CryptoWall

Hi

We have just been hit by the CryptoWall/CryptoLocker virus. We are running Version 5 managed from the Remote Admin Console and fully updated with the latest signatures.

ESET did highlight and delete some of the encryption html/txt files, but the PC that was infected did end up with encrypted files ending in .aaa. Thankfully I was informed quickly and was able to stop it spreading to the network shares.

An Exe file was found lurking in the user's Temporary Internet folder. The Exe file, with a random name such as wnpwfxred.exe, was happily running in the background, and Eset had not picked it up or attempted to kill the process. Eset had only deleted the html/txt files containing some encryption coding.

I had to run MalwareBytes in order to remove the offending file, as it had stopped Task Manager from running so I could not search for the offending file and kill the process myself.


I haven't tried, but I used Malware Bytes to remove it so I guess it is now gone.

My concern is why Eset missed the file and did not attempt to stop it running and delete the file; surely that is what it is supposed to do. According to Eset they have never ever missed an Out in the Wild virus, so what happened?

  • Administrators

There is nothing like 100% malware detection, no security solution provides such. First of all, we need to make sure that your ESET product is configured for maximum protection, that's why I asked you if CloudCar is detected on the computer in question.

As for MBAM, it often detects registry or file remnants that are innocuous so it'd be good if you could supply us with MBAM's quarantine to analyze what it detected.


OK, when downloading the cloudcar file I was presented with a warning about the file having not been downloaded much and that it could be harmful. It did let me download and save the file.

I also tried the same file on a standalone V5 installation and it correctly quarantined the file.

All machines have Real-time file system protection on, web access protection on and email client protection on, controlled by profiles from ERA.

The MalwareBytes log is below; I have replaced the user's folder with xxxxxxx for security.

Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 18/08/2015
Scan Time: 14:11:36
Logfile: MBAW.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.08.18.04
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator
 
Scan Type: Threat Scan
Result: Cancelled
Objects Scanned: 38136
Time Elapsed: 4 min, 52 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 1
Trojan.TeslaCrypt, C:\Documents and Settings\xxxxxxxxxxx\Application Data\vcwnpd.exe, 3100, Delete-on-Reboot, [da72cb3f42496dc900bf6bf353ade21e]
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 1
Trojan.TeslaCrypt, HKU\S-1-5-21-3856658756-1690372353-575384576-1163\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MSCONFIG, C:\Documents and Settings\xxxxxxxxxx\Application Data\vcwnpd.exe, Quarantined, [da72cb3f42496dc900bf6bf353ade21e]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
Trojan.TeslaCrypt, C:\Documents and Settings\xxxxxxxxxx\Application Data\vcwnpd.exe, Delete-on-Reboot, [da72cb3f42496dc900bf6bf353ade21e], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

I am confused, as I have the same policy for all clients, both XP 32bit and Windows 7 64bit.

I have a policy set up that is rolled out to each client. The policy has all real-time protection features enabled. When I look at the local XP machine settings, Scan on file open and Scan on file execution are set to No, but on the Windows 7 machines they are set to Yes.

When I check the configuration in ERA, it says Scan on file open No and Scan on file execution No.

Why is the configuration view not reflecting the actual settings on the machine?


  • Administrators

Please compress the content of "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine". Also collect logs using ESET Log Collector on the infected pc as per the instructions at hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3466. Upload both archives to a safe location and pm me the download link.

This topic is now closed to further replies.