Malware encoded Word and PDF files - recovery question

Hi everyone,


First time poster here and I thought I'd see if anyone in this community has had to deal with a similar issue and recover from it.  Let me just say that the malware that caused this issue has been removed and dealt with and is no longer an issue.  It is the cleanup process that I'm interested in.


One of the users on our corporate network received a zip file that contained some malware that slipped through our AV protection.  He of course thought it was legitimate and opened it up and then realized his mistake.  He noticed soon after that Word and PDF docs on his desktop became encoded and unreadable, with Word prompting for the proper encoding to display the file.  Adobe Acrobat simply said the file was damaged.


After discovering this, isolating the file and removing it, we also noticed that the malware had scanned a network drive and began changing files on this network drive.  Thankfully we caught it and stopped it before it did a whole lot of damage.  I've been able to restore most files from backups but there are some that we cannot restore and now have some unreadable files.


The malware itself was detected as a "Trojan.dropper" but otherwise MBAM and McAfee AV gave no specific name.  It was located in the following directories (win 7) and had the following file names





The 2nd file ran as a background process and when attempting to Taskkill the open process by ID number, it prompted a message on screen with the famous line from the Terminator movie, "I'll be back."  I laugh about it now, but it wasn't funny at the time (smart @$$ hacker).


It also wrote entries to the registry under HKEY_CURRENT_USER in both the Run and RunOnce keys so that it would load on startup.  With the process running, it would automatically recreate the registry entries if you tried to delete them.


So that's the malware info.  Now for the damage it did.


At first I thought it might be one of those new Crypto viruses that encrypt files using high-level encryption and ask for a ransom to get the key to unlock all files.  It's not one of those, thankfully.  This piece of malware actually changes the contents of Word and PDF files, changing the encoding to display in what looks to be Asian characters of some kind; according to Google Translate, it's Korean.  I can provide a plain-text sample if anyone wants to check it out.


I can open the Word files in plain text by changing the encoding type, which shows the Asian characters.  So the files are accessible, only changed.


What I wanted to know is:


Has anyone experienced this type of malware before?  Searching online has not yielded very much information.


Does anyone have a good method of recovering files like this and reverting them back to their original form, or at least recovering the data?  I'm looking at a few different types of software, but so far tests have not worked.


My fear is that the actual text has been deleted and replaced but my hope was that it was just changed and may be possible to recover.  I translated a document on Google translate, which told me the language was Korean but all it came back with was more symbols in the translation.


Any tips or information you might have would be helpful.  Thanks!


I haven't either and there's no information I can find about it online or something similar.  In a way that's good, then maybe this thread will help someone.


Tested the Panda software and as expected, it didn't work as the files are not encrypted.  I've never used Shadow Explorer but just using Windows native restore process takes care of restoring Shadow copies.  But if necessary, I'll give it a look.  Thanks.
