Capt.Nemo

Members
  • Posts

    3
Posts posted by Capt.Nemo

  1. My experience with this was all very odd... File extensions were not changed and I never saw the actual ransom request as typically associated with Filecoder/Cryptolocker, et al. It seems as if the trojan/virus/infection never fully completed and somehow got stopped before being fully executed.


    I ran a couple of A/V scans from multiple tools, cleaned everything I could find, and restored from backups rather than pay the ransom. Have had no further issues...


    There is no doubt it came from a user clicking a .zip attachment in a FedEx, UPS or DHL spoof. As "mattspchelp" stated above, it may be a good idea to implement some kind of security via group policy (or other methods) instead of relying on antivirus to stop this.

  2. It appears that my server (Windows Server 2003 R2) with Eset NOD32 4.x Antivirus installed was compromised last night. Starting at 7:53pm, most .PDF and .XLS(X) files were modified and are now corrupted and cannot be opened. Corrupted files opened in Notepad yield a file full of square blocks...

    I have backups, so that isn't a problem. However, I would like to know what happened and how I got attacked. Any tips on how to track down the source?


    One of my workstations quarantined a couple files yesterday and today. It quarantined "Spy.Zbot.AAU" trojan, "Filecoder.BQ" trojan, and "Kryptik.BLTM" trojan. The first one was quarantined 5 hrs. before server files were modified and the next two were 9 hrs. after they were modified.


    I realize NOD32 is an older version. I have Endpoint Antivirus on all my workstations.
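One way to start building the timeline the second post asks for, as an added example that is not from the thread or from ESET: a script that walks a share, flags PDF and XLS(X) files whose first bytes no longer match their extension's signature (the "square blocks in Notepad" symptom), and lists them by modification time from the 7:53pm start onward, so the earliest hit shows where the run of modifications began. The sample share, its file contents and its dates are constructed for the demo.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Well-known leading bytes of a healthy file of each type.
MAGIC = {
    ".pdf": b"%PDF-",
    ".xls": b"\xd0\xcf\x11\xe0",  # OLE2 compound document (legacy Excel)
    ".xlsx": b"PK\x03\x04",       # OOXML is a zip container
}

def header_mismatch(path):
    """True if the extension is one we know and the header no longer matches it.
    An overwritten/encrypted document keeps its name but loses its signature."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None  # not a type we check
    with open(path, "rb") as fh:
        head = fh.read(len(MAGIC[ext]))
    return not head.startswith(MAGIC[ext])

def find_damaged_since(root, since):
    """Return [(mtime, path)] of header-mismatched files modified at or after
    `since`, sorted by mtime; the first entry is the earliest file touched."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path))
            if mtime >= since and header_mismatch(path):
                hits.append((mtime, path))
    return sorted(hits)

def build_sample_share():
    """Constructed sample tree (not real data): two damaged files after 19:53,
    one healthy PDF, and one bad-looking XLS from before the window."""
    root = tempfile.mkdtemp(prefix="share_")
    t0 = datetime(2013, 10, 15, 19, 53)  # constructed date; 7:53pm from the post
    samples = [
        ("q3.pdf", b"%PDF-1.4 healthy", t0 + timedelta(minutes=1)),
        ("inv.pdf", b"\xa3\x17\x00\x9e\xbb", t0 + timedelta(minutes=2)),
        ("book.xlsx", b"\x05\xfe\x88\x00junk", t0 + timedelta(minutes=7)),
        ("old.xls", b"\x00\x00\x00\x00", t0 - timedelta(days=3)),
    ]
    for name, data, when in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root, t0

if __name__ == "__main__":
    root, t0 = build_sample_share()
    for mtime, path in find_damaged_since(root, t0):
        print(mtime.strftime("%Y-%m-%d %H:%M"), path)
```

Point `find_damaged_since` at the real share root and the incident start time; the list it returns is the set of files to restore from backup and the order in which they were hit.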
