First time poster, long time reader - hope you're all well?
I have a strange problem which has been driving me slowly nuts over the last 24 hours. We have a couple of network shares that seemed to be behaving strangely. Examining the shares revealed three new files in the root of the share:-
All three were marked as read only, system, hidden files. Then throughout the drive; all Excel and Word files were being hidden and replaced with a shortcut (a .lnk file using the same name as the now-hidden file).
The .lnk file would load CMD.exe; start the thumbs.db2 file; then run the relevant correct program (word or Excel) and the file - a typical shortcut would look like this:-
C:\WINDOWS\system32\cmd.exe /C start \thumbs.db2 && start winword.exe "~$J claim form detail.doc"
I've scanned all three files above using virustotal.com and they come back clean - thankfully at the end of the report, it provides a guess on what it thinks the files are; so it turns out the .ini files are actually Excel and Word icon files (used to mask the shortcut with the correct Office logo) and the thumbs.db2 file is an executable.
I've tried decompiling the thumbs.db2 file using IDA Pro Free V5, but I'm by no means a coder; so can't see what else this file may be doing.
the only form of proagation we can therefore see is when someone tries to run a spreadsheet or document; they are kicking off the process to scan all Excel and Word files.
AFAIK this process doesn't seem to affect local documents, only on network shares.
I've not attached any files; but the report for the thumbs.db2 file from Virustotal.can be found here:Link to virustotal.com scan report for thumbs.db2
Needless to say, I've tried a *lot* of Googling to get to the bottom of this, but can't find anything beyond the usual "If a piece of malware hides all your files run attrib... to reset"
So, do I have anything to worry about; or should I just keep squashing this process until it stops (it does seem to be slowing down today)
Your thoughts, further queries and pearls of wisdoms will be greatly received!
Thanks in advance