Virus infection

AXISHK, Author

Asked:
I have a few users who, after clicking an attached file (.js), found all their files locked, with instructions to go to
www.toproject.org/download/dowload... to unlock them.

Is there a way to remove the virus?
KVM4643736525.js.txt
Infrastructure Manager
Commented:
Remove the virus, yes.  Recover the files without a backup or paying the ransom, no.  

And, there's a small chance the ransom will not yield you the key.
Chris H, Infrastructure Manager

Commented:
https://www.virustotal.com/en/file/323aba1674a05176ec8e932d10f3fad309bd4594cc80a33f4a71d51cba1d0fb9/analysis/

As per the above analysis, the file is obviously 0-day or a custom job.  My avast did not detect the content, so moving toward the future, you will want some form of proxy that allows you to block .js from HTTP and SMTP.  Blocking on the HTTP level can create a headache for administrators, but it is the only safe way to stop 0-day or custom threats as such.

Author

Commented:
Sorry, I don't get your idea.

Do you mean I can't remove the virus? I tried scanning with Symantec Norton but it doesn't find anything.

Thx
Chris H, Infrastructure Manager

Commented:
https://www.symantec.com/security_response/submitsamples.jsp

You will have to submit a sample to Symantec so they can analyze it and write a detection signature and cleanup procedure.  The encrypted files, however, will not decrypt without the private key that the hacker/virus used to encrypt the files.

Your only options to restore your "Locked" files are to pay the ransom or restore from backup.

Do you have system restore running on your machine?  Right click one of your files, click properties, and go to the previous versions tab and see if you can restore it from previous versions.

Author

Commented:
Based on the attached configuration, will Windows also back up other user files, besides Windows system files?

Does it mean all the files have been encrypted? Will it also affect my network files?

Thx again.
Dump.png

Author

Commented:
Frankly, the file came through an email. It passed through our Trend Micro to Outlook. The user clicked the attachment accidentally. The workstation also has Symantec installed but nothing can be found by scanning...
Chris H, Infrastructure Manager

Commented:
Since it's 0-day and no analysis, I have no clue what this thing encrypts.  It's just been common practice for hackers to encrypt irreplaceable files that you can't re-install or download again.  They usually target .pdf, doc(x), xls(x), txt, mp3, jpg, png, and so on.  Things that were unique and usually irreplaceable without recreating.  

It's a real scumbag tactic.  They infect, set up a console through a tor proxy which hosts a "vendor" website that accepts bitcoin as payment to access the key.  The key is usually destroyed within 48-96 hours.  In rare cases, AV or hackers have released the keys to AV companies...  Rarely.  Bitcoin, the website and the file are all untraceable back to the author.  The money, once transferred to the Bitcoin wallet advertised, is then washed and scrambled back and forth through the darknet, it makes it almost impossible to locate who accepts it.  

Most virus scanners and firewalls in the world will not detect a 0-day malware program like the one you attached.  For this, you need to deny the following file attachments from coming into your organization via HTTP or SMTP (email):

*.exe
*.anr
*.scr
*.zip
*.rar
*.bat
*.cmd
*.com
*.ani
*.flv
*.job
*.pif
*.wmf
*.mp3
*.7z
*.js
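An added example, not part of the thread: a small Python attachment filter of the kind a mail gateway would run, built from the blocklist in the comment above. It checks only the final extension (so a double extension such as "Invoice.pdf.js", which Explorer shows as "Invoice.pdf", is still caught), ignores case, and, as this example's own extension of the list, opens any payload that starts with the zip signature to look for blocked members hiding under a non-listed name. The message it inspects is constructed here; the sender, recipient and file names are placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Blocklist as posted in the comment above. Inspecting zip payloads for
# blocked members is this example's own addition, not part of the post.
BLOCKED_EXTENSIONS = {
    "exe", "anr", "scr", "zip", "rar", "bat", "cmd", "com", "ani",
    "flv", "job", "pif", "wmf", "mp3", "7z", "js",
}


def blocked_reason(filename: str) -> Optional[str]:
    """Return why a filename is blocked, or None if it may pass.

    Only the last extension decides: Windows hides known extensions by
    default, so "Invoice.pdf.js" displays as "Invoice.pdf" but runs as script.
    The check is case-insensitive ("INVOICE.JS" is still a .js).
    """
    name = filename.strip().lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return "extension .%s is blocked" % ext
    return None


def blocked_zip_members(data: bytes) -> List[str]:
    """Names inside a zip payload that would be blocked on their own."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if blocked_reason(n)]
    except zipfile.BadZipFile:
        return []


def check_message(raw: bytes) -> List[str]:
    """Inspect every attachment of an RFC 822 message; empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = blocked_reason(name)
        if reason:
            findings.append("%s: %s" % (name, reason))
            continue
        payload = part.get_payload(decode=True) or b""
        # A zip renamed to a harmless-looking extension still starts with "PK".
        if payload.startswith(b"PK"):
            for member in blocked_zip_members(payload):
                findings.append("%s -> %s: blocked file inside archive" % (name, member))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample message (not the thread's real attachment)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    # Script hiding behind a document-looking double extension.
    msg.add_attachment(b"var sh = new ActiveXObject('WScript.Shell');",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_2016.pdf.js")
    # A legitimate document that must be allowed through.
    msg.add_attachment(b"%PDF-1.4 (constructed placeholder)",
                       maintype="application", subtype="pdf",
                       filename="Invoice_2016.pdf")
    # A zip under a non-listed extension, carrying a .js inside.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.js", "WScript.Echo('constructed');")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="scan.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in check_message(build_sample_message()):
        print("BLOCK", finding)
```

Run stand-alone it reports the .js and the zip member and lets the .pdf through. A gateway filter like this is a coarse first line: it says nothing about what the script does, which is why the thread also recommends stripping admin rights and application whitelisting on the endpoint.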
Chris H, Infrastructure Manager

Commented:
And also to further clarify, the .JS might not be your malware file.  JS is javascript and usually causes a URL redirect to a drive-by download of some form of machine executable payload like an .exe file.  Again, you need to submit this file to symantec ASAP to get the clock started.  Did you get an advertisement telling you a cutoff time and date?
Commented:
The JS was only the downloader (hence, the user not only clicked on a random email not meant for them, they opened the attachment, AND THEN still clicked on the EXE file).
If the user DID NOT have admin rights, the virus is inside the user profile, and will reside there only (moving the profile, and letting the user log in again to create a new profile is enough). Most viruses can be removed a few hours later with an updated antivirus. If it DID have admin rights (or your computer wasn't fully updated, so you have to assume the EXE gained admin rights), the whole computer is infected, and you're better off scanning it offline (with a proper antivirus boot cd from AVG/Avast and the likes).
And some viruses will even remove themselves!
In any case, most ransomware now ALSO encrypt network shares. So be sure the computer is clean before connecting it back to the network.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
In fact quite similar to this case.
https://isc.sans.edu/forums/diary/Why+Users+Fall+For+Ransomware/20867/
Or
http://blog.trendmicro.com/trendlabs-security-intelligence/crypvault-new-crypto-ransomware-encrypts-and-quarantines-files/

Random32, Cryptolocker or CryptoVault are possible candidates. Network mapped drive files can be encrypted and backups can be deleted. The AV bypass can be due to the attachment being text rather than binary, hence the AV takes it as legitimate since it is not an executable.

Don't pay the ransom; restore from backup. Scan using another AV; I suggest Malwarebytes Anti-Malware. Advise users to change their passwords if they are shared among online accounts.

Way forward: review hygiene, try not to give users admin rights, and enforce running only authorised applications through the use of AppLocker or its predecessor SRP.

For a more detailed list of safeguards and actions, please see the "preventing infection" section:
http://southbayinternetsolutions.com/the-crypto-crunch-ransomware-run-amok/sest/

Author

Commented:
I'm away from the office so I can only check tomorrow.

Another interesting thing is that when a user executes a .js file, Windows 7 should prompt the user with some warning, correct? The user tells me there was no warning when executing the file...

As my Symantec can't find any virus, is there any other tool / malware scanner that I can try?

Thx
Most Valuable Expert 2015
Commented:
It's best to just re-image those PCs that were infected (those the attachment was opened on). Next, make sure your users don't have admin rights. Train them never to open attachments unless they know the sender and are expecting an attachment from them. Also educate them about how to use the web safely. Make regular backups and rotate between different backup media. Remove the backup media from the server once the backup is finished, and store it in a safe location. Use application whitelisting to make sure only those programs you have allowed can be run.

The files that were encrypted will have to be restored from your backups.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
Not necessarily for email, as it depends on the zone identifier. E.g. files downloaded from the internet as well as attachments saved from mail are stored with an NTFS alternate data stream "Zone.Identifier". Regardless, it is an afterthought since the machines are infected. Work on recovery of data and machine state.
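An added example, not from the thread, to make the Zone.Identifier point above concrete. The stream is a small INI-style text whose ZoneId field tells Explorer which URL security zone the file came from; the zone numbers are Windows' own, and the sample stream body is constructed here. The rule that the "Open File - Security Warning" prompt appears only for ZoneId 3 (Internet) and 4 (Restricted sites) describes the default Attachment Execution Service behaviour and is this example's assumption about an unmodified policy. A file with no stream at all (extracted by an archiver that drops it, copied to a non-NTFS volume, or delivered by a path that never marks it) gets no prompt, which is one way a user can run a .js without ever seeing a warning. The stream read and write only work on Windows/NTFS; the parsing runs anywhere.

```python
import sys
from typing import Optional

# URLMON security zones as recorded in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed stream body, as a browser or mail client writes it for a file
# that came from the Internet zone.
SAMPLE_STREAM_INTERNET = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def would_prompt(zone: Optional[int]) -> bool:
    """Default Attachment Execution Service behaviour (assumption: unmodified
    policy): warn or block for Internet (3) and Restricted sites (4). A file
    with no stream, or in zones 0-2, runs with no warning at all."""
    return zone in (3, 4)


def read_zone(path: str) -> Optional[int]:
    """Read the file's NTFS alternate data stream (Windows only).

    Returns None off Windows, when there is no stream, or when it is unreadable.
    """
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def mark_as_internet(path: str) -> bool:
    """Write the stream so the file is treated as downloaded (Windows/NTFS only)."""
    if not sys.platform.startswith("win"):
        return False
    try:
        with open(path + ":Zone.Identifier", "w", encoding="utf-8") as stream:
            stream.write(SAMPLE_STREAM_INTERNET)
        return True
    except OSError:
        return False


def explain(path: str) -> str:
    """One-line verdict for a file on disk: which zone, and whether Explorer prompts."""
    zone = read_zone(path)
    name = ZONE_NAMES.get(zone, "no Zone.Identifier stream")
    return "%s: %s -> %s" % (path, name, "prompt" if would_prompt(zone) else "no prompt")


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(explain(target))
```

On a Windows machine, `python zone_check.py C:\Users\someone\Downloads\attachment.js` (path is a placeholder) prints whether the file still carries the mark; a result of "no Zone.Identifier stream" on an attachment the user says came from email is worth recording in the incident notes, since it explains the absent warning without needing any bypass.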
Chris H, Infrastructure Manager

Commented:
"As my Symantec can't find any virus, is there any other tool / malware scanner that I can try?"

Symantec's up there.  When I first posted that VirusTotal link, you'd notice there were only two detections from two AVs I'd never heard of.  Your safest bet is to follow the advice above and stick with a known vendor like you have.  This happens with every AV.

Author

Commented:
Thx
