mj5150 - Posted April 24, 2015

One of our customers was infected with a couple of variants of the ransomware, Win32/Filecoder.EM trojan and Win32/Injector.BYPX trojan. The HELP_RESTORE text files are all over the C: drive on the server they RDP to, dated from 04/17/2015, but the quarantined files are from 04/20/2015 and 04/23/2015. No text files on the network drives on the server. How do I find where this infection came from? I thought checking the owner under properties would tell you the source of the infection. When I checked the properties of a handful of the text files, the owner is the user profile where the file is located. Is there another way to find the source of the infection?

-Mike
Marcos (Administrator) - Posted April 25, 2015

So it was likely the owner from whose computer the infection originated.
mj5150 - Posted April 28, 2015

I agree, but how do I find out which computer that was? I have about 25 users, none of them can recall a suspicious e-mail/attachment. At least they aren't admitting it. ESET quarantined the infection, but it is sitting in the C:\Users\<username> folder for a handful of users.

-Mike
Marcos (Administrator) - Posted April 28, 2015

Is it that users log in to the network from various computers and thus knowing the owner won't help you identify the computer? If so, I'm afraid it won't be possible to find that computer if it's clean now and the infection doesn't occur any more.
mj5150 - Posted May 2, 2015 (edited May 2, 2015 by mj5150)

Quoting Marcos: "Is it that users log in to the network from various computers and thus knowing the owner won't help you identify the computer? If so, I'm afraid it won't be possible to find that computer if it's clean now and the infection doesn't occur any more."

The issue is, the HELP_RESTORE text files showed several different owners, so it's hard to tell if all these people got infected at the same time, or if it came from one spot and then spread out to others. I was told by another person once that all you need to do to find the source of the infection is check the owner of the HELP_RESTORE text file. Well, I checked and found at least nine or ten different owners when I checked a few of those files.

-Mike
Marcos (Administrator) - Posted May 2, 2015

Since Filecoders are often downloaded by massively spammed downloaders, it's quite likely that all those users ran a malicious file attached to a spammed email. It'd be good to have the ESET configuration reviewed and also to make sure that ESET Live Grid works on those machines as expected (you can use Cloudcar for this purpose, which is similar to eicar but its purpose is to test cloud blocking).
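The thread's manual check (owner and date of each HELP_RESTORE note) can be done for the whole drive at once and then tied back to the RDP session that produced the earliest note. The script below is an added example, not code from the thread or from ESET; it assumes it is run elevated on the RDP server itself, that the Security event log still covers the 04/17-04/23 window, and that the note files match `HELP_RESTORE*`.

```powershell
# Added example: inventory ransom notes by NTFS owner, then correlate the earliest
# note per account with RDP logons (Security event 4624, logon type 10).
# Assumptions: elevated PowerShell 3+ on the RDP server; Security log not yet rolled over.
$Roots       = @('C:\')            # add mapped/network share paths here if needed
$NotePattern = 'HELP_RESTORE*'     # ransom note name described in the thread

$notes = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Filter $NotePattern -ErrorAction SilentlyContinue |
      ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Owner    = (Get-Acl -LiteralPath $_.FullName).Owner   # account that wrote the note
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
        }
      }
}

# One row per owner: how many notes it wrote and when the first one appeared.
# The earliest FirstNote is the best candidate for where the encryption started.
$byOwner = $notes | Group-Object Owner | ForEach-Object {
    $first = $_.Group | Sort-Object Created | Select-Object -First 1
    [pscustomobject]@{ Owner = $_.Name; Notes = $_.Count; FirstNote = $first.Created; FirstPath = $first.Path }
} | Sort-Object FirstNote
$byOwner | Format-Table -AutoSize

# For the earliest owner, list RemoteInteractive (RDP) logons in the hour before the
# first note. WorkstationName / IpAddress name the client machine that connected,
# which is the "which computer" the file owner alone cannot tell you.
$earliest = $byOwner | Select-Object -First 1
$user     = ($earliest.Owner -split '\\')[-1]
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624
    StartTime = $earliest.FirstNote.AddHours(-1); EndTime = $earliest.FirstNote
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.LogonType -eq '10' -and $d.TargetUserName -eq $user) {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName
                           Workstation = $d.WorkstationName; SourceIP = $d.IpAddress }
    }
} | Format-Table -AutoSize
```

Caveat: files created by a member of the local Administrators group are owned by BUILTIN\Administrators rather than the user, so an owner of "Administrators" does not identify an account and the logon correlation must then be run for each admin user in turn. Several owners with FirstNote values minutes apart point to separate infections from the same spam run rather than one machine spreading to the others.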