Automated clean up after malware infection

We recently had an encounter with malware eventually identified as TrojanDownloader:Win32/Skidlo.AC. Unfortunately, the anti-malware didn’t identify it until the next day (and then not until I’d submitted a sample of one of the payloads). It went through several server directories, and in each it changed the subdirectories to hidden SIDs and then put in shortcut files which pointed to the payload (with a reference to the renamed folder). This was enough for me to write a PowerShell script which was able to undo the damage (I manually nuked the hidden “$RECYCLE.BIN.randomnumber” folder that contained the payload). We use Varonis DatAdvantage, so I was easily able to see which folders were affected and determine the extent of the damage. Luckily, no actual file contents were affected – it only affected the folders.

The code iterates through all of the files with a .lnk extension in a specified folder, and if the shortcut's arguments include the text '$RECYCLE.BIN', then it processes the shortcut. For each such shortcut it renames and unhides the folder, and then deletes the shortcut.
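The procedure described above, written out as an added PowerShell example; this is not the author's script (the post does not reproduce it). It assumes that each malicious .lnk carries the folder's original name as its base name and that the renamed, hidden folder appears as a quoted token in the shortcut's arguments; both are assumptions, not facts stated in the post.

```powershell
# Added example (not the author's script): restore folders hidden by the LNK trick described above.
# Assumptions (not stated in the post): the .lnk keeps the folder's original name as its base name,
# and its Arguments string references the renamed, hidden folder as a quoted path token.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Path,   # directory to clean, e.g. the root of an affected share
    [string] $Marker = '$RECYCLE.BIN'        # text that identifies a malicious shortcut
)

$shell = New-Object -ComObject WScript.Shell
$hide  = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

foreach ($lnk in Get-ChildItem -LiteralPath $Path -Filter *.lnk -File) {
    $sc = $shell.CreateShortcut($lnk.FullName)     # on an existing .lnk this reads its properties
    if ($sc.Arguments -notlike "*$Marker*") { continue }   # ordinary shortcut, leave it alone

    # Collect quoted tokens from the arguments; keep the first that names a hidden directory beside the .lnk
    $hidden = [regex]::Matches($sc.Arguments, '"([^"]+)"') |
        ForEach-Object { Join-Path $lnk.DirectoryName (Split-Path $_.Groups[1].Value -Leaf) } |
        Where-Object {
            (Test-Path -LiteralPath $_ -PathType Container) -and
            (((Get-Item -LiteralPath $_ -Force).Attributes -band $hide) -ne 0)
        } | Select-Object -First 1

    if (-not $hidden) {
        Write-Warning "$($lnk.FullName): flagged, but no hidden folder found in its arguments; skipped"
        continue                                   # never delete a shortcut without a folder to restore
    }

    $original = $lnk.BaseName
    if ($PSCmdlet.ShouldProcess($hidden, "Rename to '$original', unhide, delete shortcut")) {
        Rename-Item -LiteralPath $hidden -NewName $original -Force
        $dir = Get-Item -LiteralPath (Join-Path $lnk.DirectoryName $original) -Force
        $dir.Attributes = $dir.Attributes -band (-bnot $hide)   # clear Hidden and System
        Remove-Item -LiteralPath $lnk.FullName -Force
        Write-Output "Restored '$original' in $($lnk.DirectoryName)"
    }
}
```

Run it with -WhatIf first to list what would be renamed and deleted before touching anything.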
