I’m working an issue with a customer at the moment who contracted a computer virus which spread through their whole network, killing all machines on it. This includes servers and workstations.
Here’s what I can tell you:
- The virus itself appears to be present in the file c:\windows\samsam.exe
- A process monitor shows when it runs, it creates a file in c:\windows\prefetch (presumably to run itself on startup) as SAMSAM.EXE-<RANDOM>-PF
- It enumerates your directories and then begins encrypting files using the Windows Cryptography API.
- It creates the file c:\windows\system32\selfdel.exe
- It creates c:\windows\del.exe, which is a copy of the SysInternals SDELETE tool. It then runs the command “c:\windows\del.exe -c C: /accepteula” to wipe the free space on the disk, preventing recovery.
- Once this is done, it then wipes the samsam.exe application off disk.
- Unlike many variants of Cryptolocker, this one spreads through some yet-to-be-determined manner to other machines on the network. I have it disconnected and thus cannot see how it connects to other machines (or, if it perhaps just overwrote an executable on a network drive).
- Unlike any variant of Cryptolocker I’ve seen – it spreads to servers and runs on them as background processes, even stopping the Exchange databases and attempting to encrypt them (however, on this customer’s >1TB datastore, it just renamed it – perhaps it renames, encrypts to a temporary file and then copies over?).
- It will break the Symantec Endpoint Protection install on the machine to an unusable state.
- It is (as of this immediate moment) not detectable using Symantec Endpoint Protection or Webroot.
I am opening a ticket with Symantec and working it to provide them with the executable and process traces to get this puppy identified, but for now – no Symantec tool we’ve run picks it up.
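Since no AV signature existed at the time, a behavioural check built from the observations in the post (the samsam.exe prefetch entry, the selfdel.exe drop in System32, and the SDELETE free-space wipe launched as c:\windows\del.exe) is one way to triage which hosts to isolate first. This is an added example, not code from the poster; it assumes a simplified, constructed Sysmon-like CSV of process and file events rather than any real log format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample events (NOT real logs). Columns: host, event, image, detail.
SAMPLE_EVENTS = """host,event,image,detail
WS01,ProcessCreate,C:\\Windows\\samsam.exe,"C:\\Windows\\samsam.exe"
WS01,FileCreate,C:\\Windows\\samsam.exe,C:\\Windows\\Prefetch\\SAMSAM.EXE-1A2B3C4D.pf
WS01,FileCreate,C:\\Windows\\samsam.exe,C:\\Windows\\System32\\selfdel.exe
WS01,ProcessCreate,C:\\Windows\\del.exe,"c:\\windows\\del.exe -c C: /accepteula"
SRV02,ProcessCreate,C:\\Windows\\System32\\svchost.exe,"svchost.exe -k netsvcs"
SRV02,ProcessCreate,C:\\Tools\\sdelete.exe,"sdelete.exe -p 1 C:\\temp\\old.log"
"""

# Each rule: (name, event type, regex on image or None, regex on detail or None).
# Rules mirror the behaviours listed in the post; names are our own labels.
RULES = [
    ("samsam_binary_run", "ProcessCreate", r"\\samsam\.exe$", None),
    ("samsam_prefetch", "FileCreate", None, r"\\prefetch\\samsam\.exe-[0-9a-f]+\.pf$"),
    ("selfdel_dropped", "FileCreate", None, r"\\system32\\selfdel\.exe$"),
    # SDELETE free-space wipe (-c) run as del.exe from the Windows directory;
    # a legitimate sdelete run from elsewhere (SRV02 above) must not fire this.
    ("free_space_wipe", "ProcessCreate", r"\\windows\\del\.exe$",
     r"\s-c\s+[a-z]:\s*/accepteula"),
]

def match_events(csv_text):
    """Return {host: [rule names hit, in event order]} for the given CSV text."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name, etype, img_re, det_re in RULES:
            if row["event"] != etype:
                continue
            if img_re and not re.search(img_re, row["image"], re.I):
                continue
            if det_re and not re.search(det_re, row["detail"], re.I):
                continue
            hits[row["host"]].append(name)
    return dict(hits)

def triage(csv_text, threshold=2):
    """Hosts hitting at least `threshold` distinct rules: isolate these first."""
    return sorted(h for h, names in match_events(csv_text).items()
                  if len(set(names)) >= threshold)

if __name__ == "__main__":
    for host, names in match_events(SAMPLE_EVENTS).items():
        print(host, names)
    print("isolate:", triage(SAMPLE_EVENTS))
```

Requiring two distinct behaviours per host keeps a single SDELETE run by an administrator from being flagged on its own.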