ssgchelp

All Excel Files on Server Share are Corrupt

I have a server running Windows 2008 R2. All clients are running Windows 7 with Office 2007 or Office 2010. All of a sudden, yesterday, the Excel files in a server shared folder have become corrupt. No other file type is corrupt in that folder or sub-folders. No Excel files in any other directory are corrupt. Just this one. When you try to open the file it says "The file you are trying to open, , is in a different format than specified by the file extension". If you say ok then it just shows a lot of garbage in the spreadsheet.

Quota management is off and VSS is not enabled.

Has anyone come across this issue before?
redmondb

Hi, ssgchelp.

Can you post one of the files here, please? (Be careful about the sensitivity of any file that you pick - don't rely on the apparent corruption to hide information.)

Thanks,
Brian.
The issue may be related to your Anti-Virus software. Or it could be a policy issue that prevents opening old file formats (such as .xls). Both of the above have been found to cause the type of problem you describe.
ssgchelp

ASKER

Here is a file. I think it may have to do with a virus. I restored all Excel files in this directory from the previous night backup to a different location and all the files are fine.
acronyms.xls
Thanks, ssgchelp.

It's not a spreadsheet - it just contains apparently random data. I say "apparently" - TrID couldn't identify it, SysInternal's Strings.exe finds nothing and it "looks" random. When I've seen this before, it's because a disk's pointers have been corrupted.

It's great that your backup is good, but I'd strongly recommend that you check the disk.

Regards,
Brian.
I'll do a chkdsk, but wouldn't that affect files with other extensions on that drive? Also, why wouldn't Excel files on the same drive that were in different folders be affected?
ssgchelp,

A chkdsk would be good, but I'd also check logs.

"All Excel files in that folder" is a meaningful subset of your files. As such, it's entirely possible that someone/something should choose to process just them.

There are other possibilities. In my experience, they're just less likely...
(1) Malicious action by a user. (If they were smart enough to leave no trail, this seems a pretty crude act of sabotage.)
(2) Virus. Some viruses encrypt file contents and ask for payment to unencrypt them. Encrypted and random data look much the same.
(3) Someone was running an update and accidentally picked the wrong files. Actually, that's something else to check - any possibility that someone is working on (or using) file encryption?

Cheers,
Brian.
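The inspection Brian describes above (a file that no longer identifies as a spreadsheet and "looks" random, which is also how encrypted data looks) can be run across a whole share. This is an added example, not code from the thread; the 7.5 bits/byte threshold, the function names and the sample data are assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# Leading bytes a genuine Office file starts with.
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .xls/.doc compound file
ZIP = b"PK\x03\x04"                        # .xlsx/.docx ZIP container
EXPECTED = {".xls": OLE2, ".doc": OLE2, ".xlsx": ZIP, ".docx": ZIP}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Classify one file from its extension and leading bytes."""
    magic = EXPECTED.get(os.path.splitext(name)[1].lower())
    if magic is None:
        return "skipped"            # no signature known for this extension
    if data.startswith(magic):
        return "ok"                 # header matches (checked first: ZIP data is high-entropy too)
    if shannon_entropy(data) >= threshold:
        return "suspect-encrypted"  # wrong header and statistically random
    # Wrong header but structured, or too short to measure (n bytes cap at log2(n) bits).
    return "wrong-format"

def scan(root: str, sample: int = 65536) -> dict:
    """Walk a folder tree; return {path: verdict} for files that need attention."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    verdict = triage(name, fh.read(sample))
            except OSError:
                verdict = "unreadable"
            if verdict not in ("ok", "skipped"):
                findings[path] = verdict
    return findings

# Constructed samples: deterministic random-looking bytes and a minimal valid OLE2 header.
RANDOM_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
GOOD_XLS = OLE2 + bytes(504)
```

Running `scan()` against a restored copy and against the live share shows which folders are still being rewritten.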
ssgchelp, we also had this problem start happening on Thursday/Friday of last week. I restored the affected directories from backup and they were fine. I came back in this morning and users were reporting that the files were fine when they came in, but then shortly later became corrupt again. My environment seems similar to yours. We are also running Symantec endpoint security for AV. It now appears that the directory is actively corrupting files. I created an xls and copied it over, and it opened fine remotely. Then I closed and re-opened it again and it was corrupt. This is happening with all .xls, .xlsx, .doc, .docx, .rtf. Text files and PDFs are completely fine. I am wondering if this is a botched definition update from Symantec? Are you using them for AV also?

Edit: I've uploaded an xls file that was fine before I copied it to the affected share. I tried to open it again after xfer and this is what is returned. And again, it's only this directory on the share server.

Edit 2: If I move a working xls over to the share marked read-only, it remains fine and opens without issue. As soon as I remove the read-only attribute, it corrupts almost instantly. AV comes up clean with the latest set of definitions and I don't see any suspicious processes running on the share server either.
IT-Comparisons.xls
CoffeePlease,

Yes, your file looks as random as ssgchelp's.

Which version of SEP are you running?

Regards,
Brian.
Hi Brian,

Thanks for your response.  I am running SEP version 11.0.4014.26.

Thanks,
-John
Thanks, John - it'll probably be good news if that's ssgchelp's version as well!
Hopefully.. that's why I joined up :)  I still find it bizarre that other shares on this server are unaffected (so far).  Thanks for the participation. Also, that it seems to have happened on the same timeline.
Hi. I do not use Symantec. I use Trend Micro's Worry Free Business. Here is what I know about this issue after 3 days.

1) Problem affected only .xls and .doc files in shared network folders that had all users full control permissions.
2) .pdf, tif, jpg, all other file formats are fine.
3) shared directories that have .xls, .doc in them are fine but those directories don't have full control all user permissions.
4) 3 machines were infected with viruses, 5 others with malware/spyware.
5) no hard drive or volume errors in Windows logs. RAID management consistency check found no errors.

Given all this information, I'm concluding that it is a virus issue.
ssgchelp,

"3 machines were infected with viruses, 5 others with malware/spyware."

!

Please click on the "Request Attention" link below your question and ask the Mods to add the appropriate Topic Area(s). In addition, please specify the viruses and malware that you've identified.

All the best,
Brian.
Microsoft just updated a Technical Note covering corruption of Office documents due to a ransom-ware virus attack: "Excel cannot open the file [filename] because the file format or file extension is not valid." opening Office files. They suggest running Microsoft Safety Scanner to find and remove the virus. Your files are toast, however, and should be restored from a backup.
Great catch, byundt.
Trend Micro found the following viruses on client machines.
TROJ_RANSOM.IQN
TROJ_SPNR.0EI713
TROJ_INJECTER.FV
TROJ_GEN.R0C5C0HHM13

Thank you all for your help.
ssgchelp,

I wouldn't mind that the names are all different from the one which byundt mentioned - the same virus often has different names. I do think that it's significant that one of them includes the word "Ransom". This is what I referred to earlier and is also the nature of the virus byundt mentioned.

Regards,
Brian.
ASKER CERTIFIED SOLUTION
CoffeePlease

This solution is only available to members.
This hit my company last week.  You're going to have to find the infected desktop to keep it from happening.  This ransomware takes ownership of every file it can and changes the owner to the infected user.  Then it encrypts them and pushes for ransom.  So if you can find the infected machine, you can clean up the virus AND track down all infected files by owner name (we used Tree Size to find this data).  Then you can use previous versions or just restore from backup.  

What you will most likely find out is that this user is in a group that has full control over directories and that's how the virus was able to take control of files -- by using his credentials.  Good luck.