So,
My windows server box at home got hit, tonight, by a virus/spyware/malware.
In C:\program files (x86)\ I found this new directory: "1C", containing a "boot.exe" executable, which was of course running at the time of the discovery, and had been placed among the executables to be run at system boot.
I stopped it and removed it immediately, but in the rush I was silly enough not to keep it for further analysis.
Apparently, what the malware has been doing since 2:00am tonight circa, until 9:00am circa when I discovered it, is to either delete or encrypt files in various locations of my file system.
It did not hit C:
It hit G:, where my web and ftp servers are running from.
It apparently started to hit K:, which is another unit where I keep some files.
It's leaving traces (See below), so it seems it started from G: and operated progressively in every dir in alphabetic order, only to move to K: and start form the first directory, where it stopped (apparently consistent with the time when I stopped boot.exe from running).
Apparently it deletes *.JPG files, possibly others (I'll find out tonight as I get back home and start to restore the missing files).
It also leaves this files in each of the directories it hits:
[email protected] 1.2.0.0.id-IJKLLMNOOPQQQRSTUUUVWWXYZZZAABCDDDEF-2@11@2016 1@51@54 AM8203103.randomname-TUVVWXYZZZABCCDEEEFGGHIIIJKKLM.NNN.cbf
The first part of the file name is always the same (up to "ver"), the rest changes. Extension is also always the same: CBF . Finally, size is also varying, from few kb to hundred of MB, which seems to suggest that those are my files, encrypted in some way.
Fortunately, it seems I stopped it before it did too much damage - I do have current backup of all files it hit -. But, I am concerned for few reasons:
1. I have not identified which Trojan/virus/ransomwhare this is, precisely
2. I am not 100% sure I have yet removed it completely from my system. Not knowing what it is, I do not know what else to look for
3. This is really worrying: my window sever box is updated to the minute. Id downloads and installs updates as soon as they are released, automatically, and it did reboot tonight around 3:00am, so right AFTER the boox.exe file had been placed on the HDD. Unfortunately, too late.
This machine is exposed to the internet via IIS (web and ftp servers) and RDP, via ports 80, 21, 22, 443, and 3389). All other ports are closed both on the server and on the edge router in my home. I did not run anything suspicious on the server, now have I been browsing the internet from it for weeks. So, how did the malware get there?
MS has issued security updates/bulletins yesterday. I wonder if those are related to this.
What do you guys think? Any help in sorting this out is more than welcome.