Found new malware not detected by antivirus. How to evaluate the threat?
On a Windows 7 workstation running an up-to-date antivirus suite (Kaspersky) I found several suspicious processes. To look at the process activity I used the excellent Process Monitor from Sysinternals.
One of them had the executable name wauctla.exe, located in C:\Windows. Update: the name is probably chosen deliberately to be confused with wuauclt.exe - the Windows Update Agent Control utility.
This process runs as a System Service. Using the Management Console services snap-in I was able to change the startup settings for this process from "Automatic" to "Disabled". However there was no way I could stop the running process via the MMC snap-in.
I still managed to stop the process with the taskkill /f /PID command. I restarted the OS and the process is no longer seen in the process list.
There is an excellent thread on superuser on the procedures necessary to remove generic malware from computers running Windows. When the suspicious processes have been stopped and their executable files moved to a safe location away from the executable search path I want to learn more about the new malware.
What sort of threat comes from this file? Is there any antivirus software around that can detect this virus? How does it spread, should I check other computers that were accessed by the same user after this workstation was infected?
Update 2: Following the answers referring to virustotal, here is a link to the virustotal summary of this piece of malware.
Solution 1:
Don't use Process Monitor for that. Use VirusTotal, as @DavidPostill suggested, but without manually sending files. Process Explorer from Sysinternals has built-in VirusTotal functionality. Just go to Options -> VirusTotal.com -> Check VirusTotal.com and a column with the header VirusTotal will appear. After a few seconds you will get the VirusTotal rating for each executable.
From Process Explorer you can directly kill the malicious process or find out which Windows service started this process and stop and disable this service. This is a good way to do it, because if you only kill the process the underlying service might immediately recreate the malicious process. To find out the service for a process, double-click the process and go to the Services tab.
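As an added example (not part of the question or of this answer), the same containment steps from the question and this answer scripted in PowerShell: locate the process, hash and signature-check its image, find and disable the service that hosts it so the Service Control Manager cannot respawn it, terminate it, move the binary out of the executable search path, and finally list any other service whose binary is not signed by Microsoft. It assumes an elevated Windows PowerShell 4 or later session (available for Windows 7 via WMF 4.0); the process name and the quarantine folder are placeholders.

```powershell
# Added example, not code from the original question or answers.
# Run from an elevated PowerShell 4+ session. $ProcessName and $Quarantine are assumptions.
param(
    [string]$ProcessName = 'wauctla',
    [string]$Quarantine  = 'C:\Quarantine'
)

# 1. Locate the running process and the image it was started from.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Host "No process named $ProcessName is running."; return }

foreach ($p in $procs) {
    $path = $p.Path
    Write-Host "PID $($p.Id) image: $path"

    # 2. SHA-256 is what you look up on VirusTotal without uploading the file;
    #    a binary in C:\Windows with no valid Microsoft signature is a red flag.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    Write-Host "SHA256: $hash"
    Write-Host "Signature: $($sig.Status) ($($sig.SignerCertificate.Subject))"

    # 3. Find the service hosting this PID. Killing only the process lets the
    #    service restart it, so disable and stop the service first.
    $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)"
    if ($svc) {
        Write-Host "Hosted by service '$($svc.Name)' ($($svc.PathName))"
        Set-Service -Name $svc.Name -StartupType Disabled
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }

    # 4. A service that ignores the SCM stop request (as in the question) is
    #    terminated outright, like taskkill /f.
    if (Get-Process -Id $p.Id -ErrorAction SilentlyContinue) {
        Stop-Process -Id $p.Id -Force
    }

    # 5. Quarantine: move the image out of the search path and change its
    #    extension so nothing launches it by name; keep the hash in the file name.
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $dest = Join-Path $Quarantine ("$hash." + [IO.Path]::GetFileName($path) + '.bin')
    Move-Item -Path $path -Destination $dest -Force
    Write-Host "Moved $path to $dest"
}

# 6. Persistence sweep: any other service whose binary is not Microsoft-signed
#    deserves the same scrutiny.
Get-CimInstance Win32_Service | ForEach-Object {
    # Strip arguments from PathName, which may be quoted ("C:\x y\a.exe" -k) or not.
    $exe = ($_.PathName -replace '^"([^"]+)".*', '$1') -replace '^(\S+\.exe).*', '$1'
    if ($exe -and (Test-Path $exe)) {
        $s = Get-AuthenticodeSignature -FilePath $exe
        if ($s.Status -ne 'Valid' -or $s.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Service = $_.Name; Path = $exe; StartMode = $_.StartMode; Signature = $s.Status }
        }
    }
} | Format-Table -AutoSize
```

Two caveats: many legitimate Windows binaries are catalog-signed rather than carrying an embedded signature, so a status of NotSigned in the final sweep is a prompt to check the hash, not proof of malware; and the hash, not the file, is what you look up first, so a possibly sensitive binary is not shipped to a third party until you know it is unknown there.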
Solution 2:
How do I evaluate the threat caused by malware?
You can submit your file to VirusTotal for online analysis.
- VirusTotal checks the file using over 40 antivirus solutions.
- This will at least tell you if any antivirus software is able to detect it.
- If you get a positive identification you can then search for the name of the virus to find out more about how it works and what threat it poses.
What is VirusTotal
VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
Source: VirusTotal
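An added example, not part of this answer: querying VirusTotal for a file's SHA-256 through its public API (v3) from PowerShell, so you learn what the engines already say about the sample and which detection names to search for, and only fall back to uploading the file (manually on the website, as the answer describes) when the hash is unknown. It assumes an API key in the VT_API_KEY environment variable (free keys are rate-limited) and takes the file path as its first argument; the property names used are those of the v3 file object (last_analysis_stats, last_analysis_results, names).

```powershell
# Added example, not code from the original answer.
# Usage: .\vt-lookup.ps1 C:\Quarantine\<hash>.wauctla.exe.bin   (path is a placeholder)
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ApiKey = $env:VT_API_KEY      # assumption: key supplied via environment
)
if (-not $ApiKey) { throw 'Set VT_API_KEY to a VirusTotal API key.' }

# Look up by hash first: nothing leaves the machine except 64 hex characters.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
$uri  = "https://www.virustotal.com/api/v3/files/$hash"

try {
    $r = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ 'x-apikey' = $ApiKey }
} catch {
    # 404 means VirusTotal has never seen this hash. For a file sitting in
    # C:\Windows that is itself suspicious; only now consider uploading a copy.
    if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
        Write-Host "$hash is unknown to VirusTotal; upload it for a fresh scan."
        return
    }
    throw
}

$a     = $r.data.attributes
$stats = $a.last_analysis_stats
$total = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
Write-Host ("Detections: {0} malicious, {1} suspicious, {2} undetected of {3} engines" -f `
    $stats.malicious, $stats.suspicious, $stats.undetected, $total)
if ($a.names) { Write-Host "File names seen by VirusTotal: $($a.names -join ', ')" }

# Per-engine verdicts: the detection names are what to search for when researching
# how the sample behaves and spreads (the question's remaining two points).
$a.last_analysis_results.PSObject.Properties |
    Where-Object { $_.Value.category -in 'malicious', 'suspicious' } |
    ForEach-Object { [pscustomobject]@{ Engine = $_.Name; Verdict = $_.Value.result } } |
    Sort-Object Engine | Format-Table -AutoSize
```

A low detection count on a hash that VirusTotal has known for a long time points to a false positive or a benign tool; a low count on a hash first seen days ago, as with a freshly renamed dropper, means the engines simply have not caught up yet, so treat "only two engines flag it" as a reason for more scrutiny rather than less.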