1

I haven't used the Windows partition since mid-June, and I booted the system once again just a few days ago. My first action was, as usual, to update all programs marked as needing updates (including Windows updates). Today MSE detected TrojanDownloader:Win32/Tugspay.A in the Chrome directory, which after Googling I believe to be persistent storage. Since the only option was to remove it or leave it, I removed the file.

I ran a full MSE scan but nothing showed up. When I booted the computer from an AVG LiveUSB (created on a different computer and inserted after shutdown) it did not detect anything except cookies and adware in the recycle bin (after checking: some time ago a 'Download Manager' tried to download itself onto my computer and I deleted it without running it).

Should I believe that the malware was put into persistent storage but has not been run, perform extra security steps to check, or reinstall Windows? (The last step is relatively expensive for me in terms of time and hassle; it's a private computer, so there is nothing like a remote deployment system.)

4 Answers

1

It is a backdoor, so it is hard to tell what damage it has done to your system. For example, it might be used to log keystrokes or download other malicious files to your system.

It is good to know how it infected your machine in the first place. Now, since you said your anti-virus is MSE, which I personally do not trust very much, theoretically you should be fine. However, it is good to do some manual checking:

  1. Open Registry Window by typing “regedit” in Run window.
  2. Once it opens search the registry files related to TrojanDownloader:win32/Tugspay.A and delete all of them.

Finally, I personally recommend you reinstall Windows. Why? Because this Trojan in particular can download other malware files. It is possible that it downloaded other malware and MSE failed to detect it. Do you see my point?

Look at the name TrojanDownloader:Win32/Tugspay.A: they call it a Trojan Downloader.

Ubaidah
  • 1,054
  • 6
  • 11
  • "how it infected your machine in the first place" so far I (hope) to believe it was just stored by JS in persistent storage. Could there be a way to check if it was even run? – Maciej Piechotka Aug 09 '14 at 16:56
  • To my knowledge there is no way to know that for sure, unless you store and archive your network traffic logs and other system logs, so that you can run forensics against the log files. I am kidding; no one does that for a private/personal machine. Using Windows, you should accept that you will be infected by malware from time to time. Or how would anti-virus companies make money? :) – Ubaidah Aug 09 '14 at 17:03
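The answer's manual check (regedit, then look for entries related to the detection) and the comment's question of whether the file was ever run can both be approached with a defender-side triage script. The following PowerShell is an added example, not code from the answer or from Microsoft: it lists the common autostart registry keys and scheduled tasks, flags entries launched from user-writable directories, hashes the referenced binaries for lookup, and checks Prefetch for evidence that the reported file was ever executed. It assumes an elevated PowerShell 4 or later session (for Get-FileHash and Get-ScheduledTask); the file name in $Suspect is a constructed placeholder, not a Tugspay indicator.

```powershell
# Added example (not from the answer above): enumerate common Windows autostart
# locations, flag entries that launch from user-writable directories, hash the
# referenced binaries, and check Prefetch for evidence a given file has run.
# Assumptions: elevated PowerShell 4+; $Suspect is a constructed placeholder,
# replace it with the file name MSE actually reported.

$Suspect = 'example-suspect.exe'   # placeholder file name, not a real indicator

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Locations legitimate software rarely autostarts from but droppers commonly use
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:ProgramData)

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $cmd  = [string]$props.$name
        $flag = ''
        foreach ($dir in $UserWritable) {
            if ($dir -and $cmd -like "*$dir*") { $flag = 'USER-WRITABLE PATH'; break }
        }
        # Pull the executable path (quoted, or first token) so it can be hashed
        $exe  = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $hash = if (Test-Path $exe) { (Get-FileHash -Path $exe -Algorithm SHA256).Hash } else { 'file missing' }
        '{0,-22} {1,-60} {2} {3}' -f $name, $cmd, $flag, $hash
    }
}

# Scheduled tasks are another common persistence point for downloaders
Get-ScheduledTask | Where-Object { $_.Actions.Execute } |
    Select-Object TaskName,
        @{n='Execute'; e={ $_.Actions.Execute -join '; ' }},
        @{n='Args';    e={ $_.Actions.Arguments -join '; ' }} |
    Format-Table -AutoSize

# Prefetch records executables Windows has launched (NAME.EXE-<hash>.pf). A
# matching file means the binary ran at least once; absence is weaker evidence,
# since Prefetch can be disabled or the entry evicted.
$pf = Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter "$($Suspect.ToUpper())-*.pf" -ErrorAction SilentlyContinue
if ($pf) { "Prefetch shows $Suspect ran; last run $($pf.LastWriteTime)" }
else     { "No Prefetch entry for $Suspect (never launched, or Prefetch disabled)" }
```

Entries flagged with a user-writable path deserve a look but are not proof of infection on their own; the SHA256 column is there so each binary can be checked against a reputation service from a clean machine. A Prefetch hit answers the "was it even run?" question far more reliably than the registry search alone, which only finds persistence the malware chose to leave behind.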
0

Try to scan the system with tools that have a good signature DB. You may get these things with a toolbar installation. I would use a Sophos or Symantec tool to scan.

Here is a link where you can find 15 free bootable antivirus tools.

Nuke from Orbit will not be required.

Kasun
  • 784
  • 2
  • 5
  • 13
  • [Nuke from orbit means slightly more drastic thing.](http://security.stackexchange.com/questions/32500/what-is-nuke-it-from-orbit). "Try to scan the system with tools with good signature DB." - I've scanned with AVG Live USB with up-to-date database. I'll try Sophos tomorrow as they apparently provide only live CD's and I don't have a blank ATM. – Maciej Piechotka Aug 09 '14 at 19:00
  • Thanks very much for telling me the drastic meaning. I improved the answer. You can make a USB stick bootable from an ISO using a Linux tool like 'dd'. – Kasun Aug 09 '14 at 19:14
0

I'm dealing with a very similar situation myself. No evidence of infection, except the presence of Tierra.exe in a temp directory. This is a trojan downloader. Security Essentials spotted it, although I'm very concerned with how it got there.

If you don't want to nuke the machine (and I don't want to nuke mine), you need to remove the disk, mount it as an external volume on a known-good system with autorun disabled and up-to-date AV, then perform a full scan of the media.

Sophisticated viruses, once they've infected the host, can disable or alter the behaviour of the AV software to avoid detection.

As a future preventative measure, I'm going to add ClamAV to my Linux server so that my Windows backups can be scanned from a known-clean machine. The likelihood that the virus affects the backup process to avoid scanning is low... but not zero.

mgjk
  • 7,535
  • 2
  • 20
  • 34
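The offline procedure in this answer (remove the disk, attach it to a known-good system with autorun disabled, scan from there) can be scripted on the clean host so no step is skipped. The following PowerShell is an added example, not the answer's own code: it verifies that AutoRun is disabled for every drive type before the volume is touched, runs the host's own Defender or Security Essentials engine against the mounted disk, and then lists and hashes recently written executables from user-writable locations on that disk, since the answer's point is that a signature scan alone can miss a fresh dropper. It assumes an elevated PowerShell 4 or later session on the known-good machine, that the suspect disk is mounted as the placeholder drive letter X:, and that MpCmdRun.exe is present at one of the two standard install paths.

```powershell
# Added example (not the answer's own code): triage a suspect disk attached to a
# known-good Windows host as an external volume, following the answer's steps.
# Assumptions: elevated PowerShell 4+; $Volume is a placeholder drive letter;
# MpCmdRun.exe (Windows Defender or Microsoft Security Essentials) is installed.

$Volume = 'X:'   # placeholder: drive letter assigned to the externally mounted disk

# 1. Confirm AutoRun is disabled for all drive types before the volume is browsed.
#    NoDriveTypeAutoRun = 0xFF (255) disables it for every drive type.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($val -ne 255) {
    Write-Warning "AutoRun not fully disabled (NoDriveTypeAutoRun=$val); setting it to 0xFF"
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -Value 255 -Type DWord
}

# 2. Signature scan of the mounted volume with the clean host's own AV engine.
$mp = @('C:\Program Files\Windows Defender\MpCmdRun.exe',
        'C:\Program Files\Microsoft Security Client\MpCmdRun.exe') |
      Where-Object { Test-Path $_ } | Select-Object -First 1
if ($mp) {
    & $mp -SignatureUpdate                    # fetch current definitions first
    & $mp -Scan -ScanType 3 -File "$Volume\"  # ScanType 3 = custom scan of a path
} else {
    Write-Warning 'MpCmdRun.exe not found; run your AV of choice against the volume instead'
}

# 3. Signatures miss new droppers: list executables and scripts written in the
#    last 30 days under user-writable locations on the suspect disk, with hashes
#    that can be looked up from this clean machine.
$roots  = @("$Volume\Users", "$Volume\ProgramData", "$Volume\Windows\Temp")
$cutoff = (Get-Date).AddDays(-30)
Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue `
              -Include *.exe, *.dll, *.scr, *.js, *.vbs |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, LastWriteTime, Length,
        @{n='SHA256'; e={ (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }} |
    Sort-Object LastWriteTime -Descending |
    Export-Csv -Path "$env:USERPROFILE\Desktop\suspect-disk-recent-files.csv" -NoTypeInformation
```

Because the suspect disk is never booted, nothing on it can interfere with the scanner, which is exactly the weakness the answer describes for scanning from inside the infected host. The CSV of recent executables is the part a signature scan does not give you: a downloader's payload typically appears as a new file in a temp or profile directory shortly after the initial infection, so sorting by write time narrows the review to a handful of candidates.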
0

From the sound of it, you probably don't need to nuke it. However, without a more advanced look or better tools, you can't know you're good without nuking it. There are plenty of tools out there to catch and remove these types of malware. The problem is, if it's more advanced they can miss it and you won't know. These tools can't see everything that might have been affected. That's hard to do without either software already running on the host (look into Security Onion and OSSEC if you want to know more) or advanced knowledge to be able to look manually.

Either you can accept the risk that you might be missing something and leave it or nuke it and know you’re good.

Paraplastic2
  • 460
  • 2
  • 7