cejdasan Posted July 5, 2018 ID:1254763 Share Posted July 5, 2018 (edited) We had recently problem with our server as it got encrypted and ransom was asked for. We since reinstall it and rebuilt it from back-ups. In the search where the problem come from we identified the possible problem on an old Windows XP machine which we use for legacy compatibility issues with our CNC router as the software which drives the router is incompatible with any higher version of Windows. Malwarebytes found Trojan.Injector.AutoIt exploit and removed it (report attached). When I was looking to find out what this exploit allowed the attacker to do with other computers on the network I did not find much info about it. The guy who we contract to take care of our computers left me a note in Notepad (session was dealt with remotely through TeamViewer) which read this: ''AutoIt is quite safe - but scriptkiddies use it to write malware....'' I later found that it is partial reply from post on AutoIT website where false positive is discussed in relation Malwarebytes detecting the AutoIT.exe file as potential threat and I was somewhat disappointed with our network administrator answer in regards of the malware detection. The machine is now barred from accessing internet but is stil connected to intranet to get access to machining files otherwise we would need to physically save it on USB stick and carry the files to it and then take the programmed machining files again back so they can be archived for futer use. Could you comment on Trojan.Injector.AutoIt detection and what it could possibly allow the attacker to do? Could you also comment whether the PC with Windows XP SP3 is safe on an intranet network while it's network card MAC address is prevented by router from accessing the internet? MalwareBytes Report.txt Edited July 5, 2018 by cejdasan spelling errors Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted July 10, 2018 Root Admin ID:1255759 Share Posted July 10, 2018 Hello @cejdasan and Sorry for the delay This is a left over from what looks to be Cryptowall variant infection. Not sure if it got files from your server or it was the one infected and attacked shares on the server. They are harmless text files. The infection would appear to be gone. If you run across files like "help_your_files.png" you can just delete them. Then current name we use is a bit misleading is all. Thank you Ron Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted July 10, 2018 Root Admin ID:1255780 Share Posted July 10, 2018 There is a tool for removing Ransom notes. One of my colleagues reminded me of it. https://www.bleepingcomputer.com/download/ransomnotecleaner/ Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted July 21, 2018 Root Admin ID:1257918 Share Posted July 21, 2018 Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts