Cryptolocker for Terminal Servers

Posted on 12-Dec-2015

DESCRIPTION

About the crypto virus

TRANSCRIPT

Page 1: Cryptolocker for Terminal Servers

This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.

1

CRYPTOLOCKER PROTECTION ON TERMINAL SERVERS

Dangerous new virus

This is a follow-up to the prior document warning about CryptoLocker. This virus also impacts Terminal Server environments, and so the group policy that helps block its spread needs to be set up slightly differently.

Figure 1 - Encryption warning on screen

Actions to take on Terminal Servers

Even on a Terminal Server your clients are at risk from CryptoLocker or other encryption malware that attacks the user profile.


Mere antivirus may not detect these. You may need to use a third-party tool such as Microsoft Safety Scanner to stop it from running. Many times they are located in the user profile AppData folder.

It will typically target Office documents as noted on the Excel blog:

"Excel cannot open the file [filename] because the file format or file extension is not valid." opening Office

files - The Microsoft Excel Support Team Blog - Site Home - TechNet Blogs:

http://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2013/09/07/quot-cannot-

open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx

There is currently an ongoing situation where users may encounter an error when trying to open Office documents. The error can happen opening any Office file type, not just Excel files. For Excel file types, the error says: "Excel cannot open the file [filename] because the file format or file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file."

For Microsoft Word, the error may read differently: "The file cannot be opened because there are problems with the contents" or "The file [FileName] cannot be opened because there is a problem with the contents".

We have confirmed that this can also affect PowerPoint files, AutoCAD files and JPEG images.

This problem has been confirmed to be caused by malware on the affected machine. There are now two known variants of malware which cause this problem: Win32/Crilock.A and Win32/Buma!rts. They have both been identified as a new family of ransomware.

In order to clean your machine, run Microsoft Safety Scanner (http://www.microsoft.com/security/scanner/en-us/default.aspx). If infected, Safety Scanner should clean the virus from the system, however it will not repair corrupted files. You will still need to restore those from a backup. A detailed analysis of affected files submitted to Microsoft for investigation has revealed the files are encrypted with a private and public key. The files cannot be recovered without the private key, which is more than likely held by the attacker. The premise of ransomware is such that if a person pays the ransom the key is provided to "unlock" the files.

Other resources:

Microsoft Word Support Blog: http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx

Microsoft PowerPoint Support Blog: http://blogs.technet.com/b/bgp/archive/2013/09/09/3595491.aspx


Proactive steps to take

You can use Software Restriction Policies to block executables from running when they are located in the %AppData% folder, or any other folder.

File paths of the infection are:

C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)

C:\Documents and Settings\User\Application Data\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe
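To find executables already sitting in those locations across every profile on a server, and any process currently running from one, here is an added PowerShell triage script. It is not part of the SMBKitchen document. It assumes you run it as an administrator on the RD server, that profiles live under C:\Users (Vista and later) or C:\Documents and Settings (Server 2003), and it flags a GUID-style file name like the one above only as a hint for triage, not as proof of infection. The function names (Get-AppDataExecutable, Get-AppDataProcess, Get-Sha256) are the example's own.

```powershell
# Added example (not from the SMBKitchen document): list executables dropped
# directly into each profile's AppData\Roaming (the location this document gives
# for the dropper) and any process currently running from such a location, for
# triage on a suspect RD server. Run as an administrator. The profile roots and
# the "Application Data" name for Server 2003 are assumptions; adjust them if
# your profiles live elsewhere (for example on a separate drive).

function Get-Sha256 {
    param([string]$Path)
    # .NET hashing rather than Get-FileHash so this also works on PowerShell 2.0
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = $null
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', ''
    } catch {
        # A running dropper may hold the file open; report rather than abort
        "UNREADABLE: $($_.Exception.Message)"
    } finally {
        if ($fs) { $fs.Close() }
    }
}

function Get-AppDataExecutable {
    param(
        [string[]]$ProfileRoot = @('C:\Users', 'C:\Documents and Settings'),
        [switch]$IncludeLocal
    )
    # Top-level AppData folders only: the document's paths show the .exe dropped
    # straight into Roaming / Application Data, not into a subfolder.
    $relPaths = @('AppData\Roaming', 'Application Data')
    if ($IncludeLocal) { $relPaths += 'AppData\Local' }

    foreach ($root in $ProfileRoot) {
        if (-not (Test-Path $root)) { continue }
        $profiles = Get-ChildItem $root -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
        foreach ($profile in $profiles) {
            foreach ($rel in $relPaths) {
                $dir = Join-Path $profile.FullName $rel
                if (-not (Test-Path $dir)) { continue }
                $exes = Get-ChildItem $dir -Filter *.exe -Force -ErrorAction SilentlyContinue |
                        Where-Object { -not $_.PSIsContainer }
                foreach ($exe in $exes) {
                    New-Object PSObject -Property @{
                        User     = $profile.Name
                        File     = $exe.FullName
                        SizeKB   = [math]::Round($exe.Length / 1KB, 1)
                        Modified = $exe.LastWriteTime
                        # GUID-style name like the sample path above: a hint, not proof
                        GuidName = [bool]($exe.Name -match '^\{[0-9A-Fa-f-]+\}\.exe$')
                        SHA256   = Get-Sha256 $exe.FullName
                    }
                }
            }
        }
    }
}

function Get-AppDataProcess {
    # Processes whose image lives anywhere under a profile's AppData / Application Data
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -match '\\(AppData|Application Data)\\') } |
        Select-Object Id, ProcessName, Path, StartTime
}

Get-AppDataExecutable | Format-Table User, File, SizeKB, Modified, GuidName, SHA256 -AutoSize
Get-AppDataProcess    | Format-Table -AutoSize
```

Keep the SHA256 values with the incident notes: they let you check the same sample against a scanner or a later machine without copying the file around, and the process listing tells you which profiles need to be logged off before cleaning.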

First we need to build a WMI filter so that the policy only applies to Terminal Servers.

You could put your Remote Desktop Servers in a specific Organisational Unit and link your Group Policies there, or you could create a WMI Filter that filters by name, i.e.

SELECT * FROM Win32_ComputerSystem WHERE ((Name = 'RDSERVER01') OR (Name = 'RDSERVER02'))

Alternatively we can call the WMI Filter against the root\CIMV2\TerminalServices Namespace:

Select * From Win32_TerminalServiceSetting Where TerminalServerMode=1

Go down to the WMI Filters section and add a new WMI filter.

Figure 2 - Set up new WMI filter

Describe the filter.


Click on Add to add the new filter.

In the namespace section add:

root\CIMV2\TerminalServices

In the query section add:

Select * From Win32_TerminalServiceSetting Where TerminalServerMode=1
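Before linking the policy it is worth confirming that the query actually returns a result on the servers you expect, and only on those. The following PowerShell is an added example, not part of the SMBKitchen document. It runs the same namespace and query shown above against one or more servers; the function name Test-RdsFilter and the sample host names (reused from the name-based filter earlier) are the example's own, and it assumes WMI/RPC access and local administrator rights on each target.

```powershell
# Added example (not from the SMBKitchen document): run the WMI filter query
# against one or more servers before linking the GPO, so you know which machines
# it will match. Assumes WMI/RPC access and local admin rights on each target.
# Win32_TerminalServiceSetting lives in a namespace that demands packet privacy
# for remote calls, so -Authentication PacketPrivacy is needed off-box.

$Namespace = 'root\CIMV2\TerminalServices'
$Query     = 'Select * From Win32_TerminalServiceSetting Where TerminalServerMode=1'

function Test-RdsFilter {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        try {
            # Get-WmiObject rather than Get-CimInstance so this also works on the
            # PowerShell 2.0 that ships with Server 2008 / 2008 R2.
            $hit = Get-WmiObject -ComputerName $computer -Namespace $Namespace `
                                 -Query $Query -Authentication PacketPrivacy -ErrorAction Stop
            # No instance returned means the server is not in application-server
            # mode (TerminalServerMode=1), so the filtered GPO will not apply to it.
            $mode = if ($hit) { $hit.TerminalServerMode } else { 0 }
            New-Object PSObject -Property @{
                Computer           = $computer
                FilterMatches      = [bool]$hit
                TerminalServerMode = $mode
                Error              = $null
            }
        } catch {
            # Connectivity, firewall or permission failures are reported per host
            New-Object PSObject -Property @{
                Computer           = $computer
                FilterMatches      = $null
                TerminalServerMode = $null
                Error              = $_.Exception.Message
            }
        }
    }
}

# Constructed sample: the host names used in the name-based filter above.
Test-RdsFilter -ComputerName 'RDSERVER01', 'RDSERVER02' |
    Format-Table Computer, FilterMatches, TerminalServerMode, Error -AutoSize
```

A server that shows FilterMatches = False is in remote-administration mode and will silently fall outside the policy; if that server hosts user sessions anyway, the name-based filter or an OU link is the safer way to scope it.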


Figure 3 - Set up WMI query

It should look as above.

Click OK and then save.

Figure 4 - Set up WMI

Now go to your Server OU structure, right-click and choose "Create a GPO in this domain, and Link it here".


Figure 5 - Create the policy

Name the policy.

Figure 6 - Name the policy

Click OK.


Now go back to the policy, right-click and click on Edit.

Figure 7 - Edit the new policy

Drill down to the Software Restriction Policies section.

Figure 8 - Add SRP


It will be under Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies.

Right-click and click on New Software Restriction Policies.

Figure 9 - Add new policy

Now find Additional Rules, right-click and click on New Path Rule.

Figure 10 - Add new rule

For Server 2008/2008R2 and MultiPoint remote desktop servers set the following rules:

Path: %AppData%\*.exe

Security Level: Disallowed

Description: Don't allow executables from AppData

And


Path: %AppData%\*\*.exe

Security Level: Disallowed

Description: Don't allow executables from AppData

Figure 11 - Add new rule

Click OK.

Add additional rules as follows:

Block executables run from archive attachments opened with WinRAR:

Path: %Temp%\Rar*\*.exe

Security Level: Disallowed

Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:


Path: %Temp%\7z*\*.exe

Security Level: Disallowed

Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path: %Temp%\wz*\*.exe

Security Level: Disallowed

Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path: %Temp%\*.zip\*.exe

Security Level: Disallowed

Description: Block executables run from archive attachments opened using Windows built-in Zip support.
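Once the policy has applied (run gpupdate /force on the server first), you can confirm that exactly these rules arrived, with the right security level, by reading them back from where SRP stores them. The following PowerShell is an added example and not part of the SMBKitchen document; the function names Get-SrpPathRule and Test-SrpRuleSet are the example's own, and the expected list is the rule set given above.

```powershell
# Added example (not from the SMBKitchen document): verify that the SRP path
# rules actually arrived on a server once the GPO has applied.
# SRP keeps computer-scope path rules in the registry under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<guid>,
# one GUID subkey per rule with ItemData (the path) and Description values.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP encodes them in the subkey name
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($level in $Levels.Keys) {
        $pathsKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem $pathsKey) {
            # Read ItemData raw: the registry provider would otherwise expand
            # %AppData% to the current user's folder and hide the rule as written.
            $raw = $ruleKey.GetValue('ItemData', '',
                       [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            New-Object PSObject -Property @{
                Level       = $Levels[$level]
                Path        = $raw
                Description = $ruleKey.GetValue('Description', '')
                RuleId      = $ruleKey.PSChildName
            }
        }
    }
}

function Test-SrpRuleSet {
    param([string[]]$ExpectedDisallowed)
    $present = Get-SrpPathRule | Where-Object { $_.Level -eq 'Disallowed' } |
               ForEach-Object { $_.Path.ToLower() }
    foreach ($expected in $ExpectedDisallowed) {
        New-Object PSObject -Property @{
            Path    = $expected
            Present = ($present -contains $expected.ToLower())
        }
    }
}

# The rule set from this document (Server 2008 / 2008 R2 / MultiPoint section)
$Expected = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',
    '%Temp%\7z*\*.exe',
    '%Temp%\wz*\*.exe',
    '%Temp%\*.zip\*.exe'
)

Get-SrpPathRule | Format-Table Level, Path, Description -AutoSize
Test-SrpRuleSet -ExpectedDisallowed $Expected | Format-Table Path, Present -AutoSize
```

Look at the Unrestricted rows as well as the Disallowed ones: SRP applies the most specific matching rule, so an Unrestricted path rule that someone added under %AppData% for a line-of-business tool will override the block for anything beneath it.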

When complete it should look like this:

Figure 12 - Final policy

Now close the editing window, go back to the policy and change the WMI filter so that it only applies to Terminal Servers.


Figure 13 - Add WMI filter


When you are complete, the policy should apply to the server category, to Authenticated Users and then only to Terminal Servers.

Figure 14 - Final policy

Additional path locations

You can add additional path locations such as AppData\Local and AppData\LocalLow in Windows 2008 Remote Desktop Services and higher to protect those as well, but be aware that there may be an impact on line-of-business apps that run from these locations. For example, remote access tools such as Copilot.com will be blocked if the local file location is blocked.


You may optionally wish to block %LocalAppData% as an additional location and make it applicable only to the Windows 7 machines.

Server 2003 locations

For Server 2003 the policy is as follows:

Path: %AppData%\*.exe

Security Level: Disallowed

Description: Don't allow executables from AppData

And

Path: %AppData%\*\*.exe

Security Level: Disallowed

Description: Don't allow executables from AppData

Block executables run from archive attachments opened with WinRAR:

Path: %Temp%\Rar*\*.exe

Security Level: Disallowed

Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path: %Temp%\7z*\*.exe

Security Level: Disallowed

Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path: %Temp%\wz*\*.exe

Security Level: Disallowed

Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path: %Temp%\*.zip\*.exe

Security Level: Disallowed


Description: Block executables run from archive attachments opened using Windows built-in Zip support.

Post disaster review

Review the damage to the system, restore files from shadow copies or backups as needed, and review security settings in the office.

Please note, you may need to remove the drive to an enclosure to scan and edit it while the system is not mounted.

But you need to ask yourself if you are truly assured that you have cleaned the system. Without totally rebuilding or rolling back to an image from known good sources, you will always question the health and security of this system.

Talk to your client. Go with your gut. If you do not feel that it is completely secure (and it probably isn't), rebuild the machine or roll back to a backup that you know is pre-infection.

From “Help: I got Hacked. Now what do I do?” http://technet.microsoft.com/en-us/library/cc512587.aspx

“You can’t clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know where to look, or that the system is so compromised that what you are seeing is not actually what is there.”