These instructions describe what to do on receipt of a Zombie or Spam alert email, and how to clean up the affected Windows computer.
Note: ZombieAlert can be configured to send you the sample message as seen by SophosLabs.
Applies to the following Sophos product(s) and version(s): Sophos Anti-Virus for Windows 2000+
Upon receipt of a Zombie or Spam alert email, as the administrator, you must first identify which system on your network has generated this alert. The IP address in the email is the external IP address, and you will need to look within your own firewall, core switch, or network appliance, to map that external address to the system's internal address.
Any systems listed on the alert that have a publicly facing IP will be easy to identify.
If the internal system's IP address is behind a network device that performs NAT, you will need to review the network device routing table to map the external IP address to an internal IP address. You should refer to your network device documentation to perform this step correctly.
Once you have identified the internal IP address, you will need to use your internal resources to find the computer's location. One way to locate where a node is plugged in is to look at the network switch logs.
All organizations have different methods of identifying where their systems are physically located; use the method that best suits your environment.
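As an added example (not part of the original Sophos article), the Python sketch below narrows down which internal host was using the alerted external IP address around the time of the alert by filtering NAT log entries. The log format, the addresses, the choice of outbound port 25 as the traffic of interest, and the assumption that log and alert timestamps are both UTC are all constructed for illustration; adapt the pattern to what your own device records.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in a hypothetical NAT log format (not a real product's);
# adapt LINE_RE to whatever your firewall or gateway actually writes.
SAMPLE_LOG = """\
2017-05-20T09:58:12Z nat src=10.0.4.17:49211 xlate=203.0.113.10:31002 dst=198.51.100.25:25
2017-05-20T10:01:40Z nat src=10.0.4.17:49230 xlate=203.0.113.10:31017 dst=198.51.100.77:25
2017-05-20T10:02:03Z nat src=10.0.2.5:50122 xlate=203.0.113.10:31020 dst=192.0.2.80:443
2017-05-20T10:03:55Z nat src=10.0.9.9:25011 xlate=203.0.113.11:40001 dst=198.51.100.25:25
2017-05-20T10:04:10Z nat src=10.0.1.2:41000 xlate=203.0.113.10:31044 dst=198.51.100.90:25
2017-05-20T13:30:00Z nat src=10.0.2.5:50300 xlate=203.0.113.10:32000 dst=198.51.100.25:25
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) nat src=(?P<src>[\d.]+):\d+ "
    r"xlate=(?P<ext>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+)$"
)

def internal_candidates(log_text, alert_ip, alert_time, window_min=30,
                        dport=25, expected_senders=()):
    """Rank internal IPs that left via alert_ip on dport near alert_time."""
    lo = alert_time - timedelta(minutes=window_min)
    hi = alert_time + timedelta(minutes=window_min)
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of failing
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # malformed timestamp
        if m["ext"] != alert_ip or int(m["dport"]) != dport:
            continue  # different external address or different service
        if not lo <= ts <= hi:
            continue  # outside the window around the alert
        if m["src"] in expected_senders:
            continue  # e.g. the mail server; review its own logs separately
        hits[m["src"]] += 1
    return hits.most_common()

if __name__ == "__main__":
    alert = datetime(2017, 5, 20, 10, 0, 0)  # constructed alert time, UTC
    for ip, n in internal_candidates(SAMPLE_LOG, "203.0.113.10", alert,
                                     expected_senders={"10.0.1.2"}):
        print(f"{ip}\t{n} outbound port-25 connections via 203.0.113.10")
```

A workstation that appears in this list is a candidate for the scan and cleanup steps that follow; the same filter can be re-run after reconnecting the computer to confirm the traffic has stopped.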
Once the computer has been located you should ensure the computer:
If SAV is installed and up to date: Disconnect the computer from the network and run a full scan on the computer, either from the central console or locally. If SAV is not installed or has not updated recently, you should attempt to install and/or update it now. However, if this is problematic, consider using:
Note: Before running a scan, it is recommended that you disconnect the computer from the network and leave it disconnected until you have scanned the computer, cleaned up any threats found, and completed step five below.
Remove any files that may have required a reboot for cleanup to complete or that were locked during the scan, as described in the knowledgebase article on removing problem files.
Check that the computer is up to date with Windows security patches. For example, refer to an up-to-date computer on your network and compare the hotfixes loaded. Alternatively, check with Windows Update or the Microsoft Baseline Analyzer. After you have identified which security patches are missing, download them from Microsoft, put them on a CD or USB drive (locked), and install them.
Once you are satisfied with the state of the computer you should reconnect it to the network.
Monitor this computer and your network firewall, and similar equipment, to make sure there are no further unknown port communications, or other suspicious behavior occurring.
If you encounter further problems, contact technical support saying that you are using these instructions, and which step you are having difficulty with.