Had a customer get hit with this yesterday, email attachment of .doc. Their documents folders are redirected to the server so it started encrypting files on the server, I think. File extensions were changed to random 3 numbers so I thought they were encrypted at that point. After a restore from tape backup (Symantec Backup Exec) the extensions were still random 3 digits? If I renamed the file extensions to .wpd they would open fine in WordPerfect. I am thinking we caught it before it could fully execute its payload.
Question is how does this spread across shares and mapped drives? Does it push an executable across the share/mapped drive and let it run on the server? I did see a process running on the server of kf51977.exe which I immediately ended, but every minute or so it came back with a slightly different name. I then rebooted the server and that exe stopped running.
The original attachment said it was a Word .doc, I uploaded it to virustotal and got 8/56 hits that said it was a downloader.
Anyone know how this evil process works and maybe a way to prevent it? I did some reading on CryptoPrevent and was wondering if that would stop it on a server? (Server 2003)
Yes they are getting a new server soon!