A nasty piece of work in C:\ProgramData\WindowsWork

I encountered a nasty bit of malware today which wasn’t being seen by antivirus. Malwarebytes was popping up every 5 seconds with a warning that some executable file on Windows 10 was trying to reach a blocked web site… tektonit.ru

A quick Google search made it clear that the domain being contacted is associated with the Troj/RemAdm-AG and Backdoor.Gussdoor trojans, the second of which opens a backdoor to the domain in question. The attacker then has access to read and write files, access the registry, spawn processes and even take screenshots. In our case, they also installed keylogger.bestfreekeylogger.a which lets them record keystrokes like passwords, credit card numbers, emails, or any other content entered via the computer.


The user had both a McAfee antivirus product and Avast Free installed. Neither of which were really complaining about the threat, yet Malwarebytes continued its little dance in the corner “Website blocked – Domain: tektonit.ru” and variants thereof.

Malwarebytes also did something else nice for me: it showed the process location. It was running a file in C:\ProgramData\WindowsWork, which to an end-user appears to not exist if you try to navigate to it.

I installed ESET Internet Security, which picked up and removed the keylogger (two variants) that the other applications left behind, but the malware reaching out to the attacking server was not detected.

Jumping into an admin terminal, the directory doesn’t show since its attributes are set to +s +h (system, hidden). Within the folder, the files themselves are also hidden and set with the system attribute, making them pretty much invisible to end users. And strangely, antivirus also did not see it.

Removing the attributes, I was now able to see and open the files. One such file was the installer used to deploy the malware.

Here’s how it installed itself:

Interesting, in that this now sheds some light on why antivirus isn’t picking it up… it’s likely not even a virus. And to boot, UAC would have stopped this script from running, which means the end user had to have allowed it. Once again proves my point that Windows UAC is useless because novice users will just say yes to any stinking dialogue you throw at them!

So the script, as you can see, destroys legitimate Windows services and replaces them with itself. That makes it tough to detect.

I killed the services, deleted the services, and then purged all the files in the C:\ProgramData\WindowsWork\ and removed the folder. Instantly, Malwarebytes went to sleep.

A reboot and full system scan as administrator with ESET Internet Security, and all looks well. Hopefully the firewall in EIS will do a better job of keeping the user from answering “Yes” to the wrong questions… but ultimately it’s up to educating users to think, and understand, before clicking.

The malware is gone. However, there’s no way to know how far the attacker got. It appears as though the service files were not viruses at all, but rather basic programs that reach out to tektonit.ru to obtain legitimate malware and install it. Basically, the stuff in C:\ProgramData\WindowsWork\, which the user authorized being installed, was benign from an antimalware standpoint. It was not a virus: it was a tool being used by an attacker to propagate their tools, malware and possibly viruses/trojans. But because of the nature of it, it also worked as a bit of a smokescreen.

In this instance, had Malwarebytes’ Premium version not been installed (which does active protection, not just on-demand scanning), the user would have been wide open to the smokescreen application and its desire to install all kinds of unknowns on the user’s system.

ESET Internet Security is now installed, along with Malwarebytes Premium. These two products combined should provide about the best level of protection available to Windows users today.

Get ESET Internet Security: https://cat5.tv/esetus

Get Malwarebytes Premium: http://amzn.to/2x2HCz2