Showing results for 
Search instead for 
Did you mean: 
Level 13
Report Inappropriate Content
Message 1 of 3

Files corrupted on our servers

Hey everbody!

I came in this morning, logged in, and immediately recieed a call that excel wasn't working for a whole department. Looking into this a little bit more, I discovered that it was bigger than excel and bigger than one department. A good chunk of our shared drives that are open to Domain Users were corrupted (and possibly encrypted). We tracked down the source PC and immediately shut it down. I took out the HDD and scanned it on a diffferent PC as a USB drive. This is what was found:


So, my biggest concern is besides PWS-Zbot.gen.ab I can't find any of these in the Threat Center library thing-a-ma-bob and don't know how concerned I should be about this coming back on a different machine.

Obviously, this user downloaded a Voicamail spam attachment, but they've been on vacation an entire week. They left their PC on and for some reason the threat chose today to rear it's head.

Can anyone help me figure out if this is Cryptolocker or not? And, if not, what this is?

2 Replies

Re: Files corrupted on our servers

Hi there,

I would suggest to change the config to the USB (show hidden files and folders) and collect all the files and send them to McAfee Labs as may be some of the files are not detected and the next time you plug the USB will infect a different machine, plus they will provide you with an ED to do the cleaning in the infected machine and revert the files to the original files and make the applications works again.


Message was edited by: llamamecomoquieras on 5/19/14 10:12:45 PM IST
Level 7
Report Inappropriate Content
Message 3 of 3

Re: Files corrupted on our servers

Was the infected PC running an updated AntiVirus product?

There are utilities out there that will scan files and let you know if they are encrypted, possibly by cryptolocker.

I suggest only trying any new tools/software off network and only on a copy of the original files.

Good luck. Keep us posted.