9 comments on “What is cna12.dll and the piress user?”

  1. My computer is infected with this specific malware. I have updated antivirus software running. However, the piress account comes up once in a while. For me a full format is not an option at the moment. If I get rid of MySQL completely, will it be of any help?
    Thank you
    jake

    • Hi Jake,

      My apologies for taking so long to reply but I wanted to verify the technical accuracy of my response, include as much information as possible, and I had quite a bit on my plate including some paid work (which obviously has to take priority).

      Anyway, it got to the point where my reply was so long that I just turned it into a new blog post instead.

      Basically yes, if you can uninstall MySQL then do so. If not, attempt to block the inbound MySQL connections by using network firewall/routers (if you have them) or your ADSL modem.
      I’d also configure Windows Firewall on your MySQL server to stop inbound (and preferably outbound) MySQL connections (by disabling access to the MySQL program from the Internet), by using the Exceptions tab to allow TCP port 3306 but specify the scope to be any of your internal hosts that need to access it.

      You can also reconfigure MySQL to only allow connections from the MySQL server itself.

      It would also be a good idea to modify Windows NTFS permissions to stop the attack from being able to create DLL and EXE files in the MySQL program folders. This, however, won’t stop the attacks from getting access to your server, but only serve to disrupt them and stop them from being able to save the cna12.dll file and run the function in it. It is more an attempt to stop attacks working should they reach your server.

      Hope this information and/or the new blog post helps.

      Musingly,
      Karl.
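
Added example, not part of Karl's reply: one way to check whether a `my.ini` already limits MySQL to connections from the server itself, as the reply suggests. It relies on MySQL's `bind-address` and `skip-networking` options; the sample files and the function name are constructed for illustration.

```python
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample files, not taken from any real server.
EXPOSED_INI = """
[client]
port=3306
[mysqld]
port=3306
datadir=C:/mysql/data
"""
HARDENED_INI = """
[mysqld]
port=3306
bind_address = 127.0.0.1   # only the server itself may connect
"""

def mysqld_network_exposure(ini_text):
    """Return 'disabled', 'loopback' or 'exposed' for the [mysqld] section."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=("#",))
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return "exposed"  # no overrides: the server listens on all interfaces
    # MySQL treats '-' and '_' in option names as equivalent.
    opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    if "skip-networking" in opts:
        # A bare 'skip-networking' line has no value and means "on".
        val = (opts["skip-networking"] or "1").strip().lower()
        if val not in ("0", "off", "false"):
            return "disabled"  # no TCP/IP listener at all
    addr = (opts.get("bind-address") or "").strip().lower()
    return "loopback" if addr in LOOPBACK else "exposed"

if __name__ == "__main__":
    for name, text in (("exposed sample", EXPOSED_INI),
                       ("hardened sample", HARDENED_INI)):
        print(name, "->", mysqld_network_exposure(text))
```

A result of `exposed` means TCP port 3306 is reachable on every interface unless a firewall rule in front of it says otherwise.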

  2. Pingback: How to protect yourself from the cna12.dll MySQL attacks « Malware Musings

  3. Hi Karl,
    That's a really good finding. I have been a victim for the last 9 months; I couldn't find an answer until now. Thanks.

    • Hi Roopesh,

      Yeah, I noticed that people were finding my pages as a result of Google searches for ‘cna12.dll’. When I tried the same Google search I found people asking what it was and how to get rid of it, but no real answers.

      Thanks for the feedback — it’s good to know that someone is finding these pages helpful.

      Musingly,
      Karl.

  4. Hi Karl,
    Thanks for your in-depth analysis.

    My PC recently got attacked by the piress account virus. I deleted that account. I found cna12.dll in the MySQL folder, so I deleted it also. My Avasta antivirus blocked isetup.exe, so can I say my system is safe as Avasta blocked it?

    Also, can changing the MySQL root password after an attack be helpful?

    thanks.

    • Hi Rohit,

      That’s cool — it is good to know that some people are finding it useful.

      If you haven’t already, have a read of the follow-up post.

      I wouldn’t like to say that your system is definitely safe, as I am reluctant to say that anything other than a complete rebuild would guarantee cleanliness — mainly because I don’t know what it is that I don’t know. Just because I can’t think of a way to bypass a piece of security, doesn’t mean that someone else hasn’t.

      Having said that, your system should certainly be a tad safer than it was 🙂

      I haven’t yet analysed ‘isetup.exe’, and even if I had, we’d need to confirm that your ‘isetup.exe’ is the same as the one that I’d analysed, plus there are too many other variables. For instance, the ‘cna12.dll’ file isn’t, by itself, particularly malicious. It is just that it is very easy to use it for malicious purposes, like downloading more malicious software like the copy of ‘isetup.exe’ that your anti-virus software found, for instance. Hence we can’t necessarily be certain that ‘isetup.exe’ is the only malicious software that was downloaded.

      As for Avasta blocking ‘isetup.exe’, see if you can determine whether or not ‘isetup.exe’ actually ran. I recently examined a friend’s laptop where their anti-virus software quarantined a .exe file, however there was an entry for it in the C:\Windows\Prefetch folder, and a Windows Defender report that it modified registry entries, suggesting that it still executed (which raises the question of when does the prefetch file get created and when does the anti-virus software check the file and block it).

      If you can, check the C:\Windows\Prefetch\ folder for a file with the name ‘isetup.exe-….pf’, but bear in mind that the legitimate, is it Internet Explorer installer(?), is also called isetup.exe and will show up in the prefetch directory with a similar name. I think later versions of Windows may have stopped you from being able to see files in the prefetch folder, so you may need to examine the disk by adding it to another system (Linux boxes are good for this), if possible.

      Yes, definitely change your MySQL root user’s password, as that will help to prevent the same attack (and other attacks that rely on guessing your password) from working again.

      Musingly,
      Karl.
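
Added example, not part of Karl's reply: a way to run the Prefetch check he describes against a disk mounted on another system. Prefetch files are named `NAME.EXE-XXXXXXXX.pf`, where the eight hex digits are a hash of the path the program ran from, so two different suffixes for the same name point to copies run from different locations, which helps separate a legitimate `isetup.exe` from another one. The function names and the sample file names are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# NAME.EXE-<8 hex digits>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def prefetch_hits(prefetch_dir, exe_name):
    """List Prefetch entries for exe_name, oldest last-write time first."""
    hits = []
    for entry in os.scandir(prefetch_dir):
        m = PF_NAME.match(entry.name)
        if not entry.is_file() or not m:
            continue
        if m.group("exe").upper() != exe_name.upper():
            continue
        # Windows rewrites the .pf file when the program is run, so the
        # last-write time approximates the most recent execution.
        mtime = datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc)
        hits.append({"file": entry.name,
                     "path_hash": m.group("hash").upper(),
                     "last_written": mtime})
    return sorted(hits, key=lambda h: (h["last_written"], h["file"]))

def distinct_locations(hits):
    """Distinct path hashes: more than one means more than one launch path."""
    return sorted({h["path_hash"] for h in hits})

def demo():
    """Run the check over a constructed Prefetch folder (file names are made up)."""
    names = ["ISETUP.EXE-1A2B3C4D.pf", "isetup.exe-9F8E7D6C.pf",
             "NOTEPAD.EXE-0BADF00D.pf", "ISETUP.EXE-notahash.pf", "Layout.ini"]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            open(os.path.join(d, n), "wb").close()
        return prefetch_hits(d, "isetup.exe")

if __name__ == "__main__":
    found = demo()
    for h in found:
        print(h["file"], h["last_written"].isoformat())
    print("launch paths seen:", len(distinct_locations(found)))
```

For a real check, pass the mounted image's `Windows/Prefetch` directory to `prefetch_hits` instead of calling `demo()`.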
