The trojan was likely installed initially via an unsolicited email link. These are the facts of the case:

The trojan spreads quickly. Our antivirus software appeared to be able to recognize it, but cleaning it would not last for long, as a newly cleaned computer would be reinfected once it was back on the network. It uses administrative credentials to spread, so changing the admin credentials on the network was crucial.

  1. The trojan installed itself on Windows computers and immediately did the following:
     1. Created services to infect other machines and communicate with the command and control server. The services were listed as obscure numbers, such as 38494550. Other services may have been installed with strange compound names.
     2. Created scheduled tasks to reinstall itself if it were removed. The tasks masqueraded as having legitimate names, so each one had to be double-checked for legitimacy.
     3. Installed TeamViewer.
     4. Installed Flash, or a fake version of Flash that actually hid malicious code. This may have been part of a secondary trojan that was payload to the first. (The Backdoor.Teamviewer Trojan is distributed as an Adobe Flash installer.)

To remove the infection:

  1. We disconnected the internet.
  2. Put all computers in safe mode, cleaned each one with Malwarebytes, manually removed all related services and scheduled tasks, and uninstalled TeamViewer and Flash.
  3. Changed all domain and local administrative passwords.
  4. Changed all user passwords.
  5. Changed group policy to remove domain users from local administrator groups.
  6. Only when the computers were all clean did we bring them up individually with internet access. We then monitored again for services, scheduled tasks, and scans. When each machine was stable with internet access, we turned it off and brought up the next one.
  7. When all computers were stable with Internet access, we turned on the servers and monitored, then added one PC and monitored.
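A read-only PowerShell triage sweep for the indicators described above (all-digit service names, scheduled tasks judged by what they execute rather than by their names, and a TeamViewer install), useful for the re-check of each machine after it is brought back onto the network. This is an added example, not part of the original post; the path patterns it treats as unusual are assumptions and should be tuned to your environment.

```powershell
# Added triage example (not from the original post). Reports the indicators described in the
# write-up; it removes nothing. Run from an elevated PowerShell session on each host.

# 1. Services whose name is purely numeric (e.g. 38494550), plus any service whose binary
#    lives outside the Windows or Program Files trees (assumed "normal" locations).
$suspiciousServices = Get-CimInstance Win32_Service | Where-Object {
    $_.Name -match '^\d+$' -or
    ($_.PathName -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\')
} | Select-Object Name, DisplayName, State, StartMode, PathName

# 2. Scheduled tasks: the names looked legitimate, so judge them by what they run.
#    Non-Microsoft tasks executing from user-writable folders or script files are flagged.
$suspiciousTasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; only exec actions are checked.
            if ($action.Execute -and
                $action.Execute -match '\\(Users|ProgramData|Temp)\\|\.(vbs|js|bat|ps1)($|\s)') {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Author    = $task.Author
                }
            }
        }
    }

# 3. TeamViewer: check both the 64-bit and 32-bit uninstall registry hives.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$teamViewer = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'TeamViewer*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

Write-Host '== Services with numeric names or unusual binary paths =='
$suspiciousServices | Format-Table -AutoSize
Write-Host '== Non-Microsoft scheduled tasks running from user-writable paths or script files =='
$suspiciousTasks | Format-Table -AutoSize
Write-Host '== TeamViewer installations =='
$teamViewer | Format-Table -AutoSize
```

Anything it lists is a candidate for the manual check described in step 2, not an automatic verdict; a legitimate service installed to an unusual path will show up here as well.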