Malware Incident Response: Analyzing and Removing a Persistent Windows Trojan
This article details a step‑by‑step incident‑response case study of a Windows internal‑network Trojan that exploited SMB port 445, describing how alerts were identified, malicious processes were traced, terminated, and fully removed using tools such as netstat, PChunter, and process monitoring utilities.
Author: Zhang Hongyang – security operations and incident response specialist, former senior security engineer at Beike.
Preface – Have you heard of the notorious "EternalBlue" or the WannaCry ransomware? They are not distant myths; they can lurk within corporate networks. This article records a complete internal‑host malware infection response, covering detection, analysis, and eradication.
Incident Overview – The initial alert came from IPS logs showing massive internal scans of port 445 from host 10.10.X.X, a clear sign of abnormal lateral‑movement activity.
Preliminary assessment suggested a malware program on the source host was scanning the internal network for vulnerable machines. Since packet payloads revealed little, we logged into the host (with business approval) for deeper investigation.
Step 1 – Network Connections – Using netstat, we observed many half‑open connections from random local ports to sequential IP addresses, primarily initiated by spoolsv.exe and mssecsvc.exe. The latter is a known artifact of the WannaCry outbreak, while spoolsv.exe is the legitimate Windows Print Spooler service – why would it scan the network?
Step 2 – Process Verification – Task Manager showed two spoolsv.exe entries. The legitimate binary resides in C:\WINDOWS\system32; the one with PID 154352 was located elsewhere, indicating a masquerading trojan process.
Step 3 – Termination Attempt – Killing the identified processes removed them temporarily, but spoolsv.exe reappeared with a new PID, suggesting a watchdog process was respawning it.
Step 4 – Signature Verification – Using the tool PChunter, which colors processes based on signature status, the rogue spoolsv.exe appeared pink (signature verification failed). Even after deletion, the file regenerated.
Step 5 – Removing the Parent Process – Tracing the parent PID (23428) revealed svchost.exe. Killing this parent stopped the malicious spoolsv.exe from respawning, effectively cleaning the trojan.
Final cleanup included checking startup items, services, and scheduled tasks, followed by a verification of network connections, which returned to normal.
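The five steps above are a manual triage loop: read netstat for half‑open SMB sweeps, map the offending PID to its image path, check whether the path and signature match the name, then walk up to the parent before killing anything so the watchdog goes first. The following Python script, added here as an illustration and not part of the original article or any Beike tooling, automates that loop over constructed input. The netstat excerpt and process table are made‑up samples shaped like the case (PIDs 154352 and 23428 are reused from the text; all paths, other PIDs and addresses are assumptions), and EXPECTED_DIR assumes a stock system root.

```python
"""Triage helpers for the SMB-scan case: parse `netstat -ano` output, flag
processes with many half-open (SYN_SENT) connections to port 445, check
whether a system-named process runs from its expected directory, and walk
the parent chain so the respawning parent is found before anything is killed.
All sample data here is constructed for this example."""
import ipaddress
import re
from collections import defaultdict

# Constructed `netstat -ano` excerpt modelled on the symptoms in the article:
# random local ports, sequential targets on 445, SYN_SENT state, one PID.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.10.1.5:49731        10.10.2.17:445         SYN_SENT        154352
  TCP    10.10.1.5:50213        10.10.2.18:445         SYN_SENT        154352
  TCP    10.10.1.5:51870        10.10.2.19:445         SYN_SENT        154352
  TCP    10.10.1.5:52044        10.10.2.20:445         SYN_SENT        154352
  TCP    10.10.1.5:49800        10.10.9.3:445          SYN_SENT        8812
  TCP    10.10.1.5:49680        10.10.0.2:443          ESTABLISHED     4120
"""

# Constructed process list in the shape Task Manager / PChunter present it
# ("signed" stands in for PChunter's signature colouring).
PROCESS_SAMPLE = [
    {"pid": 4, "name": "System", "path": "", "ppid": 0, "signed": True},
    {"pid": 900, "name": "services.exe", "path": r"C:\WINDOWS\system32\services.exe", "ppid": 4, "signed": True},
    {"pid": 1320, "name": "spoolsv.exe", "path": r"C:\WINDOWS\system32\spoolsv.exe", "ppid": 900, "signed": True},
    {"pid": 23428, "name": "svchost.exe", "path": r"C:\Users\Public\svchost.exe", "ppid": 900, "signed": False},
    {"pid": 154352, "name": "spoolsv.exe", "path": r"C:\Users\Public\spoolsv.exe", "ppid": 23428, "signed": False},
    {"pid": 8812, "name": "mssecsvc.exe", "path": r"C:\WINDOWS\mssecsvc.exe", "ppid": 23428, "signed": False},
    {"pid": 4120, "name": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\chrome.exe", "ppid": 900, "signed": True},
]

# Where genuine copies of commonly impersonated binaries live (assumption: a
# stock install; adjust to the host's real system root).
EXPECTED_DIR = {
    "spoolsv.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
}

# One TCP row of `netstat -ano`: proto, local addr:port, remote addr:port, state, PID.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row; the header and non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append({"laddr": m[1], "lport": int(m[2]), "raddr": m[3],
                          "rport": int(m[4]), "state": m[5], "pid": int(m[6])})
    return conns


def find_scanners(conns, port=445, min_targets=3):
    """PIDs with at least `min_targets` distinct half-open connections to `port`.
    Returns {pid: (target_count, sequential)}; `sequential` is True when the
    sorted targets are consecutive addresses, the sweep pattern from Step 1."""
    targets = defaultdict(set)
    for c in conns:
        if c["rport"] == port and c["state"] == "SYN_SENT":
            targets[c["pid"]].add(ipaddress.ip_address(c["raddr"]))
    result = {}
    for pid, addrs in targets.items():
        if len(addrs) >= min_targets:
            ordered = sorted(addrs)
            sequential = all(int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
            result[pid] = (len(addrs), sequential)
    return result


def masquerading(procs):
    """PIDs whose name matches a system binary but whose image path is outside
    the expected directory (the two-spoolsv.exe situation from Step 2)."""
    out = []
    for p in procs:
        expected = EXPECTED_DIR.get(p["name"].lower())
        if expected and not p["path"].lower().startswith(expected.lower() + "\\"):
            out.append(p["pid"])
    return out


def parent_chain(procs, pid):
    """Follow ppid links from `pid` to the root; returns [(pid, name), ...]."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append((pid, by_pid[pid]["name"]))
        pid = by_pid[pid]["ppid"]
    return chain


def kill_candidates(netstat_text, procs):
    """PIDs to stop together: each scanning PID plus its nearest unsigned
    ancestor, so the respawning parent from Step 5 is not left running."""
    conns = parse_netstat(netstat_text)
    suspects = set(find_scanners(conns))
    by_pid = {p["pid"]: p for p in procs}
    for pid in list(suspects):
        for apid, _ in parent_chain(procs, pid)[1:]:
            if not by_pid[apid]["signed"]:
                suspects.add(apid)
                break
    return suspects


if __name__ == "__main__":
    print("scanners:", find_scanners(parse_netstat(NETSTAT_SAMPLE)))
    print("masquerading:", masquerading(PROCESS_SAMPLE))
    print("chain:", parent_chain(PROCESS_SAMPLE, 154352))
    print("stop together:", kill_candidates(NETSTAT_SAMPLE, PROCESS_SAMPLE))
```

On a live host the two samples would be replaced by the real `netstat -ano` output and a process dump that carries image path, parent PID and signature status; the mssecsvc.exe row in the sample has a single target, so with the default threshold only the spoolsv.exe impostor and its unsigned parent are selected, which is the order the article found them in.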
Post‑mortem – A thorough incident response also involves documenting the findings and continuous monitoring. The analysis was recorded in the daily security incident report, and a follow‑up check two days later confirmed the malware did not reappear.
For deeper analysis, the malware sample can be sandboxed and debugged using tools such as IDA Pro, OllyDbg, Process Explorer, and Process Monitor.
Beike Product & Technology