c3lzLmluZm8
    del %0

    So what I'm finding is most of the USBs have been hijacked and the contents moved to a sub directory, usually with no name on that folder; the RECYCLER.BIN folder usually has anywhere from 300MB to 12GB of files in it. Am I correct in assuming it has encrypted the data on the USB and has hijacked it? [attached image: unhealthy-usb.jpg]
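    The recovery commands in the first post (chkdsk, then attrib to strip the hidden/system bits and move folders back to the root) and the batch file above both point at the same on-disk pattern: a RECYCLER.BIN folder that the worm writes into, decoy executables at the root, and the user's real folders displaced into a folder with a blank-looking name. The Python script below is an added example for the sheep-dip machine, not code from the thread or from any tool mentioned in it. It walks a USB drive (or a copy of its tree) and reports those indicators without changing anything, then prepares a dry-run plan for moving the displaced folders back to the root; the decoy names it knows come from the Defender detections posted later in the thread, and treating any .exe named after a sibling folder as the same kind of decoy is my generalisation. The file name c3lzLmluZm8 written by the batch file is plain base64 for sys.info, so the script decodes base64-looking names it finds under RECYCLER.BIN. The sample tree it builds for the demo is constructed.

```python
"""Triage a USB drive (or a copied tree) for the RECYCLER.BIN pattern from the thread.
Added example. Dry run: nothing is moved or deleted unless apply_plan() is called."""
import base64
import os
import shutil
import tempfile
from pathlib import Path

# Root-level decoy executables, named after the Defender detection paths in the thread.
# Assumption (generalisation): any .exe whose base name equals a sibling folder's name
# is treated as the same kind of decoy.
KNOWN_DECOYS = {"autorun.inf.exe", "recycler.bin.exe", "system volume information.exe"}


def decode_b64_name(name):
    """Decode a base64 file name (padding optional); None unless printable ASCII results.
    The collection file c3lzLmluZm8 from the batch file decodes to sys.info."""
    padded = name + "=" * (-len(name) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def triage(root):
    """Walk the tree and collect indicators; the tree itself is not modified."""
    root = Path(root)
    found = {"recycler_dirs": [], "decoy_exes": [], "collected_info": [], "displaced_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        in_recycler = any(p.upper() == "RECYCLER.BIN" for p in here.relative_to(root).parts)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in dirnames:
            if name.upper() == "RECYCLER.BIN":
                found["recycler_dirs"].append(str(here / name))
            elif here == root and name.strip() == "":  # the "no name" folder holding user data
                found["displaced_dirs"].append(str(here / name))
        for name in filenames:
            low = name.lower()
            if low in KNOWN_DECOYS or (low.endswith(".exe") and low[:-4] in sibling_dirs):
                found["decoy_exes"].append(str(here / name))
            elif in_recycler and (decoded := decode_b64_name(name)):
                found["collected_info"].append((str(here / name), decoded))
    return found


def restore_plan(root, found):
    """Pair each entry of a displaced folder with its original root location; collisions
    (a root entry with the same name already exists) are reported, not overwritten."""
    root = Path(root)
    plan, skipped = [], []
    for d in found["displaced_dirs"]:
        for entry in sorted(Path(d).iterdir()):
            target = root / entry.name
            (skipped if target.exists() else plan).append((str(entry), str(target)))
    return plan, skipped


def apply_plan(plan):
    """Move entries back to the root; call only after reviewing the dry-run plan."""
    for src, dst in plan:
        shutil.move(src, dst)


def build_sample(base):
    """Constructed toy tree mirroring the layout described in the thread."""
    base = Path(base)
    bin_dir = base / "RECYCLER.BIN" / "AE66F62C162106BE"
    bin_dir.mkdir(parents=True)
    (bin_dir / "c3lzLmluZm8").write_text("Host Name: CONSTRUCTED-PC\n")  # constructed content
    displaced = base / "\u00a0"  # whitespace-named folder where the real data was moved
    (displaced / "Temp").mkdir(parents=True)
    (displaced / "Temp" / "report.docx").write_bytes(b"constructed user data")
    (base / "Photos").mkdir()
    for decoy in ("autorun.inf.exe", "RECYCLER.BIN.exe",
                  "System Volume Information.exe", "Photos.exe"):
        (base / decoy).write_bytes(b"MZ")  # harmless stand-in for a decoy executable
    return base


def run_demo():
    """Build the constructed sample in a temp dir, triage it, return the dry-run results."""
    sample = build_sample(tempfile.mkdtemp(prefix="usb-triage-"))
    report = triage(sample)
    plan, skipped = restore_plan(sample, report)
    return report, plan, skipped


if __name__ == "__main__":
    report, plan, skipped = run_demo()
    for key, items in report.items():
        print(f"{key}:", *items, sep="\n  ")
    print("would move:", plan, "\ncollisions skipped:", skipped)
```

    Run it against the real drive with triage("E:\\") and restore_plan(...) first, read the plan, and only then call apply_plan(); keep a copy of the RECYCLER.BIN contents somewhere offline before deleting anything, since that folder is where the identification evidence lives. The script deliberately stops at hidden-attribute handling, which attrib already covers.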


  4. Posts : 2,800
    Windows 7 Pro
       #4

    No Problem sir,

    Good chances are that the content has been encrypted, but what I find elusive is that these viruses habitually leave some traces that permit identifying them. From the BAT file you posted:

    My first guess is the systems are infected with:

    Backdoor.Win32.PLUGX.EYSGVM or Trojan:Win32/Plugx.AA!MTB. Follow the guide there (Backdoor.Win32.PLUGX.EYSGVM - Threat Encyclopedia) to verify if it's the case.

    They often leave text files with instructions on how to pay a ransom to obtain decryption keys, etc...

    You need to find something that will enable you to positively identify what virus is operating. Your best bet is to be able to put a name on that creep; there is possibly a remedy already existing.

    Then you will be able to assess if the encryption used is reversible by brute force and develop a counter initiative.

    Another point that is good to know is that nearly all these viruses, when they encrypt data "without an active internet connection", will default to a built-in encryption key.

    These are often well known by antivirus developers. And if it's the case, once identified you have a good chance of being able to use a third-party decryption tool to recover the data.


  5. Posts : 18
    Windows 10
    Thread Starter
       #5

    MaloK said:
    No Problem sir,

    Good chances are that the content has been encrypted, but what I find elusive is that these viruses habitually leave some traces that permit identifying them. From the BAT file you posted:

    My first guess is the systems are infected with:

    Backdoor.Win32.PLUGX.EYSGVM or Trojan:Win32/Plugx.AA!MTB. Follow the guide there (Backdoor.Win32.PLUGX.EYSGVM - Threat Encyclopedia) to verify if it's the case.

    They often leave text files with instructions on how to pay a ransom to obtain decryption keys, etc...

    You need to find something that will enable you to positively identify what virus is operating. Your best bet is to be able to put a name on that creep; there is possibly a remedy already existing.

    Then you will be able to assess if the encryption used is reversible by brute force and develop a counter initiative.

    Another point that is good to know is that nearly all these viruses, when they encrypt data "without an active internet connection", will default to a built-in encryption key.

    These are often well known by antivirus developers. And if it's the case, once identified you have a good chance of being able to use a third-party decryption tool to recover the data.
    MaloK, I bow at your feet, oh exalted one!

    You are correct, I should have manually eradicated the viruses rather than let the AutoScan nuke them before I got a chance to work out what they are. I will, when I get to my office, check and see if I can find the scan log from the last USB.

    Last time I found a stash of viruses I did take names and chew bubblegum, resulting in me sending my boss a 15 page rant on the impossibility of the situation we find ourselves in.

    So the viruses I was able to identify last time were the following (3 Trojans if I'm (or Google is) correct?):

    CoinMiner.AQ
    Lodbak.ink
    Dynamer

    They (or at least 1 was) were getting around in an executable called "HenrySuperJuniorPictures.exe"; apparently it's too irresistible for people not to double click on things that they do not know where they came from (smacks forehead).

    All right, what I will do is manually scan and identify the viruses then get back to you. See if we can reverse this carnage.

    PS: Tried to give you more street cred (thanks) MaloK but it won't let me, said I need to share it around a bit.

    - - - Updated - - -

    So I went through Windows Event Viewer and found the viruses that were ripped off the last USB I came across.

    They are:

    1:
    Name: Trojan:Win32/Gemalind.A!rfn
    ID: 2147746598
    Severity: Severe
    Category: Trojan
    Path: file:_D:\Temp\USB3MON.exe
    Detection Origin: Local machine
    Detection Type: Concrete

    2:
    Name: Backdoor:Win32/Plugx!MTB
    ID: 2147816293
    Severity: Severe
    Category: Backdoor
    Path: file:_D:\Temp\RECYCLER.BIN\1\AvastAuth.dat; file:_D:\ \Temp\RECYCLER.BIN\1\AvastAuth.dat; file:_D:\ \Temp\ \Temp\RECYCLER.BIN\1\AvastAuth.dat; file:_D:\ \Temp\ \Temp\ \Temp\RECYCLER.BIN\1\AvastAuth.dat; file:_D:\ \Temp\ \Temp\ \Temp\ \Temp\RECYCLER.BIN\1\AvastAuth.dat; file:_D:\ \Temp\ \Temp\ \Temp\ \Temp\ \Temp\RECYCLER.BIN\1\AvastAuth.dat; file:_D:\ \Temp\ \Temp\ \Temp\ \Temp\ \Temp\ \Temp\RECYCLER.BIN\1\AvastAuth.dat
    Detection Origin: Local machine
    Detection Type: Concrete

    3:
    Name: Trojan:Win32/Korplug!MSR
    ID: 2147752072
    Severity: Severe
    Category: Trojan
    Path: file:_D:\Temp\RECYCLER.BIN\1\wsc.dll
    Detection Origin: Local machine
    Detection Type: Concrete

    4:
    Name: Trojan:JS/Obfuse!MSR
    ID: 2147748627
    Severity: Severe
    Category: Trojan
    Path: file:_D:\ \Files.js
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: User

    5:
    Name: Trojan:Win32/Sabsik.TE.B!ml
    ID: 2147780201
    Severity: Severe
    Category: Trojan
    Path: file:_D:\autorun.inf.exe; file:_D:\RECYCLER.BIN.exe; file:_D:\System Volume Information.exe
    Detection Origin: Local machine
    Detection Type: FastPath
    Detection Source: User

    I'm just about to start Googling to see what might be a solution.


  6. Posts : 2,800
    Windows 7 Pro
       #6

    McManny said:
    MaloK, I bow at your feet oh exulted one!
    Thanks... But don't bow too far... I wouldn't want to be the cause of superfluous backache.

    McManny said:
    You are correct, I should have manually eradiated the viruses rather than let the AutoScan nuke them before I got a chance to work out what they are. I will when I get to my office check and see if I can find the scan log from the last USB.
    It's understandable that when you are fending off a herd of zombies, one would not be inclined to historically document the fight as it is going on.

    McManny said:
    Last time I found a stash of viruses I did take names and chew bubblegum, resulting in me sending my boss a 15 page rant on the impossibility of the situation we find ourselves in.
    I Giga-Sympathize with you... I've been doing Corporate Security for more than 20 years, including surveillance, access and network security; I have a good idea of the level of stress you ride at the moment... You're in a situation that requires taking actions that are thoroughly thought out, and there's the uncertainty left that no one and nothing can tell you if you are doing it right.

    While ranting seems a little bit of a waste of time, it has at least 2 positive effects.

    1) Eye opener for one party,
    2) Steam pressure release for the other.

    And a good rant is always a pleasure to read. I'm sure your boss enjoyed it, but he probably won't tell you before a couple of Christmas parties.

    McManny said:
    So the viruses I was able to identify last time were the following (3 Trojans if I'm (or Google is) correct?):

    CoinMiner.AQ
    Lodbak.ink
    Dynamer

    They (or at least 1 was) were getting around in an executable called "HenrySuperJuniorPictures.exe"; apparently it's too irresistible for people not to double click on things that they do not know where they came from (smacks forehead).

    All right what I will do is manually scan and identify the viruses then get back to you. See if we can reverse this carnage.

    - - - Updated - - -

    So I went through Windows Event Viewer and found the viruses that were ripped off the last USB I came across.

    They are:
    There's no apparent Crypto-Virus in the list you have at the moment. But 2 of the backdoors found could have served to implement any kind of payload.

    In your list the virus #2: Win32/Plugx!MTB is the one that left the bat file you found.

    Check the computers for "unknown" user profiles named, for example, AdminGG1 or AdminGG1.MachineName.

    If they exist, in these folders you have chances to find the hacking tools that were used, often including but not limited to:

    NetScan
    Download Master
    Notepad ++
    WinPcap or npCap
    RDPSS
    ShadowBroker-Master
    TDSKiller
    WinHide.SB
    FRST
    Unlocker
    Lockout Status
    Log parser
    PHP and Python
    all kinds of scripts

    If any of these dubious files are found located in an "unknown" user profile, they have certainly been used in a hijacking attempt.

    In any case the perpetrator will start by completely disinfecting and cleaning the victim computers before installing their payload; this is done to ensure that there is no unwanted behaviour, that no variants of the one used could interfere, and that there is no one and nothing else intervening on the machine at the same time.

    So most of the time if you encounter a computer with an active hacker working on it... You will find very few viruses; in fact you might find only the one used to install the current payload.

    Can you upload a small sample of an admittedly "Encrypted" file? I can try to find out with what and how they have been crippled.

    In the meantime: gather every scanner log you can, give them an informative name that enables you to identify the affected computer they came from, and put all these logs in a folder where you can do extensive searches.
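    MaloK's advice just above (gather every scanner log and keep them somewhere you can search) and the Defender entries McManny pasted from Event Viewer in the previous post both call for a small indexer, since the Event Viewer text is awkward to search as-is: several hit paths are joined with ";" on one line, each carries a "file:_" prefix, and some run through a folder whose name is a bare space. The Python script below is an added example, not from the thread, from Defender or from any tool it mentions; its SAMPLE input is an abridged copy of the detections posted above, and the "usb-01" source label is constructed. It parses the "N:" blocks of key: value lines, splits the path lists, and produces a flat CSV (one row per path, so logs from many drives can be concatenated and grepped) plus a summary that counts RECYCLER.BIN hits and paths passing through a whitespace-only folder.

```python
"""Index Defender detection entries pasted from Event Viewer so logs from many USBs can be
searched together. Added example; SAMPLE is an abridged copy of the thread's detections."""
import csv
import io
import re
from collections import Counter

SAMPLE = r"""
2:
Name: Backdoor:Win32/Plugx!MTB
ID: 2147816293
Severity: Severe
Category: Backdoor
Path: file:_D:\Temp\RECYCLER.BIN\1\AvastAuth.dat; file:_D:\ \Temp\RECYCLER.BIN\1\AvastAuth.dat
Detection Origin: Local machine
Detection Type: Concrete

3:
Name: Trojan:Win32/Korplug!MSR
ID: 2147752072
Severity: Severe
Category: Trojan
Path: file:_D:\Temp\RECYCLER.BIN\1\wsc.dll
Detection Origin: Local machine
Detection Type: Concrete

5:
Name: Trojan:Win32/Sabsik.TE.B!ml
ID: 2147780201
Severity: Severe
Category: Trojan
Path: file:_D:\autorun.inf.exe; file:_D:\RECYCLER.BIN.exe; file:_D:\System Volume Information.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: User
"""

HEADER = re.compile(r"\d+:")  # the "N:" line that starts each pasted entry


def parse_detections(text, source):
    """Turn the 'N:' blocks of key: value lines into dicts; 'source' tags which drive/log."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER.fullmatch(line):
            current = {"source": source, "paths": []}
            records.append(current)
            continue
        key, sep, value = line.partition(":")  # first colon only: names contain colons too
        if current is None or not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "path":
            # Defender joins multiple hits with ';' and prefixes each with 'file:_'
            current["paths"] = [p.strip().removeprefix("file:_")
                                for p in value.split(";") if p.strip()]
        else:
            current[key] = value
    return records


def summarize(records):
    """Category counts plus the path patterns that matter for this infection."""
    def segments(path):
        return path.split("\\")

    paths = sorted({p for r in records for p in r["paths"]})
    return {
        "by_category": dict(Counter(r.get("category", "?") for r in records)),
        "unique_paths": paths,
        "recycler_hits": sum(any(s.upper() == "RECYCLER.BIN" for s in segments(p)) for p in paths),
        # a directory segment that is only whitespace: the "no name" folder from the thread
        "nameless_dir_paths": [p for p in paths if any(s.strip() == "" for s in segments(p)[1:-1])],
    }


def to_csv(records):
    """One row per detected path; concatenate across drives and grep or open in a spreadsheet."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["source", "name", "id", "severity", "category", "detection type", "path"])
    for r in records:
        for p in r["paths"]:
            writer.writerow([r["source"], r.get("name"), r.get("id"), r.get("severity"),
                             r.get("category"), r.get("detection type"), p])
    return out.getvalue()


if __name__ == "__main__":
    recs = parse_detections(SAMPLE, "usb-01")
    print(to_csv(recs))
    print(summarize(recs))
```

    Feed it one pasted Event Viewer export per drive, using the drive's label or the owner's name as the source tag, and append each to_csv() output to one file; the summary's nameless_dir_paths list is a quick way to see which drives had their data displaced into the blank-named folder.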


  7. Posts : 18
    Windows 10
    Thread Starter
       #7

    Thank you MaloK, insightful as always.

    I apologise for the late reply, I have been out in the sticks (boonies, bush, jungle, back of Bourke, AKA: middle of nowhere) for a few days; turbulent time here at the moment 😬.

    Will do! Next encrypted file I get a hold of I will upload, and hopefully you can work out what it is that's done it and how to reverse it, if at all possible?

    Your advice makes sense RE: checking for new user profiles, as I have found that some of the profiles have become unusable or corrupted with a secondary "unnamed" user account popping up.

    It does appear that this is a monumental task and something not easily reversed. I guess the quickest and easiest solution is scorched earth 🤷‍♂️; well, I guess it kept the Nazis from taking over the USSR, but at what cost to the civilian population? In this case the data (loss of) being the civilian population.

    I have, as you say, been so focused on fighting off the "zombie horde" that I didn't bother to actually name names, so to speak.

    But now that we have at least constructed a protective perimeter, I should (by that I mean: ask you guys, LOL) probably start working out ways to counteract this. I have always been a proponent of preventative medicine and education.

    The local phone company is stated to shortly be installing satellite internet in most government buildings, including Police Stations, and I see a world of hurt coming this way when it does. All these nasty little trojans given free rein to call home and start conducting DOS/Ransom "insert anything else here" attacks.

    Again MaloK, thank you for your expertise. I now know why you are so knowledgeable in fighting the zombie horde, because it's your profession 😂; in hindsight I should have realized that 🤦‍♂️.

    Give me a few days I will do some hunting and see what I can find.

    Cheers and thank you.


  8. Posts : 2,800
    Windows 7 Pro
       #8

    McManny said:
    Thank you MaloK, insightful as always.

    I apologise for the late reply, I have been out in the sticks (boonies, bush, jungle, back of Bourke, AKA: middle of nowhere) for a few days; turbulent time here at the moment 😬.
    No worries, I've been busy quite a lot myself...

    McManny said:
    It does appear that this is a monumental task and something not easily reversed. I guess the quickest and easiest solution is scorched earth 🤷‍♂️; well, I guess it kept the Nazis from taking over the USSR, but at what cost to the civilian population? In this case the data (loss of) being the civilian population.

    I have, as you say, been so focused on fighting off the "zombie horde" that I didn't bother to actually name names, so to speak.
    Well, taking the time to pick the driver's license of every zombie you put out could get you killed.
    But before launching the operation, let's see if it is possible to identify the source of the encryption.

    McManny said:
    The local phone company is stated to shortly be installing satellite internet in most government buildings, including Police Stations, and I see a world of hurt coming this way when it does. All these nasty little trojans given free rein to call home and start conducting DOS/Ransom "insert anything else here" attacks.
    Maybe in the beginning, but after a while, Operating System updates and patches will be consistently rolling out to every machine, in addition to current antivirus virus definitions and SmartScreen. This will render 98% of these viruses and malware inoperative in the egg, and is a great move toward stabilization.

    McManny said:
    Give me a few days I will do some hunting and see what I can find.
    Take your time, no one's in a hurry here.

    Best of luck !!!

