2 Replies Latest reply on May 21, 2014 8:13 AM by JAG

    Files corrupted on our servers

    ittech

      Hey everybody!

      I came in this morning, logged in, and immediately received a call that Excel wasn't working for a whole department. Looking into this a little bit more, I discovered that it was bigger than Excel and bigger than one department. A good chunk of our shared drives that are open to Domain Users were corrupted (and possibly encrypted). We tracked down the source PC and immediately shut it down. I took out the HDD and scanned it on a different PC as a USB drive. This is what was found:

      UsersDetections.png

      So, my biggest concern is that, besides PWS-Zbot.gen.ab, I can't find any of these in the Threat Center library thing-a-ma-bob and don't know how concerned I should be about this coming back on a different machine.

      Obviously, this user downloaded a Voicemail spam attachment, but they've been on vacation an entire week. They left their PC on and for some reason the threat chose today to rear its head.

      Can anyone help me figure out if this is Cryptolocker or not? And, if not, what this is?

        • 1. Re: Files corrupted on our servers
          llamamecomoquieras

          Hi there,

          I would suggest changing the config on the USB (show hidden files and folders), collecting all the files and sending them to McAfee Labs, as maybe some of the files are not detected and the next time you plug in the USB it will infect a different machine; plus they will provide you with an ED to do the cleaning on the infected machine, revert the files to the original files and make the applications work again.

          Cheers,

          Message was edited by: llamamecomoquieras on 5/19/14 10:12:45 PM IST
          • 2. Re: Files corrupted on our servers
            JAG

            Was the infected PC running an updated antivirus product?

            There are utilities out there that will scan files and let you know if they are encrypted, possibly by Cryptolocker.

            I suggest only trying any new tools/software off network and only on a copy of the original files.

            Good luck. Keep us posted.
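As an added illustration of the kind of "is this file encrypted?" check JAG mentions above (example code written for this thread, not a McAfee tool or anything posted by the participants), the script below walks a copy of a share and flags files whose leading bytes no longer match the signature expected for their extension, falling back to a Shannon entropy threshold for extensions it does not know. The signature table, the 7.5 bits/byte threshold and the sample files it builds in a temp directory are all constructed assumptions for the example; it is meant to be run off-network against a copy of the data, exactly as the reply advises.

```python
import math
import os
import tempfile
from collections import Counter

# Entropy above this (bits per byte, maximum 8.0) is treated as "looks encrypted
# or compressed". Constructed threshold for this example; tune it against
# known-good samples of your own documents before relying on it.
ENTROPY_THRESHOLD = 7.5

# Leading bytes expected for common document types (constructed, not exhaustive).
EXPECTED_MAGIC = {
    ".xls": b"\xd0\xcf\x11\xe0",  # OLE2 compound document (Office 97-2003)
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xlsx": b"PK\x03\x04",       # OOXML files are ZIP containers
    ".docx": b"PK\x03\x04",
    ".pdf": b"%PDF",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str, sample_size: int = 65536) -> dict:
    """Classify one file from its leading bytes.

    A file whose extension has a known signature is flagged when that signature
    is missing (an encrypted .xls no longer starts with the OLE2 header). Files
    with unknown extensions fall back to the entropy threshold alone, because
    ZIP-based formats such as .xlsx are legitimately high-entropy and would
    otherwise produce false positives.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ext = os.path.splitext(path)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    magic_ok = None if expected is None else head.startswith(expected)
    entropy = shannon_entropy(head)
    if magic_ok is None:
        suspicious = entropy >= ENTROPY_THRESHOLD
    else:
        suspicious = not magic_ok
    return {"path": path, "entropy": round(entropy, 3),
            "magic_ok": magic_ok, "suspicious": suspicious}


def scan_directory(root: str) -> list:
    """Walk root (a copy of the share, taken off-network) and return flagged files."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = assess_file(os.path.join(dirpath, name))
            if result["suspicious"]:
                flagged.append(result)
    return flagged


def flagged_names(root: str) -> list:
    """Sorted base names of the files scan_directory flags under root."""
    return sorted(os.path.basename(r["path"]) for r in scan_directory(root))


def build_sample_share() -> str:
    """Create a constructed directory of sample files: two intact, two 'encrypted'."""
    root = tempfile.mkdtemp(prefix="share_copy_")
    # Intact legacy workbook: OLE2 header followed by low-entropy filler text.
    with open(os.path.join(root, "budget.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly figures\n" * 200)
    # Intact OOXML workbook: ZIP local-file header, then a high-entropy payload
    # standing in for the compressed content (must NOT be flagged).
    with open(os.path.join(root, "forecast.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + os.urandom(4096))
    # Same extension as a real workbook, but the content is now random bytes.
    with open(os.path.join(root, "budget_old.xls"), "wb") as fh:
        fh.write(os.urandom(8192))
    # Unknown extension: only the entropy threshold can catch this one.
    with open(os.path.join(root, "notes.bin"), "wb") as fh:
        fh.write(os.urandom(65536))
    return root


if __name__ == "__main__":
    for item in scan_directory(build_sample_share()):
        print(item)
```

Signature mismatch is the stronger signal here: an encrypted Office document keeps its name but loses its header, whereas entropy alone cannot separate an encrypted .xlsx from a healthy one. Running the script across a copy of each affected share gives a quick inventory of which files still open and which need to come back from backup.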