
Some virus has corrupted many of our Microsoft Office files and PDF files.

Created: 04 Oct 2013 • Updated: 04 Oct 2013 | 47 comments

We have an issue where many of our Microsoft Office files (Excel, Word) and PDF files have been corrupted.  I get errors saying that the 'File is not in a recognizable format' for Excel.  The PDF files say that it's not a supported file.

Even picture files are corrupt.  Excel and Word will open the file, but it is all garbage characters everywhere.

We are on an older version of SEP (11.0.6300.803) and I'm working on getting the update.  Is this a known virus?  Can we recover these corrupted files?

Our backup retention period has passed, so I could not recover from backup.

Please help!!!

Thanks,

Jasper
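A triage script for the symptom described above, added here as an example and not code from the thread or from Symantec: it checks each file's leading bytes against the signature its extension implies and measures byte entropy, so a file that keeps its name, extension and size but fails the header check with content near 8 bits per byte has almost certainly been encrypted rather than merely damaged. The sample directory, the file set and the entropy threshold are constructed for the example.

```python
import math
import os
import tempfile
import zipfile

# Leading bytes each extension is expected to start with. OOXML (.docx/.xlsx)
# files are ZIP containers; legacy .doc/.xls files are OLE2 compound files.
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".jpg": (b"\xff\xd8\xff",),
}
# Bits per byte above which the first 4 KiB is treated as ciphertext rather
# than as a truncated or zero-filled document (assumed threshold).
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect(path):
    """Return (header_ok, entropy). header_ok is None for extensions not in
    MAGIC, else whether the file starts with one of the expected signatures."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(4096)
    sigs = MAGIC.get(ext)
    header_ok = None if sigs is None else any(head.startswith(s) for s in sigs)
    return header_ok, shannon_entropy(head)


def triage(root):
    """Walk root and list files whose header contradicts their extension,
    oldest modification first: the earliest suspect approximates when the
    damage began, which helps choose a backup or shadow copy to restore."""
    suspects = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            header_ok, entropy = inspect(path)
            if header_ok is False:
                suspects.append({
                    "name": name,
                    "mtime": os.path.getmtime(path),
                    "entropy": round(entropy, 2),
                    "likely_encrypted": entropy >= ENTROPY_THRESHOLD,
                })
    suspects.sort(key=lambda s: s["mtime"])
    return suspects


def build_sample_dir():
    """Constructed sample: three intact files and two whose bytes were replaced."""
    root = tempfile.mkdtemp(prefix="triage_")

    def write(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    write("report.pdf", b"%PDF-1.4\n% constructed intact sample\n")
    with zipfile.ZipFile(os.path.join(root, "budget.xlsx"), "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
    write("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # Stand-in for ciphertext: every byte value appears equally often, giving
    # the maximal 8.0 bits/byte that real encrypted output approaches.
    cipher = bytes(range(256)) * 16
    write("invoice.pdf", cipher)
    write("memo.doc", cipher)
    return root


if __name__ == "__main__":
    for s in triage(build_sample_dir()):
        print(f"{s['name']:<12} entropy={s['entropy']} encrypted={s['likely_encrypted']}")
```

Run it against a copy of the affected share, not the originals, and use the oldest suspect's modification time to pick the restore point.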


Comments (47)

.Brian wrote:

Is anything showing in the SEP clients risk log?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

568628263 wrote:

There are a few items that showed up on the risk log.

Trojan.Gpcoder.E

Downloader

Trojan.Maljava!gen17

Infostealer.Bancos

Trojan.Dropper

 

I looked these up and none of them seem to cause the issue we are having.  Either way, I have been taking each one of these machines and wiping them clean just to be on the safe side.

Thanks!

Jasper

Support-mcc wrote:

We too were just hit this afternoon.  All WORD, EXCEL, and now we see PDFs are all corrupted.  I noticed one user on our terminal server accessing 800-900 files at a time.  I suspect that his session is the source of the attack.

I have run a FULL scan using 12.1.3001.165 and it found NOTHING ! ! !

Nothing in any logs.

Do not want to restore from backup, if I can't detect where the problem is.

 

HELP Symantec?

 

.Brian wrote:

I would open a case immediately and get a sample submitted:

http://www.symantec.com/security_response/submitsa...

Also, try running the SymHelp tool:

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

Article:TECH203027  |  Created: 2013-02-21  |  Updated: 2013-05-23  |  Article URL http://www.symantec.com/docs/TECH203027

 

 


Support-mcc wrote:

So I click on the link, and I get a Symantec page saying UNAVAILABLE.  Great!

.Brian wrote:

Which one?

Both are working for me.


Mick2009 wrote:

Hi Jasper and Support-mcc,

There are a lot of threats in circulation that will encrypt documents on a victim's computer and then prompt for a ransom to be paid to unlock them.  In many cases the file extension of Office documents is changed to .crypt or similar, and the author has made it clear how to make contact and pay them.  (There is no guarantee that an unlocking method even exists.  Oftentimes they will just keep demanding more and more money from anyone they have caught.)

Unless you are seeing such a note from the malware author, there's no guarantee that what you are seeing is in fact ransomlock.  Perform a Load Point Analysis check on affected computers using the Symhelp tool, but also make sure that your Adobe or MS product is working correctly.    

Do isolate any affected computers, submit any suspicious files that you find, and (above all) make sure that all of your important materials are backed up.  The defense against these ransomlockers is to block the malicious process.  Any files already encrypted will not be recovered by SEP.

 

With thanks and best regards,

Mick

568628263 wrote:

Hello,

This virus does not ransom our files.  There is no prompt besides the one that says the file format is not recognized.

This virus just corrupts the files.  Virus scans show NO infected computers at this point.  I will try to perform a load point analysis and post the results as soon as I can.  As for the backup, our backup retention period has passed and we no longer have a clean backup.  The symptoms were identified too late.

Any help would be greatly appreciated!!!

Thanks!

Jasper

hawkeye304 wrote:

I am also having the same issue.  Had a user report this issue with files on his C: drive last week.  Then it was reported with files on the server yesterday, and I was told the problem has been there for 2 weeks!  Office files, PDFs and now their QuickBooks files are corrupt.  Not sure what else.  Haven't found any virus yet and no messages wanting money.

MENOWAK wrote:

Had this issue as well this Sunday.  Shared drive on server and local workstation had all DOC, XLS and PDF files corrupted as described by OP.  However, all JPEG files remained unaffected.  Had to restore drives from a recent backup.  It got past Symantec Endpoint Protection with all current updates, but Trojans were detected and cleaned during a full scan on Sunday: Trojan.Ransomcrypt.F, Trojan.Gen.2 and Trojan.Zeroaccess.C.  However, the scan found them too late, after the files were corrupted.

568628263 wrote:

I have submitted the issue to Symantec.  Hopefully I can shed some light on this soon.

I'll keep everyone posted. 

 

Jasper

568628263 wrote:

Symantec thinks it is a crypto locker virus, although there is no indication of this on our network.

However, they said there is no way to recover the lost data.

Does anybody know of any software that can recover corrupt excel, word and pdf files?

Thanks,

Jasper

khuang316 wrote:

Also got several users with the same problem running Windows 7 Pro SP1 with MS Office 2007 and 2010. Updated the engine to 12.8.6.37. The funny thing is that when you open new Office or Acrobat files they open fine.

Kenny

technical1 wrote:

Definitely Cryptolocker.  I had the same issue and it turns out the user's laptop was taken out of the office sometime after he got infected, before the SEP scan picked it up and reported to the console.  As soon as he returned and connected it, SEP caught it on his machine.  Restored all files in the affected share on the file server from backup and cleaned up his PC.

Michael B. wrote:

Have a user reporting CryptoLocker.  There is no known recovery for the encrypted files.  Apparently the user did not get a pop-up screen until after the virus had scanned and encrypted all files it found.  The virus will encrypt all user documents both local and found on network drives.

This user got the screen as shown in the link from the emsisoft.com site below.

http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/

http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/

Does Symantec have a definition set that will detect and block this virus BEFORE it creates damage?

Note suggestions in the thread on bleepingcomputer regarding blocking .exe files from running from %appdata%\*\

Follow the link in the 1st post in the bleepingcomputer forum (see link above), then read down from there.

568628263 wrote:

F_Mill,

 

I tried the SysInfoTools but had no such luck.  Do you know of any other software that might recover these files?

Thanks,

Jasper

angelina410329 wrote:

I happen to know one software which can help you with that.  It can easily recover deleted PDF files, formatted PDF files, etc. Even if your hard disk drive was lost, this software can still recover the PDF file. P.S. it is gratis.

flnycus wrote:

Our office has just been hit by this as well, on Oct 17th. No pop-ups, no demands for money. The computer was turned on in the morning and all Word, Excel and PDF files will not open, just the 'file format not recognized' problem. I'm with Jasper: is there any way to recover the files? The names, extensions and size all appear to be correct. There are thousands of files seemingly encrypted. Emsisoft Decrypter did not work in this case.

 

Thanks.

Mick2009 wrote:

Followers of this thread may be interested in this new blog post from Security Response:

Ransomcrypt: A Thriving Menace
https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

and also these resources:

Additional information about Ransomware threats
http://www.symantec.com/docs/TECH211589
 

Definitely backup all important data regularly, keep your AV definitions up-to-date, and deploy the IPS component of SEP if you are not already using it!

 

With thanks and best regards,

Mick

Yanks299 wrote:

Hello Everyone,

A client just gave me his PC and it was infected with the Crypto Locker virus.  I was able to remove the virus, but it has corrupted all Excel, Word and PDF files.  But it did try to get money from him.  Luckily he did not fall for this scam.  Unfortunately I cannot get to any of his data files except for his pictures.  I will try the SysInfoTools to convert corrupted files and get back to you.  If anyone is able to get their data files fixed, please let me know, because the customer did not have a backup.

 

Thank you

ColmaJa wrote:

I have seen the same with a few users. No pop-ups, no demands, just all .doc, .xls, and .pdf files are encrypted and say the file format is not correct, etc.

 

We think users get this virus via a malicious e-mail. The subject line mentioned something about a 'voicemail' and to open the attachment to listen to the voicemail.

I guess there aren't any real fixes for this yet. Total bummer. 

ecguy wrote:

I am not sure if this is against the terms of the site to post outside links or not but I just saw this and thought it might apply to the conversation.

http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

Once again, not sure if this violates the terms of the site or not, but I have found this can be a useful tool for removing infections from machines; not sure if using this would be a violation of any license agreements either.

http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

DDD Algeria wrote:

We have received two cases this week with the same symptoms but no money ransoms: Word, Excel & PDF files corrupted. The two drives are infected with the Mabezat worm virus, but we know this virus doesn't corrupt files... so it seems the two cases are linked to the Cryptolocker virus.

We are trying to recover files: in case of success we will feed you back

The challenge now is for us, the data recovery companies: is anybody able to recover corrupted files?

Please inform us in case of success!

Disk & Data Recovery -Algeria

Mick2009 wrote:

This new article may be of interest to followers of this thread:

 

Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

With thanks and best regards,

Mick

edwalsh01 wrote:

This has just happened to us, where Office and PDF documents won't open. I found that two of my users got emails from 'voicemail message' that had a .zip file attachment. Once they opened it, all Office and PDF files on the network drives were corrupt.

.Brian wrote:

Revert to backup if you can otherwise, unfortunately, the files are lost.


Analog guy in a digital world wrote:

Greetings all.

Just read an article on MSN.COM regarding this threat.

Author suggested that FRESH and COMPLETE (rather than incremental) outside backups be used as a preventive counter-measure.

This is because some of those data files from incremental backups may be infected and may perpetuate the problem.

I am therefore in the process of buying two ADDITIONAL external fixed disks for backups.  Because I backup about every two weeks, and because MSN reports that it takes about 3 days for this malware to encrypt data files and make its demands, this will provide me with CLEAN backups of my data, application, and OS files that are two, four, and six weeks old respectively. 

Among those data files I will  almost certainly lose some of my recent work (as well as AV updates and Windows updates). 

That's life.

Analog guy

richardwholt wrote:

Volume Shadow Copies on the Windows server saved my bacon. We take 3 per day, at 07:00, 12:00 and 17:05.
It took hours before the AV and anti-malware software providers were able to release an update to recognise the virus on the affected machine, but I could see a huge volume of open files from it, so I knew which machine to isolate.

I can see that these threats from e-mails are going to be a major problem in the future, as the writers could technically send slightly different variants to each mail address attacked to thwart the AV software's response, and because users respond by opening these important-looking messages quickly there will be no protection. As inconvenient as it may be, I would suggest blocking attachments, or using a mail-transport based attachment scanner that can scan inside zip files and remove all zip files with .exe and .com inside them.
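The "huge volume of open files" signal that richardwholt and Support-mcc describe can be turned into a detection. The following is an added example, not code from the thread or from Symantec: it parses file-server audit lines in a constructed format (the field layout, the operation names and the threshold are assumptions) and flags any user/host session that modifies more than a threshold of distinct files inside a one-minute window, which is the session to isolate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit line format, assumed for this example:
# 2013-10-18 09:14:00 user=jsmith host=TS01 op=WRITE path=\\fs01\docs\a.xlsx
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>.+)$"
)
WINDOW = timedelta(seconds=60)
THRESHOLD = 25                              # distinct files per window; tune to the share
WRITE_OPS = {"WRITE", "RENAME", "SETINFO"}  # assumed names for content/name changes


def parse(line):
    """Parse one audit line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(user, host): details} for sessions that modified at least
    `threshold` distinct files within `window`. Lines must be in time order;
    reads are ignored, since an encryptor must write every file it damages."""
    recent = defaultdict(deque)     # (user, host) -> deque of (ts, path)
    flagged = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in WRITE_OPS:
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in flagged:
            flagged[key] = {
                "first_write": q[0][0],
                "tripped_at": ev["ts"],
                "files_in_window": len(distinct),
                "example_path": ev["path"],
            }
    return flagged


def sample_log():
    """Constructed audit log: one terminal-server session rewriting 40 files in
    40 seconds, plus ordinary activity from another user on the same share."""
    base = datetime(2013, 10, 18, 9, 14, 0)
    lines = []
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} user=jsmith host=TS01 op=WRITE "
                     f"path=\\\\fs01\\docs\\report_{i:03d}.xlsx")
    for i in range(6):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} user=akhan host=WS22 op=READ "
                     f"path=\\\\fs01\\docs\\plan.docx")
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} user=akhan host=WS22 op=WRITE "
                     f"path=\\\\fs01\\docs\\plan_v{i}.docx")
    return sorted(lines)    # the timestamp prefix makes lexical order == time order


if __name__ == "__main__":
    for (user, host), info in find_bursts(sample_log()).items():
        print(f"{user}@{host}: {info['files_in_window']} files rewritten between "
              f"{info['first_write']:%H:%M:%S} and {info['tripped_at']:%H:%M:%S}")
```

On a real server the same logic runs over object-access audit events or the file server's open-file list; the point is to alert on the session, not on the file names.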

Mick2009 wrote:

Hi richardwholt,

VSC is an excellent tool. Glad to hear that it helped you overcome this threat. :)

A mail security product is absolutely recommended against the spread of this and related threats.  The following article may be of interest:

Cryptolocker Alert: Millions in the UK Targeted in Mass Spam Campaign
https://www-secure.symantec.com/connect/blogs/cryptolocker-alert-millions-uk-targeted-mass-spam-campaign

An additional reference: Two Reasons why IPS is a "Must Have" for your Network

 

 

With thanks and best regards,

Mick
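richardwholt's suggestion of an attachment scanner that looks inside zip files and drops those carrying .exe or .com content, written out as an added example and not as any product's code: it inspects a zip attachment in memory, flags executables by extension (including the "voicemail.wav.exe" style double extension that the thread's spam used) and by content (an MZ header under a document-like name), and looks one level into nested archives. The extension lists, depth limit and sample attachments are constructed for the example.

```python
import io
import zipfile

EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".mp3", ".txt"}
MAX_DEPTH = 2   # top-level archive plus one nested archive (assumed limit)


def extensions(filename):
    """All dotted suffixes of the base name, lowercased: 'a.wav.exe' -> ['.wav', '.exe']."""
    base = filename.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip(data, depth=0, prefix=""):
    """Return a list of findings. An empty list means nothing executable was
    found, so the attachment may pass the gateway."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or '<attachment>'}: not a valid zip archive"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = f"{prefix}/{info.filename}" if prefix else info.filename
        exts = extensions(info.filename)
        if exts and exts[-1] in EXEC_EXT:
            decoy = len(exts) > 1 and exts[-2] in DECOY_EXT
            findings.append(f"{name}: executable"
                            + (" with decoy double extension" if decoy else ""))
            continue
        content = zf.read(info)          # content check catches renamed binaries
        if content.startswith(b"MZ"):
            findings.append(f"{name}: PE header under a non-executable name")
        elif content.startswith(b"PK\x03\x04"):
            # Nested zip (OOXML documents are zip containers too): look inside
            # up to MAX_DEPTH, otherwise report it rather than wave it through.
            if depth + 1 < MAX_DEPTH:
                findings.extend(inspect_zip(content, depth + 1, name))
            else:
                findings.append(f"{name}: nested archive deeper than inspected")
    return findings


def build_zip(entries):
    """Constructed helper: build a zip in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60   # only the DOS header bytes, not a program

# Constructed attachments: a clean one, a 'voicemail' lure with a nested archive,
# an executable renamed to .pdf, and a non-zip blob.
SAMPLES = {
    "benign": build_zip([("minutes.txt", b"Meeting notes"),
                         ("agenda.docx", build_zip([("[Content_Types].xml", b"<Types/>")]))]),
    "voicemail_spam": build_zip([("VoiceMail_1234.wav.exe", FAKE_PE),
                                 ("inner.zip", build_zip([("update.scr", FAKE_PE)]))]),
    "renamed": build_zip([("invoice.pdf", FAKE_PE)]),
    "garbage": b"not a zip at all",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        findings = inspect_zip(data)
        print(f"{label}: {'BLOCK' if findings else 'PASS'}")
        for finding in findings:
            print("   ", finding)
```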

Geezer1948 wrote:

A month or so ago, as directed by MS Support, I reinstalled my entire suite of Office 2010 products. (I had been receiving messages that my 'free trial' was about to expire, although I had purchased the whole deal 3 years ago). I still have my original disks so they sent me a new product code & I uploaded it, and weird things have been happening ever since.
A) Links in emails and in word documents no longer work, instead, giving me a message [General failure. The URL was: "*.*" Application not found.] Have been able to work-around by copying the hyperlink and pasting in IE. (Ironically, email links still seem to work.)
B) Then I started having a problem when returning to Outlook after going elsewhere on the net. I'd return to my original email or document only to get a message that the page was no longer available because it was "changed or altered by another user"! I am the only user, so this was clearly BOGUS, but was again able to work-around by closing & reopening Outlook.
C) Now I am finding that new text I type into the body of a new or reply email comes out in a 1 or 2 point font, which I can barely read. Yes, I can HIGHLIGHT the text and update the font to 20 or so to get a readable message, but I don't yet know what my recipients are seeing at the other end.

If anyone can help me with any of these issues, I will be very grateful.
Thanks,
Dan

Curtis Anne wrote:

Howdy,

Word may have automatically saved your file. When you start Word the next time, if any AutoRecover files were found, the results will be displayed in the Document Recovery pane. The AutoRecover options for Word 2007 are below:
1. Click the Microsoft Office Button, and then click Word Options.
2. In the Navigation Pane, click Save.
3. In the AutoRecover file location box, note the path, and then click Cancel.
4. Close Word.
5. Open the folder that you noted in step 3.
6. Look for files whose names end in .asd (AutoRecover files).
7. If you find the Word document that you are looking for, double-click it to open it.
8. Save it immediately.

For other types of Word format I do not know, but you can trust Quick Recovery for Word Data Recovery Software developed by Unistal Systems. It is skilled enough to recover all types of possible recovery.


Curtis Anne | INDIA

Software Consultant

Osbert wrote:

Guys, I really need your help. My computer was attacked by the virus and it corrupted all my Office and PDF documents. I can't open them. What can I do? Please help. Below is the error I got on my screen, all in RED color.

Cryptolocker Alert

568628263 wrote:

I'm sorry but I don't believe there is any recovery from this.  I have tried all types of solutions to recover corrupt files but not one of them worked. 

I'm convinced that Symantec does NOT protect us from this virus because I upgraded Symantec Endpoint to the latest version, turned on every possible feature to protect us, and we just got hit again 4 days ago.  Fortunately, we had a full backup right before we were hit so I was able to restore our files.

I'm sorry to say but I think it's a lost cause.

Haflar wrote:

I have a similar problem. After saving a Word document, it can be opened for a short while afterwards. But after a certain amount of time, it becomes corrupted. The same thing goes with "saved files" in games (the files cannot be loaded) and the files in the program "Maple". When opened in Maple, it sees the document as a text file, and once opened, a lot of characters and numbers are shown. I have had the problem for a while now, but somehow, one day, all documents and saved games could be opened, but once my computer was shut down, the problem appeared again.
I have made several virus scans, but it has found nothing. After following the previous instructions in this thread, I have also tried to run a SYMHELP scan, and yet nothing was found.

Can anyone help me in any way?

Regards

carolcarol wrote:

Yesterday I had the same problem, but its name is CRYPTORBIT. Oh God, I cannot open Word or PDF and ... files. Please, someone help me.

(attached screenshot: HOWDECRYPT.GIF)
JUSTICE wrote:

@CarolCarol,

What version is your SEP client software? Are we talking about a managed or unmanaged SEP endpoint? Please advise ASAP. I have to assume, with the alert posted, that IDS/IPS (if managed) was not configured by your SEPM admin(s).

Marcus Sebastian Payne
"So cyberspace is real. And so are the risks that come with it."
- President Barack Obama

Mick2009 wrote:

Hi CarolCarol,

Cryptorbit is one example of the ransomware variants currently in circulation.  Samples have been submitted to Symantec Security Response and protection is available in current definitions. Can you provide more information about your infection? 

The following article may be of interest:

 

Recovering Ransomlocked Files Using Built-In Windows Tools
https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

Many thanks,

Mick


SameerU wrote:

Hi

This morning we observed the same issue. Can anyone tell us how we can resolve it at the earliest?

Regards

 

Mick2009 wrote:

Hi SameerU,

Symantec added detection for "Cryptorbit" about 3 weeks ago.  Initially this was called Trojan.Cryptolocker.C, then later renamed Trojan.Nymaim.B.

IPS protection is also available: System Infected: Trojan.Ransomlock.AJ

As with all threats, new variants are always appearing (1.5 million new threats in circulation every day), so definitely submit any currently-undetected suspicious files to Security Response for examination!

Ensure that all endpoints have up-to-date protection, IPS and other components enabled, and that all machines are patched and have a working backup schedule for important data.

The Day After: Necessary Steps after a Virus Outbreak
https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

Hope this helps!

Mick

 


.Brian wrote:

If you have a backup, you can restore from that. Otherwise, it's likely that those files are gone (assuming you don't pay the ransom --- Don't!)


Elies_1969 wrote:

I faced this issue many times because of my heavy download hobby, but I found a brilliant solution to face it here: http://www.onlinedatarecoverysoftware.net/windows-data-recovery.html

Now I am downloading many things without any fear.

creativegb wrote:

I am using Windows XP (SP3) and Avast Free Anti Virus. Suddenly, I received a Message from my Avast Anti-Virus application that it has attached a 'small Note' to an uploaded file -- whereas I had never uploaded any file that day. This was probably the stage when Cryptolocker uploads the User’s information (User’s Account Name under ‘Documents and Settings’) and also a cryptographic key to a server online.

When Cryptolocker was still encrypting my files (silently behind the scenes) I switched off my PC -- not knowing anything about the said Viral Attack.

Upon reboot, the first indication that something was amiss was given by the missing Desktop Wallpaper. When I went to 'My Pictures' folder I found that no 'preview' of images in this folder was available; moreso, Desktop ‘Display Properties’ window (for fixing the missing wallpaper) also crashed.  At this stage, I found that almost ALL ‘.exe’ files failed to open, including my Avast Free Anti-Virus. 

The only hint of what was wrong was an Error Message about 'file permissions' -- when I opened Properties in ‘My Pictures’ folder => Security tab I found two new 'Account Unknown' entries at the Top of the List of Owners, and these had inherited the 'permissions' from a higher level of folder than 'My Pictures' (i.e. from the current User under ‘My Documents and Settings'). So, I first broke the chain of 'inheritance' from parent folder, and then DELETED the said two new Owners -- from the topmost folder upto ‘My Pictures’.

To view a missing Security tab, open Folder Options in Control Panel. Click Start, and then click Control Panel. Click Appearance and Themes, and then click Folder Options. On the View tab, under Advanced settings, clear ‘Use simple file sharing [Recommended]’.

Since I was repeatedly getting an Error Message about Adobe, it was suspected that the external server connection was being established through Adobe. Hence, I DELETED Adobe Updater from the following Registry entry:

HKEY_CURRENT_USER => Software => Microsoft => Windows => CurrentVersion => RunOnce

Thereafter I used the simple steps for restoring file association for ‘.exe’ files, and for previewing images, e.g.

i) regsvr32 %systemroot%\system32\shimgvw.dll

ii) Click Start, and then click Run. Type "command.com", and then press Enter. (A DOS window opens.) Type the following, pressing Enter after each one:
    "cd\"
    "cd \windows"
Now type/copy "regedit.exe regedit.com" and then press Enter.
Type "start regedit.com" and then press Enter.
Navigate to, and select the key:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
In the right pane, double-click the (Default) value.
Delete the current value data, and then type:
    "%1" %*
Tip: Type the characters: quote-percent-one-quote-space-percent-asterisk.
Close the Regedit utility.

Ran Kaspersky online Virus scan and, thereafter, my Avast Antivirus (both Quick Scan and Boot-time Scan).

Since I regularly backup my important Documents on DVDs, I restored the same on my PC from the backup.

Hope this helps those affected by Cryptolocker.


lydia linton wrote:

hi,

Viruses really create frustrating problems. They are like an obstacle which prevents us from doing what we are doing. If your PDF file has got corrupted then you must use PDF Repair Tool. This tool provides a complete solution for repairing and recovering your corrupted PDF file. I had earlier used this tool and it provided me effective results quickly.

jonysunami wrote:

A virus is a very dangerous thing for every computer's software, and the big reason for file corruption. By the way, I have a great solution to this problem: try a third-party PDF file repair tool, which repairs any type of corruption in PDF files. The best choice is Kernel for PDF file repair tool; try it.