Why you should be immediately looking for “srvnet2” in your windows server?

Muhammad Ali Azeem

Senior Infrastructure & Cyber Security Professional

22-Dec-2021

I recently came across a *BSOD incident on one of my Exchange servers after a critical CU update. I was working directly with Microsoft Support for this upgrade, and the activity was being managed by Microsoft itself.

After the successful CU installation, the server was rebooted and, to our surprise, a BSOD welcomed us at boot. The Microsoft engineer was confident that the CU upgrade should not cause this error. The error description led him to conclude that this was a kernel issue, meaning an OS core-level problem that has nothing to do with the Exchange CU upgrade.

Luckily, we have premier support from Microsoft, so the engineer immediately engaged a Windows OS engineer for troubleshooting.

It took us a few minutes to start investigating the issue, and we were able to boot into Windows through the safe mode option.

The MS engineer was quick to understand that the root cause of the problem was an unknown driver file located in \SystemRoot\System32\drivers as srvnet2.sys.

His first reaction was that this file should not be there. I literally thought he was just talking to himself, but that was not the case.

We had accidentally discovered a malware that was not detected by our security software. It was a new malicious software, Rootkit.Win64.Agent.bhw. It was not very difficult for us to get rid of this malware, as it was not yet deeply injected into the OS. We took a backup of the malware and cleaned our Exchange server. The same malware was also detected on the second mail server. This virus landed on our Exchange server on 29th Jun 2021 and was undetected until today.

I took the file hash and immediately tested it on virustotal.com, and to my surprise, only 6 of the security tools listed it as malware, and not a single BIG player was among them, including Kaspersky. Microsoft Defender was one of the tools that listed it as malware.

After our activity, I asked my team to report this hash to Kaspersky and see their feedback. Kaspersky accepted our submission and validated it as malware.

Below is the metadata from the malware file for your help. It is recommended that you all immediately scan your Windows environment for this malware, as it still remains undetected by many security tools.

Microsoft Support

Symptom:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)

This is a very common BugCheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address.

Arguments:

Arg1: ffffffffc0000005, The exception code that was not handled

Arg2: fffff80703c03737, The address that the exception occurred at

Arg3: ffffe382dfd6f148, Exception Record Address

Cause:

The following module is causing the crash; it is a malware component.

3: kd> lmvm srvnet2
Browse full module list
start            end                module name
fffff807`03c00000 fffff807`03c85000  srvnet2   (no symbols)
    Loaded symbol image file: srvnet2.sys
   Image path: \SystemRoot\System32\drivers\srvnet2.sys
   Image name: srvnet2.sys
   Browse all global symbols functions data
   Timestamp:       Tue Jun 29 08:28:49 2021 (60DAAF91)
   CheckSum:        00087495
   ImageSize:       00085000
   File version:    10.0.18362.693
   Product version: 10.0.18362.693
   File flags:      0 (Mask 3F)
   File OS:         40004 NT Win32
   File type:       3.0 Driver
   File date:       00000000.00000000
   Translations:    0409.04b0
   Information from resource tables:
       CompanyName:     Microsoft Corporation
       ProductName:     Microsoft® Windows® Operating System
       InternalName:    SRVNET2.SYS
       OriginalFilename: SRVNET2.SYS
       ProductVersion:  10.0.18362.693
       FileVersion:     10.0.18362.693 (WinBuild.160101.0800)
       FileDescription: Server Network driver
       LegalCopyright:  © Microsoft Corporation. All rights reserved.

Resolution:

Relevant service disabled and module isolated from the servers.
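The recommendation above is to scan your Windows environment for this file. The following PowerShell script is an added example written for this page; it is not the author's own tooling and not part of the Microsoft or Kaspersky support output. It uses only the indicators that appear in the report (the file name srvnet2.sys, its location under \SystemRoot\System32\drivers, and the PE link timestamp 60DAAF91 from the lmvm output) and checks three independent places a kernel driver leaves traces: the file on disk (with its Authenticode status, since the version resource strings claiming Microsoft Corporation are just text inside the file), the service entry that would load it at boot, and the Service Control Manager's view of loaded drivers. The sample's hash is not given on the page, so $KnownBadSha256 is a placeholder you must replace with the value you trust; it has to be run in an elevated PowerShell session on each host.

```powershell
# Added hunting example for the srvnet2.sys indicator described in the article above.
# Not part of the original post. Indicators (file name, path, PE timestamp) come from
# the report; $KnownBadSha256 is a PLACEHOLDER because the page does not give the hash.
#Requires -RunAsAdministrator

$IndicatorName  = 'srvnet2.sys'
$DriverDir      = Join-Path $env:SystemRoot 'System32\drivers'
$ReportedStamp  = [uint32]0x60DAAF91               # TimeDateStamp printed by lmvm (Jun 29 2021, local time in the report)
$KnownBadSha256 = '<SHA256-OF-SAMPLE-PLACEHOLDER>'  # placeholder: fill in from your own vetted source

function Get-PeTimeDateStamp {
    # Reads the COFF header TimeDateStamp directly: e_lfanew lives at offset 0x3C,
    # and the stamp is 8 bytes past the 'PE\0\0' signature it points to.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }  # not 'MZ'
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 12) -gt $bytes.Length) { return $null }
    return [BitConverter]::ToUInt32($bytes, $peOffset + 8)
}

$findings = @()

# 1. File on disk. The genuine SMB server network driver is srvnet.sys; a second file
#    named srvnet2.sys beside it is exactly what the article found. CompanyName and
#    FileDescription are free-text resources, so only the Authenticode result is evidence.
$file = Get-Item -LiteralPath (Join-Path $DriverDir $IndicatorName) -Force -ErrorAction SilentlyContinue
if ($file) {
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $stamp  = Get-PeTimeDateStamp -Path $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
    $linkUtc = if ($null -ne $stamp) { [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime } else { $null }
    $findings += [pscustomobject]@{
        Check           = 'FileOnDisk'
        Path            = $file.FullName
        SHA256          = $hash
        HashMatchesIoC  = ($hash -eq $KnownBadSha256)
        SignatureStatus = $sig.Status
        Signer          = $signer
        PeLinkTimeUtc   = $linkUtc
        StampMatchesIoC = ($stamp -eq $ReportedStamp)
        CompanyName     = $file.VersionInfo.CompanyName
    }
}

# 2. Service entry. A kernel driver is only loaded at boot if a service key points at it,
#    so the registry is an independent indicator even if the file was renamed or moved.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in (Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue)) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($key.PSChildName -like 'srvnet2*' -or ($props.ImagePath -and $props.ImagePath -match 'srvnet2\.sys')) {
        $findings += [pscustomobject]@{
            Check     = 'ServiceEntry'
            Name      = $key.PSChildName
            ImagePath = $props.ImagePath
            Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Type      = $props.Type    # 1 = kernel driver
        }
    }
}

# 3. SCM view of drivers, including whether one is currently running.
foreach ($drv in (Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue)) {
    if ($drv.Name -like 'srvnet2*' -or $drv.PathName -match 'srvnet2\.sys') {
        $findings += [pscustomobject]@{ Check = 'SystemDriver'; Name = $drv.Name; State = $drv.State; PathName = $drv.PathName }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No srvnet2 indicators found on $env:COMPUTERNAME"
} else {
    Write-Warning "srvnet2 indicators found on $env:COMPUTERNAME: isolate the host and preserve the file before removal"
    $findings | Format-List
}
```

On a clean host every check returns nothing and the script prints a single line. On a hit, compare SignatureStatus and Signer before anything else: a driver whose resource table says Microsoft Corporation but whose signature is NotSigned or from an unexpected signer is the strongest signal here, and StampMatchesIoC ties the file to the exact build seen in the report. Keep a copy of the file, as the author did, before disabling the service, so the sample can be submitted to your vendor.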

Kaspersky Support

Dear Team,

Thank you for your time. We have just received an update from the anti-malware research team.

New malicious software Rootkit.Win64.Agent.bhw was found in the attached file. Its detection will be included in the next database update.

We appreciate your help in providing this information to us. Thank you!

*Blue Screen Of Death

Abdulhafiez Mahmoud🛡️

Customer Success Lead - MENA@SecuriCIP - ICS/OT/IT Cybersecurity⚡Securing Critical Infrastructure⚡

2y

Thanks for sharing... Wishing you all the best MUHAMMAD ALI AZEEM 👍

IQBAL K. Khalid

Securing Critical Infrastructure | OT Cyber Security Professional

3y

Thank you for sharing the expert insights.
