Worm Virus Alert

Received this email today, felt like I should share…

Sent: Thursday, December 13, 2012 11:08 AM
To: service.all
Subject: Worm Virus Alert
Importance: High

Good Morning everyone,

I’ve had two clients been hit in the last hour with a virus that, for all intensive purposes, locates all network shares and hides their folders in the share, then creates new files that are the same names as those folders, but renames them to “foldername.exe”.  You’ll also see “porn.exe” “sexy.exe” “passwords.exe” “secret.exe” so on and so forth in the root of those folders.

The bad news is this infection is completely undetected by Symantec Antivirus.

The infection vector seems to be an email attachment.  At one client the email was subject “[SPAM] Scanned Image from a Xerox WorkCentre” with attachment “SCAN_12-12-2012-02.zip” – if the client runs the contents of that zip, you’re infected.

If you’ve enabled windows 7 user folder redirection (as has been the case with both of my clients), it’s fairly easy to find out who did it.  Go to the user folder share and do a “dir /a:h” and look for a hidden user folder.  This is the user who did it – disconnect their system immediately.  Wipe and reload that system.  DO NOT use usb drives on that infected system, that is also a way to transmit the virus.

It appears that malwarebytes is a suggested program to find this virus and eradicate it from servers.

The good news is these files can be moved/deleted and the folders unhidden:

attrib -h -r -s /s /d “s:\folder_name”

You may want to proactively address your clients to help prevent this.  Unfortunately if you’re protected by most of the antivirus vendors at this point, they won’t detect this.

About these ads
This entry was posted by jrcipriano.

3 thoughts on “Worm Virus Alert

    • ComboFix on the users machine after manually removing the duplicate files in the network share. The tricky part is running MalwareBytes on the file share server to make sure its OK then finally manually changing the attributes for the network share drive so the files are shown. Once thats done you have to manually remove the duplicates from both file shares (replication). We also noticed the virus will rename itself if you try to remove it so just keep looking for .exe’s that don’t belong. This is still a very fluid situation but so far we were able to mitigate the damage.

  1. Its also important to note that the ZIP file that is carrying the infection is dynamic, meaning the file name may say Xerox, or American Express.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 45 other followers

%d bloggers like this: