
repair file corruption from W32Sillydc worm

I have several computers that got hit with the W32.Sillydc worm or a close cousin. I believe the infection is cleared, but the malware also corrupted many Excel & Word documents on a shared drive. When the file is opened an error appears: "Word cannot start the converter mswrd632.wpc." Another window pops up asking: "Select the encoding that makes your document readable." I've tried nearly all encoding options and none makes the file readable.

Systems are Windows 7 Pro 64-bit and a few old Windows XP Pro 32-bit.

This happens on multiple systems; the same systems can open other documents just fine, including the restored copies. Simpler messages appear if opened on OS X running MS Office for Mac.

As happens, there was one user who has a folder that was not being backed up properly and needs those files restored. Can anyone provide step-by-step instructions to restore those files, or might be willing to perform it as a paid service?

All file corruption happened at the time of the malware infection.

Will send corrupted files if requested.
1 Solution
I have never used this particular software but have used their others. They have a free trial to see if it may work.

Davis McCarn (Owner) commented:
It was not W32.Sillydc that encrypted your files but, rather, a secondary infection that came along with it. There are numerous decryptors written by the good guys to get your files back. Without the name of the actual encryptor, it is fruitless to try decryption.
Google search the names of other detected infections and find the one which encrypts and holds the files for ransom.
btan (Exec Consultant) commented:
As shared by the experts, this is possibly ransomware or scareware at work. Likewise, I also think sillydc (W32.Sality) may be a culprit too. In the past, there were Worm.ExploreZip and Virut (file infector type). Of course, they would likely pave the way for others to come in to perform all sorts of exploits and theft. But typically, if they are of the ransomware type, it will prompt you to get the files back; if not, there is no value in those attempts. I don't think it is your case...

Nonetheless, you can try to see if the "corrupted" files have changed their file formatting to some normal format, using PEiD (http://www.aldeid.com/wiki/PEiD) and ProtectedID (http://protectionid.owns.it/) as a first cut (again).

Also, coming back, the quick recovery methods in the article below can come in handy (e.g. volume shadow) for "corrupted" files, with tools
e.g. RECUVA, OffVis, Zip repair and S2 Services
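
The check btan describes, whether the "corrupted" documents still carry a normal file format, can be done by comparing each file's leading bytes with the container signature its extension implies. This is an added example, not part of the original thread; the 4 KiB sample size, the 7.2 bits/byte entropy threshold and the verdict names are assumptions.

```python
import math
import os
import sys
from collections import Counter

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc / .xls container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx / .xlsx container
EXPECTED = {".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC,
            ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC}
ENTROPY_THRESHOLD = 7.2  # assumption: bits/byte above this looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(head: bytes, ext: str) -> str:
    """Triage a file from its leading bytes and the extension it carries."""
    expected = EXPECTED.get(ext.lower())
    if expected is None:
        return "unknown-extension"
    # Signature first: a healthy .docx is compressed, so entropy alone misleads.
    if head.startswith(expected):
        return "header-intact"    # body may still be damaged; open a copy to confirm
    if head.startswith((OLE2_MAGIC, ZIP_MAGIC)):
        return "wrong-container"  # valid Office container under the other extension
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "damaged-or-other"


def scan(root: str):
    """Yield (path, verdict) for Office files under root; files are only read."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1]
            if ext.lower() in EXPECTED:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, classify(fh.read(4096), ext)


if __name__ == "__main__":
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:18} {path}")
```

Run it against a copy of the share: files reported as likely-encrypted are candidates for restore from backup or shadow copy, while damaged-or-other files are the ones worth trying in repair tools.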

tss-nm (Author) commented:
One of the newer forms of Cyberlocker was used with the $300 ransom request.  I removed the malware last week.  So I'm not sure if I can even pay the ransom if the client chose to at this point.  Any thoughts from here?
btan (Exec Consultant) commented:
Cyberlocker deals with copyright issues and faces many legal issues (consider it like pirate tools). I doubt you want to straddle into it unnecessarily (Megaupload was shut down by the US govt).

There is more on the shakeup at http://www.plagiarismtoday.com/2012/01/24/cyberlocker-shakeup-and-the-aftermath-for-you/

The question is why accede to the request, even if it is alright, and I believe there are means by which the other side will get back, knowing you are taken "offline". I really suggest a clean rebuild and recovering what is best possible from the last known good snapshot or restore point. Do think about reporting to local authorities to follow up.
tss-nm (Author) commented:
Good advice but real solution