Endpoint Protection

  • 1.  Dowloader.Ponik - Cryptolocker encrypted

    Posted Jan 29, 2015 03:23 PM

    Hi All,

    Received a file (prozellanfabrik_frauenthal_gesmbh.cab) as an email attachment.  After extracting the .cab file I found one .scr file, which, when double-clicked, opened in MS Word by default; the system then got sluggish and hung.  After a few moments the extensions of all Word, Excel, PPT, PDF, text and zip files had changed to "ubvleva".  We then tried to open the files by renaming the extensions back to the originals, but none of the files could be accessed; we even tried System Restore.

    We have SEP 12.x at our office, which didn't catch the virus/Trojan at that moment.  But in the evening the virus was detected automatically by Auto-Protect, with a pop-up showing the virus name "Dowloader.Ponik" for the same file I received through email, which I had kept for assessment/R&D.

    Kindly help to decrypt those files.

    Regards!

    S.Kashif.Ali
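    As an added example (not from this thread or from Symantec), a Python triage script for the situation described above: it finds the unfamiliar extension ("ubvleva") that most files were renamed to and checks each file's header to tell a mere rename, which renaming back would fix, from an encrypted file, where the original bytes are gone. The sample directory, file names and contents are constructed.

```python
import os
import tempfile
from collections import Counter

# Signatures for the document types the post lists (docx/xlsx/pptx are ZIP containers).
MAGIC = {".pdf": b"%PDF", ".doc": b"\xd0\xcf\x11\xe0", ".zip": b"PK\x03\x04",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04"}
KNOWN_EXTS = set(MAGIC) | {".txt", ".scr", ".cab", ".exe", ".dll", ".log"}

def original_ext(path):
    """'report.pdf.ubvleva' -> '.pdf': the extension underneath the appended one."""
    return os.path.splitext(os.path.splitext(path)[0])[1].lower()

def header_matches(path):
    """True/False if the on-disk bytes (do not) carry the original signature; None if no signature."""
    sig = MAGIC.get(original_ext(path))
    if sig is None:
        return None
    with open(path, "rb") as f:
        return f.read(len(sig)) == sig

def triage(root):
    """Find the unfamiliar extension most files now carry and split those files into
    'renamed_only' (content intact, renaming back works) and 'encrypted' (header gone)."""
    by_ext, suspects = Counter(), []
    for dirpath, _, names in os.walk(root):
        for name in names:
            ext = os.path.splitext(name)[1].lower()
            if ext not in KNOWN_EXTS:
                by_ext[ext] += 1
                suspects.append(os.path.join(dirpath, name))
    if not suspects:
        return {"suspect_ext": None, "count": 0, "renamed_only": [], "encrypted": []}
    ext, count = by_ext.most_common(1)[0]
    hits = [p for p in suspects if p.lower().endswith(ext)]
    return {"suspect_ext": ext, "count": count,
            "renamed_only": [p for p in hits if header_matches(p) is True],
            "encrypted": [p for p in hits if header_matches(p) is False]}

def build_sample():
    """Constructed tree: two encrypted documents, one merely renamed, one untouched."""
    root = tempfile.mkdtemp()
    files = {"report.pdf.ubvleva": b"\x9c\x02\x7fQ\xe1\x88\xb0\x1d",  # header overwritten
             "budget.xlsx.ubvleva": b"\x11\xaa<\x09\xf7\x00^+",
             "memo.pdf.ubvleva": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",  # only renamed
             "notes.txt": b"plain notes"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

    Files in "encrypted" cannot be recovered by renaming; only a backup or a shadow copy that the malware did not delete will bring them back.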



  • 2.  RE: Dowloader.Ponik - Cryptolocker encrypted

    Posted Jan 29, 2015 03:24 PM

    The files are lost if you do not have a backup to restore from.

    See here:

    https://www-secure.symantec.com/connect/forums/fil...

    https://www-secure.symantec.com/connect/forums/new...

    Support Perspective: CTB-Locker and other forms of Crypto malware

    https://www-secure.symantec.com/connect/blogs/supp...

    Mik2009's article on this:

    Recovering Ransomlocked Files Using Built In Windows Tools

    https://www-secure.symantec.com/connect/articles/r...

    Ransomcrypt: A Thriving Menace (aka Cryptolocker: A Thriving Menace)

    https://www-secure.symantec.com/connect/blogs/rans...

    Cryptolocker Q&A: Menace of the Year

    https://www-secure.symantec.com/connect/blogs/cryp...



  • 3.  RE: Dowloader.Ponik - Cryptolocker encrypted

    Posted Jan 30, 2015 12:33 AM

    Check the Symantec article:

    http://www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99


    http://www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99&tabid=3

    To remove the Dowloader.Ponik virus permanently, you can run the SymHelp tool and clean it.

    Download the Symantec Help (SymHelp) diagnostic tool to detect Symantec product issues

    Article:TECH170752  | Created: 2011-09-29  | Updated: 2014-10-01  | Article URL http://www.symantec.com/docs/TECH170752

    Eliminating viruses and security risks

    Article:HOWTO27280  | Created: 2010-01-08  | Updated: 2010-01-15  | Article URL http://www.symantec.com/docs/HOWTO27280


  • 4.  RE: Dowloader.Ponik - Cryptolocker encrypted

    Posted Jan 30, 2015 05:39 AM

    Hi Kashif.ali,

    The posts above are accurate.  What you are describing is a major malicious spam campaign that is currently underway.  The recommendations in https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware will help you protect yourself.

    I see the malicious file in your instance is now detected; warn your end users to expect more of these malicious files to arrive in the coming days.  Ensure that they are not opened; submit them to Security Response if they are not detected.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    Additional good advice:

    https://www-secure.symantec.com/connect/forums/cryptolockercryptodefense-defenses

    and

    The Day After: Necessary Steps after a Virus Outbreak
    https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

    Please do update your thread if there is anything additional required, or mark it solved if the question has been addressed.

    With thanks and best regards,

    Mick



  • 5.  RE: Dowloader.Ponik - Cryptolocker encrypted

    Trusted Advisor
    Posted Jan 30, 2015 09:30 AM

    I hate to say this but... Please update yourself (and other staff) with email safety lessons - NEVER, EVER run any attachments from unknown source.

    I do really hope you have a very good backup to restore these files because they are forever lost.



  • 6.  RE: Dowloader.Ponik - Cryptolocker encrypted

    Posted Feb 11, 2015 01:54 AM

    Hi again,

    Just wondering if there were any additional questions?  This thread is still marked "needs solution."

    With thanks and best regards,

    Mick