New Virus – samsam.exe!

I’m working an issue with a customer at the moment who contracted a computer virus which spread through their whole network, killing all machines on it. This includes servers and workstations.

Here’s what I can tell you:

  • The virus itself appears to be present in the file c:\windows\samsam.exe
  • A process monitor shows when it runs, it creates a file in c:\windows\prefetch (presumably to run itself on startup) as SAMSAM.EXE-<RANDOM>-PF
  • It enumerates your directories and then begins encrypting files using the Windows Cryptography API.
  • It creates the file c:\windows\system32\selfdel.exe
  • It creates c:\windows\del.exe, which is a copy of the SysInternals SDELETE tool. It then runs the command “c:\windows\del.exe -c C: /accepteula” to wipe the free space on the disk, preventing recovery.
  • Once this is done, it then wipes the samsam.exe application off disk.
  • Unlike many variants of Cryptolocker, this one spreads through some yet-to-be-determined manner to other machines on the network. I have it disconnected and thus cannot see how it connects to other machines (or, if it perhaps just overwrote an executable on a network drive).
  • Unlike any variant of Cryptolocker I’ve seen – it spreads to servers and runs on them as background processes, even stopping the Exchange databases and attempting to encrypt them (however, on this customer’s >1TB datastore, it just renamed it – perhaps it renames, encrypts to a temporary file and then copies over?).
  • It will break the Symantec Endpoint Protection install on the machine to an unusable state.
  • It is (as of this immediate moment) not detectable using Symantec Endpoint Protection or Webroot.

I am opening a ticket with Symantec and working it to provide them with the executable and process traces to get this puppy identified but for now – no Symantec tool we’ve run picks it up.
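As an added example (not the poster's code or any vendor tool), here is a small Python triage script that checks process-creation log lines for the host indicators listed above: samsam.exe under the Windows directory, selfdel.exe under system32, the renamed SDELETE copy del.exe run with the free-space clean flag, and the SAMSAM.EXE prefetch entry. The single-line Key=Value log format and the sample events are constructed assumptions; the prefetch filename check follows the standard NAME.EXE-XXXXXXXX.pf convention.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a Sysmon-like Key=Value layout (not real logs from the incident).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\samsam.exe CommandLine="C:\Windows\samsam.exe" ParentImage=C:\Windows\System32\services.exe',
    r'Image=C:\Windows\del.exe CommandLine="c:\windows\del.exe -c C: /accepteula" ParentImage=C:\Windows\samsam.exe',
    r'Image=C:\Windows\System32\selfdel.exe CommandLine="C:\Windows\System32\selfdel.exe" ParentImage=C:\Windows\samsam.exe',
    r'Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" ParentImage=C:\Windows\explorer.exe',
    # Admin running the real SDELETE from its normal location: not one of the post's indicators, so not flagged.
    r'Image=C:\Tools\sdelete.exe CommandLine="sdelete.exe -c C: /accepteula" ParentImage=C:\Windows\System32\cmd.exe',
]

# (description, regex on the lower-cased Image path, regex on the lower-cased command line or "" for none)
INDICATORS: List[Tuple[str, str, str]] = [
    ("samsam.exe payload running from the Windows directory", r"\\windows\\samsam\.exe$", ""),
    ("selfdel.exe helper dropped into system32", r"\\windows\\system32\\selfdel\.exe$", ""),
    # The post reports SDELETE copied to c:\windows\del.exe and run with -c to wipe free space.
    ("renamed SDELETE (del.exe) wiping free space", r"\\windows\\del\.exe$", r"(^|\s)-c(\s|$)"),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Standard prefetch naming: <IMAGE NAME>-<8 hex chars>.pf
PREFETCH_RE = re.compile(r"^SAMSAM\.EXE-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one Key=Value event line into a dict, dropping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def match_indicators(event: Dict[str, str]) -> List[str]:
    """Return descriptions of every indicator this event matches."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    for description, image_re, cmd_re in INDICATORS:
        if re.search(image_re, image) and (not cmd_re or re.search(cmd_re, cmdline)):
            hits.append(description)
    return hits


def is_samsam_prefetch(filename: str) -> bool:
    """True if a prefetch filename matches the SAMSAM.EXE entry the post describes."""
    return PREFETCH_RE.match(filename) is not None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan event lines and return (image path, indicator description) pairs."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for description in match_indicators(event):
            findings.append((event.get("Image", ""), description))
    return findings


if __name__ == "__main__":
    for image, description in scan(SAMPLE_EVENTS):
        print(f"{image}: {description}")
```

Point the script at a real export of process-creation events on a suspect host and at a directory listing of C:\Windows\Prefetch to triage quickly while vendor signatures are still pending.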