"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
PE file infectors are some of the most damaging viruses you will come across. They work by adding a copy of themselves to executable files on a computer and/or remote source.
Removing them can be very difficult. Please follow the steps below.
Applies to the following Sophos product(s) and version(s): Sophos Anti-Virus for Windows 2000+; Sophos Anti-Virus for Windows 95/98
Operating system: Windows
As briefly mentioned above, PE infector viruses add a copy of themselves to executable files, including (but not limited to) .exe and .scr. Once a computer becomes infected, the virus can spread very quickly to other machines. The more computers are infected, the harder it is to remove.
Generally, an unprotected computer is infected by the virus first. Once the infected files are run, they will be running in memory and so will the virus. As it comes across the other executable files on the computer, it will infect them as well.
Note: Executable files will not be infected if write permissions are denied.
In a lot of large networks, some applications are run directly from the file servers. If an infected computer (Computer-Zero) attempts to run the remote files, they will become infected. The next time a clean computer (Computer-One) runs that file, that file will be able to infect all of Computer-One's files and any other remote files it comes into contact with.
Obviously, on large networks such as the example above, the virus would be able to spread very quickly. Please note that this also means any removable media will be infected if plugged into a computer running the viral code.
If you are using an Enterprise Console or Sophos Control Centre you will be able to see and generate infection reports of managed computers. Please note that if a computer has not been protected/managed by the Enterprise Console/Control Centre you will not know its status. It is therefore very important to keep your computers protected and monitored.
Any computer with a PE infector-type virus should be disconnected from the network immediately to prevent further damage to the network. This includes servers, as many clients will connect to servers and be at risk.
Note: File infectors 'infect' files, so the files will need to be disinfected. Please ensure you do NOT use -remove or delete.
Generally there are 3 levels:
This will depend on the level of infection (see step 3 above). Log on as an administrator and perform the following on the infected computer(s), ensuring that you unplug them from the network before you start:
You will need to use SAV32CLI within Safe Mode to disinfect the files. Safe Mode has fewer system and application files running, so cleanup of the files will be easier.
To create the SAV32CLI CD, please see the following article: Disinfecting PE executables using SAV32CLI. You will need to customise the scan slightly with the following:
Place the CD you made in the CD drive (D: in this example).
SAV32CLI -PUA -EXCLUDE * -p=%TEMP%\SOPHOS_MEMLOG.TXT
If SAV32CLI comes across an infected file that is still running it will output something similar to below:
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe:pid:000014e8:file
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe:pid:000014e8\FILE:0000
You will need to open Task Manager or Process Explorer and end all of the running processes mentioned in the SAV32CLI scan results. Once you have closed these running processes you will need to start the scan again with the following switches. SAV32CLI will now be able to disinfect the previously locked files.
SAV32CLI -DI -P=C:\LOGFILE2.TXT
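As an added example (not Sophos code), the following Python script can be run on a clean workstation against a copy of the first scan's log to list which processes need ending before the -DI scan. It assumes the pid field is hexadecimal, as the 000014e8 in the output above suggests, and converts it to the decimal PID that Task Manager displays; the sample log is constructed.

```python
import re

# Constructed sample, modelled on the SAV32CLI output quoted in the article.
SAMPLE_LOG = r"""
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe:pid:000014e8:file
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe
>>> Virus 'W32/Vetor-A' found in file C:\Windows\explorer.exe:pid:000014e8\FILE:0000
>>> Virus 'W32/Vetor-A' found in file C:\Program Files\App\tool.exe
"""

DETECTION = re.compile(r"^>>> Virus '([^']+)' found in file (.+?)\s*$")
# A running image is reported as <path>:pid:<8 hex digits>[:file | \FILE:nnnn]
PID_SUFFIX = re.compile(r"^(.+?):pid:([0-9A-Fa-f]{8})(?:[:\\].*)?$")


def parse_detections(log_text):
    """Return (running, on_disk): image path -> decimal PIDs, and file-only hits."""
    running, on_disk = {}, set()
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # banner, summary and blank lines
        target = m.group(2)
        mem = PID_SUFFIX.match(target)
        if mem:
            # Assumption: the pid field is hexadecimal (e.g. 000014e8 -> 5352).
            running.setdefault(mem.group(1), set()).add(int(mem.group(2), 16))
        else:
            on_disk.add(target)
    # Files that are also running stay locked until their process is ended.
    return running, on_disk - set(running)


def kill_list(log_text):
    """Sorted (pid, image path) pairs to end before re-running the -DI scan."""
    running, _ = parse_detections(log_text)
    return sorted((pid, path) for path, pids in running.items() for pid in pids)


if __name__ == "__main__":
    for pid, path in kill_list(SAMPLE_LOG):
        print(f"end PID {pid} ({path})")
    print("not running:", sorted(parse_detections(SAMPLE_LOG)[1]))
```
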
You should repeat the scan on the computer until no further infections are found. If core system files (i.e. files that cannot be killed easily, such as services.exe) have been infected you are best off replacing such files using Windows Recovery Console and a CD of the operating system as you will not be able to disinfect these within Safe Mode with SAV32CLI.
File infectors commonly misinfect files, breaking them, so even if they are disinfected they will still not work. Any files left over after the disinfect scan should be replaced from a clean copy.
If you are having trouble with this, or there are too many files to replace, please contact Sophos Technical Support and forward a copy of the LOGFILE2.TXT created by the SAV32CLI scanner.
Only connect computers that are fully clean, otherwise the infection could re-occur and continue spreading.
Removable media can be easily infected by these types of viruses and if you are not careful the virus can be reintroduced into the network on such devices. If the Sophos on-access scanner is active and set to on-read it will prevent such files from executing. However, if such a device is plugged into an unprotected computer you could end up back at square one.
You should ensure that all removable media is thoroughly cleaned before it is allowed back into general use. We would recommend that you have a policy in place to check all media before it is used on machines - a scan from a Sophos protected Linux, Mac or isolated Windows computer would be the safest way of doing this.
Sophos Endpoint Security and Control customers may find the Device Control functions useful for restricting the use of removable media. Please refer to the product documentation for more information.