Virus infection

I have a few users that, after clicking the attached file (.js), have all their files locked and need to go to
www.toproject.org/download/dowload... to unlock the files.

Is there a way to remove the virus?
KVM4643736525.js.txt
AXISHK asked:
Chris H (Infrastructure Manager) commented:
Remove the virus, yes.  Recover the files without a backup or paying the ransom, no.  

And, there's a small chance the ransom will not yield you the key.

Chris H (Infrastructure Manager) commented:
https://www.virustotal.com/en/file/323aba1674a05176ec8e932d10f3fad309bd4594cc80a33f4a71d51cba1d0fb9/analysis/

As per the above analysis, the file is obviously 0-day or a custom job.  My avast did not detect the content, so moving toward the future, you will want some form of proxy that allows you to block .js from HTTP and SMTP.  Blocking on the HTTP level can create a headache for administrators, but it is the only safe way to stop 0-day or custom threats as such.
AXISHK (Author) commented:
Sorry, I don't get your idea.

Do you mean I can't remove the virus? I tried to scan with Symantec Norton but it doesn't find anything.

Thx

Chris H (Infrastructure Manager) commented:
https://www.symantec.com/security_response/submitsamples.jsp

You will have to submit a sample to Symantec so they can analyze it and write a detection signature and cleanup procedure.  The encrypted files, however, will not decrypt without the private key that the hacker/virus used to encrypt the files.

Your only options to restore your "locked" files are to pay the ransom or restore from backup.

Do you have system restore running on your machine?  Right click one of your files, click properties, and go to the previous versions tab and see if you can restore it from previous versions.
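The "Previous Versions" tab that Chris H points to reads from Volume Shadow Copies, so the same data can be reached from an elevated PowerShell session, which helps when the Explorer tab is empty for one file but the snapshot still exists, or when many files need to be pulled at once. On Windows 7 this only covers user documents if System Protection on the drive is set to "Restore system settings and previous versions of files" rather than system settings only. The script below is an added example, not code from the thread; the document path and the mount directory are hypothetical, and it assumes the workstation is Windows 7 (PowerShell 2.0, hence Get-WmiObject) with System Protection enabled on C:.

```powershell
# Added example (not from the thread): recover one file from a Volume Shadow Copy.
# Run in an elevated PowerShell on the affected workstation.
# Hypothetical path of one encrypted document and where to put the recovered copy.
$Original = 'C:\Users\alice\Documents\report.docx'
$Restored = 'C:\Recovery\report.docx'
$Mount    = 'C:\ShadowMount'   # hypothetical symlink used to reach the snapshot

# Enumerate existing shadow copies, newest first. This is the data "Previous
# Versions" reads. An empty list usually means the ransomware already ran
# "vssadmin delete shadows /all /quiet" and there is nothing to recover this way.
$Shadows = Get-WmiObject -Class Win32_ShadowCopy |
    Sort-Object -Property InstallDate -Descending
if (-not $Shadows) { throw 'No shadow copies present on this machine.' }

# The path inside a snapshot mirrors the live volume, minus the drive letter.
$Relative = $Original.Substring(3)   # strip "C:\"

foreach ($Shadow in $Shadows) {
    # Expose the snapshot device as a directory symlink so normal file cmdlets work.
    # The trailing backslash after the device name is required by mklink.
    cmd /c mklink /d $Mount "$($Shadow.DeviceObject)\" | Out-Null
    try {
        $Candidate = Join-Path -Path $Mount -ChildPath $Relative
        if (Test-Path -Path $Candidate) {
            New-Item -ItemType Directory -Path (Split-Path -Path $Restored) -Force | Out-Null
            Copy-Item -Path $Candidate -Destination $Restored
            # Judge by the snapshot time, not by the file's own timestamps, whether
            # this copy predates the infection; if not, continue to an older snapshot.
            $Taken = $Shadow.ConvertToDateTime($Shadow.InstallDate)
            Write-Host "Restored $Restored from snapshot taken $Taken"
            break
        }
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot.
        cmd /c rmdir $Mount | Out-Null
    }
}
```

Copy recovered files to a location the malware cannot reach, and check that the recovered document actually opens: a snapshot taken after the encryption started holds the encrypted version, which is why the loop walks from the newest snapshot backwards and stops at the first hit only if that copy is good.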
AXISHK (Author) commented:
Based on the attached configuration, will Windows also back up other user files, besides Windows system files?

Does it mean all the files have been encrypted? Will it also affect my network files?

Thx again.
Dump.png
AXISHK (Author) commented:
Frankly, the file came through an email. It passed through our Trend Micro to Outlook. The user clicked the attachment accidentally. The workstation also has Symantec installed but nothing can be scanned...
Chris H (Infrastructure Manager) commented:
Since it's 0-day and no analysis, I have no clue what this thing encrypts.  It's just been common practice for hackers to encrypt irreplaceable files that you can't re-install or download again.  They usually target .pdf, doc(x), xls(x), txt, mp3, jpg, png, and so on.  Things that were unique and usually irreplaceable without recreating.  

It's a real scumbag tactic.  They infect, set up a console through a tor proxy which hosts a "vendor" website that accepts bitcoin as payment to access the key.  The key is usually destroyed within 48-96 hours.  In rare cases, AV or hackers have released the keys to AV companies...  Rarely.  Bitcoin, the website and the file are all untraceable back to the author.  The money, once transferred to the Bitcoin wallet advertised, is then washed and scrambled back and forth through the darknet, it makes it almost impossible to locate who accepts it.  

Most virus scanners and firewalls in the world will not detect a 0-day malware program like the one you attached.  For this, you need to deny the following file attachments from coming into your organization via http or SMTP (email)

*.exe
*.anr
*.scr
*.zip
*.rar
*.bat
*.cmd
*.com
*.ani
*.flv
*.job
*.pif
*.wmf
*.mp3
*.7z
*.js
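One place to apply the SMTP half of Chris H's block list is an Exchange transport rule, which rejects the message at the edge rather than relying on the endpoint AV that missed this sample. The snippet below is an added example, not code from the thread or from any of the posters; it assumes an on-premises Exchange 2013 or later (or Exchange Online) and a shell session holding the "Transport Rules" role, and uses exactly the extensions from the list above.

```powershell
# Added example (not from the thread): reject inbound mail carrying the
# attachment types listed above. Run in the Exchange Management Shell.
# Extension list copied from Chris H's post; trim it to fit your environment.
$BlockedExtensions = @(
    'exe','anr','scr','zip','rar','bat','cmd','com','ani','flv',
    'job','pif','wmf','mp3','7z','js'
)

# Rule 1: match on the attachment file extension for mail from outside the org.
New-TransportRule -Name 'Block executable and script attachments' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -RejectMessageReasonText 'Attachment type not permitted by policy' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Added after .js ransomware downloader reached a user mailbox'

# Rule 2: an extension check is defeated by renaming, so also use Exchange's
# content inspection, which looks at what the attachment actually is.
New-TransportRule -Name 'Block executable content in attachments' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachment content not permitted' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Confirm both rules are enabled and sit ahead of any allow rules.
Get-TransportRule | Select-Object -Property Priority, Name, State
```

Rejecting with a 5.7.1 status tells the sending server the message was refused by policy, so a legitimate sender learns immediately that the attachment did not get through; blocking .zip and .7z wholesale, as the list does, is what produces the administrative headache Chris H mentions, so expect to add exceptions for specific senders.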
Chris H (Infrastructure Manager) commented:
And also to further clarify, the .JS might not be your malware file.  JS is JavaScript and usually causes a URL redirect to a drive-by download of some form of machine executable payload like an .exe file.  Again, you need to submit this file to Symantec ASAP to get the clock started.  Did you get an advertisement telling you a cutoff time and date?
Kimputer (IT Manager) commented:
The JS was only the downloader (hence, the user not only clicked on a random email not meant for them, they opened the attachment, AND THEN still clicked on the EXE file).
If the user DID NOT have admin rights, the virus is inside the user profile, and will reside there only (moving the profile, and letting the user log in again to create a new profile is enough). Most viruses can be removed a few hours later with an updated antivirus. If it DID have admin rights (or your computer wasn't fully updated, so you have to assume the EXE gained admin rights), the whole computer is infected, and you're better off scanning it offline (with a proper antivirus boot cd from AVG/Avast and the likes).
And some viruses will even remove themselves!
In any case, most ransomware now ALSO encrypt network shares. So be sure the computer is clean before connecting it back to the network.
btan (Exec Consultant) commented:
In fact quite similar to this case.
https://isc.sans.edu/forums/diary/Why+Users+Fall+For+Ransomware/20867/
Or
http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/

Random32, Cryptolocker or CryptoVault are possible candidates. Network mapped drive files can be encrypted and backups can be deleted. The AV bypass can be due to the attachment being strewn throughout with text and not binary, hence AV takes it as legit since it is not executable.

Don't pay the ransom, restore from backup. Scan using another AV; I suggest Malwarebytes Anti-Malware. Advise users to change their passwords if they are ones shared among online accounts.

Way forward: review hygiene, try not giving users admin rights, and enforce running only authorised applications through use of AppLocker or its predecessor SRP.

For a more detailed list of safeguards and actions,
please see the "preventing infection" section
http://southbayinternetsolutions.com/the-crypto-crunch-ransomware-run-amok/sest/
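The AppLocker recommendation above is the control that would have stopped this particular chain: a .js attachment saved under the user's profile and run by Windows Script Host. AppLocker's Script rule collection covers .js, .vbs, .ps1, .bat and .cmd, and a path-based deny rule on the profile directory blocks them wherever Outlook or a browser drops the file. The policy below is an added example, not from the thread or from any poster; it assumes an edition that ships AppLocker (Windows 7 Enterprise or Ultimate, Windows 8 and later, Server 2008 R2 and later), an administrative PowerShell session, and that the deny should apply to Everyone (S-1-1-0). The rule GUIDs and the attachment path used for the test are made up for the example.

```powershell
# Added example (not from the thread): AppLocker Script rules that deny scripts
# launched from user profiles while still allowing the ones Windows and installed
# software need. Once a collection has rules, anything not allowed is denied, so
# the two allow rules are required, not optional.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="a7f7d0a6-3c7e-4b36-9b0f-1e9a2d3c4b5a"
                  Name="Deny scripts run from user profiles"
                  Description="Blocks .js/.vbs/.ps1/.bat/.cmd under the Users directory"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="b1c2d3e4-f5a6-4718-92b3-c4d5e6f7a8b9"
                  Name="Allow scripts from the Windows directory"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="c2d3e4f5-a6b7-4829-a3c4-d5e6f7a8b9c0"
                  Name="Allow scripts from Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyPath = Join-Path -Path $env:TEMP -ChildPath 'deny-user-scripts.xml'
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# Dry run: evaluate the policy against a saved attachment before enforcing it.
# Hypothetical path; PolicyDecision should read "Denied".
Test-AppLockerPolicy -XmlPolicy $PolicyPath `
    -Path 'C:\Users\alice\AppData\Local\Temp\KVM4643736525.js' `
    -User Everyone

# Merge into the local policy. AppLocker does nothing until the
# Application Identity service is running.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

The collection starts in AuditOnly so that blocked script launches show up in the AppLocker event log without breaking logon scripts you forgot about; change EnforcementMode to Enabled once the audit events look clean. In a domain the same XML is imported into a GPO instead of merged locally, and on recent Windows releases the AppIDSvc start type is also set through that GPO rather than with Set-Service.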
AXISHK (Author) commented:
I'm away from the office so can only check tomorrow.

Another interesting thing is that when a user executes a .js, Windows 7 should prompt some warning to the user, correct? The user tells me there was no warning when executing the file...

As my Symantec can't find any virus, is there any other tool / anti-malware that I can try?

Thx
rindi commented:
It's best to just Re-image those PC's that were infected (those the attachment was opened on). Next make sure your users don't have admin rights. Train them never to open attachments unless they know the sender and are expecting an attachment from him. Also educate them about how to use the web safely. Make regular backups and rotate between different backup media. Remove the backup media from the server once the backup is finished, and store it in a safe location. Use application white-listing to make sure only those programs you have allowed can be run.

The files that were encrypted will have to be restored from your backups.
btan (Exec Consultant) commented:
Not necessarily for email as it depends on the zone identifier. E.g. files downloaded from the internet as well as attachments saved from mail are stored with an NTFS alternate datastream "Zone.Identifier". Regardless, it is an afterthought since machines are infected. Work on recovery of data and machine state.
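The Zone.Identifier stream btan describes is what the shell's attachment manager consults before showing the "Open File - Security Warning" prompt when a file is launched from Explorer; a file written without that stream produces no prompt, which is one explanation for the user seeing none. The commands below are an added example, not from the thread; they assume NTFS and PowerShell 3.0 or later (the -Stream parameter is absent from the PowerShell 2.0 that Windows 7 ships with, where `dir /r` in cmd.exe lists the same streams), and the attachment path is hypothetical.

```powershell
# Added example (not from the thread): read, set and clear the mark-of-the-web
# alternate data stream on a file saved from mail or a browser.
# Hypothetical location of the saved attachment.
$File = 'C:\Users\alice\AppData\Local\Temp\KVM4643736525.js'

# List every stream. A file that shows only ":$DATA" carries no zone information
# and will open without the security prompt.
Get-Item -Path $File -Stream * | Select-Object -Property Stream, Length

# Read the zone if present. ZoneId=3 is the Internet zone, the value that makes
# the shell warn before running; 0 (local), 1 (intranet) and 2 (trusted) do not.
if (Get-Item -Path $File -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -Path $File -Stream Zone.Identifier
} else {
    Write-Host 'No Zone.Identifier stream: the file was saved without a mark of the web.'
}

# Apply an Internet-zone mark, the same content Outlook and browsers write when
# they save an attachment, so that launching the file from Explorer does prompt.
Set-Content -Path $File -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Remove the mark again; this is what the "Unblock" button in the file's
# Properties dialog does.
Unblock-File -Path $File
```

Two caveats a responder should keep in mind: the stream is lost when a file is copied to a FAT volume or extracted by an archiver that does not propagate it, and the prompt is a shell feature, so a script run by a program other than Explorer (or an archive viewer that launches the file itself) never sees it regardless of the zone value.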
Chris H (Infrastructure Manager) commented:
"As my Symantec can't find any virus, is there any other tool / anti-malware that I can try?"

Symantec's up there.  When I first posted that VirusTotal link, you'd notice there were only two detections from two AVs I'd never heard of.  Your safest bet is to follow the advice above and stick with a known vendor like you have.  This happens with every AV.
AXISHK (Author) commented:
Thx