Worm Virus Alert
Received this email today, felt like I should share…
Sent: Thursday, December 13, 2012 11:08 AM
Subject: Worm Virus Alert
Good Morning everyone,
I’ve had two clients hit in the last hour with a virus that, for all intents and purposes, locates all network shares and hides their folders in the share, then creates new files that are the same names as those folders, but renames them to “foldername.exe”. You’ll also see “porn.exe”, “sexy.exe”, “passwords.exe”, “secret.exe” and so on and so forth in the root of those folders.
The bad news is this infection is completely undetected by Symantec Antivirus.
The infection vector seems to be an email attachment. At one client the email’s subject was “[SPAM] Scanned Image from a Xerox WorkCentre” with attachment “SCAN_12-12-2012-02.zip” – if the client runs the contents of that zip, you’re infected.
If you’ve enabled Windows 7 user folder redirection (as has been the case with both of my clients), it’s fairly easy to find out who did it. Go to the user folder share and do a “dir /a:h” and look for a hidden user folder. This is the user who did it – disconnect their system immediately. Wipe and reload that system. DO NOT use USB drives on that infected system; that is also a way to transmit the virus.
It appears that Malwarebytes is a suggested program to find this virus and eradicate it from servers.
The good news is these files can be moved/deleted and the folders unhidden:
attrib -h -r -s /s /d "s:\folder_name"
You may want to proactively address your clients to help prevent this. Unfortunately if you’re protected by most of the antivirus vendors at this point, they won’t detect this.
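
An added example, not part of the forwarded email: a read-only PowerShell scan for the pattern the email describes (hidden folders with a same-named .exe beside them, plus the bait file names it lists). The share path `S:\` and the function names are placeholders, and treating the file owner as a hint to the account that wrote the file is an assumption.

```powershell
# Added example: report-only scan, nothing is moved, deleted or unhidden.
# Requires PowerShell 3.0 or later. $SharePath is a placeholder.
param(
    [string]$SharePath = 'S:\'
)

# Bait file names quoted in the email.
$BaitNames = 'porn.exe', 'sexy.exe', 'passwords.exe', 'secret.exe'

function Find-FolderExeDecoy {
    param([Parameter(Mandatory)][string]$Path)

    # -Force includes hidden and system items; -Directory restricts to folders.
    Get-ChildItem -LiteralPath $Path -Directory -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            # The email's pattern: hidden "foldername" next to "foldername.exe".
            $decoy = Join-Path $_.Parent.FullName ($_.Name + '.exe')
            if (Test-Path -LiteralPath $decoy -PathType Leaf) {
                $file = Get-Item -LiteralPath $decoy -Force
                [pscustomobject]@{
                    Finding = 'HiddenFolderWithExe'
                    Folder  = $_.FullName
                    Exe     = $file.FullName
                    Created = $file.CreationTime
                    Owner   = (Get-Acl -LiteralPath $decoy).Owner  # assumption: hints at the writer
                }
            }
        }
}

function Find-BaitExe {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $BaitNames -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'BaitName'
                Folder  = $_.DirectoryName
                Exe     = $_.FullName
                Created = $_.CreationTime
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            }
        }
}

@(Find-FolderExeDecoy -Path $SharePath) + @(Find-BaitExe -Path $SharePath) |
    Sort-Object Created | Format-Table -AutoSize
```

Sorting by creation time puts the earliest dropped files first, which helps narrow down when the share was first hit.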