22 February 2012
We encountered a nasty virus last night, which kept us busy through today. A Windows 2003 SBS box was the victim. Booting to normal mode resulted in a splash screen titled "ACCDFISA Protection Program", followed by a few paragraphs written in broken English claiming the server had been infected with a virus that was causing it to send spam mail. As a result, the ACCDFISA, or the "Anti Cyber Crime Department of Federal Internet Security Agency", had locked down the machine and would be happy to unlock it for $100 or 100 Euros. A phone number and PayPal information were also present in the message. Out of curiosity I tried the number. It is a Google Voice number, which leads to a recording of a woman with a European accent alerting you that all ACCDFISA representatives are currently busy. I'm sure they are, as it takes time to be an *******.
We were unable to boot to safe mode, and attempting to access Task Manager on a normal boot was in vain. The virus would not allow a full boot to the desktop. Task Manager never appears when trying to launch it from Ctrl+Alt+Del. When shutting down, the desktop, Task Manager, etc. would appear for a moment as the machine is going down.
A Google search returned absolutely no results for the virus. 24 hours later, I now see one other report of it on Google. Fortunately our AV vendor, GFI Vipre Anti-Virus, took ownership of the issue. By booting the server to a mini XP image, their Critical Response Team was able to access the box and clean the registry.
The virus removes your Safe Boot registry hive, which is why you won't be able to get to safe mode. To add insult to injury, it encrypts document, spreadsheet, PDF files, etc. with AES encryption. You might find a way to crack the encryption, but we chose to restore the files from backup.
The virus will change your IP address to a 172.168.x.x scheme, which makes the box inaccessible over the network. It also makes it inaccessible from the outside while the infection is active, so I suppose that is a bright side.
If you are able to access the registry through a mini XP or similar utility, and you are familiar with working in the registry, the executables causing most of the problems are
Originally the Vipre team identified the virus as a variant of FakeVimes, or ransomware. However, they stated this was much more aggressive and malicious. Vipre took the necessary samples from the machine in order to release a proper update.
After dismantling the virus through the registry, we were able to import a Safe Boot registry hive from another SBS 2003 box.
You should never attempt registry modification unless you understand the registry and have experience modifying it.
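As an added example (not from the original post, Vipre, or the malware author), here is a PowerShell triage script that checks for the two symptoms described above, a gutted Safe Boot hive and an adapter pushed into the 172.168.x.x scheme, and notes the reg.exe export/import used to bring a Safe Boot hive over from another SBS 2003 box. The function names, the entry-count threshold and the file name safeboot.reg are my own assumptions.

```powershell
# Added triage script, not from the original post. Assumes PowerShell on the
# affected box (or a healthy SBS 2003 donor); the SafeBoot key path is the
# standard one and 172.168.x.x is the scheme the post reports.

$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Test-SafeBootHive {
    # A healthy SafeBoot hive has Minimal and Network subkeys, each listing the
    # drivers and services allowed in safe mode. Missing or near-empty means
    # the machine cannot boot into safe mode, exactly as the post describes.
    foreach ($sub in 'Minimal', 'Network') {
        $path = "$safeBoot\$sub"
        if (-not (Test-Path $path)) {
            Write-Warning "SafeBoot\$sub is missing: safe mode will not boot"
            continue
        }
        $count = @(Get-ChildItem $path).Count
        Write-Host ("SafeBoot\{0}: {1} entries" -f $sub, $count)
        # Threshold of 10 is an assumption; a stock hive has far more entries.
        if ($count -lt 10) { Write-Warning "SafeBoot\$sub looks gutted" }
    }
}

function Test-RansomIpScheme {
    # Flag any enabled adapter whose IPv4 address was pushed into 172.168.x.x,
    # which is what cut the box off from the network during the infection.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            foreach ($ip in @($_.IPAddress)) {
                if ($ip -like '172.168.*') {
                    Write-Warning ("{0}: {1} matches the 172.168.x.x scheme" -f $_.Description, $ip)
                }
            }
        }
}

Test-SafeBootHive
Test-RansomIpScheme

# Repairing a gutted hive the way the post describes, after the malicious
# registry entries have been removed, using a donor box of the same OS:
#   on the healthy SBS 2003 box:  reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg
#   on the cleaned box:           reg import safeboot.reg
```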
If you have an AV vendor, contact them regarding a resolution to the problem.
If you have any questions, feel free to contact us.
The virus actually wiped out the Exchange database as well. It just did a permanent delete on it. Awesome! Luckily this client was only using a shared calendar through Exchange and nothing else. We had a backup to tape, as well as the ability to export the Outlook mailbox/calendar to a PST, to recover it. Others may not be so lucky. I have read reports where the virus is deleting backups which are stored to NAS/hard drives instead of tape.
It also appears as though the attacker is posting bogus decryption keys in support forums to help prolong the damage. The instructions are to put the bogus keys into the "decryptor" program (supplied by the virus). Reports are that the encrypted files are deleted instead of decrypted. The decryptor may also be reinstalling the virus.
Stay classy *******.