PROTECTION ON TERMINAL SERVERS
Dangerous new virus
This is a follow-up to the earlier document warning about CryptoLocker. The virus also affects Terminal Server
environments, so the group policy that helps block its spread needs to be set up slightly differently there.
Antivirus alone may not detect these. You may need a separate on-demand tool such as Microsoft Safety
Scanner to stop it from running. The executable is usually dropped in the user profile's AppData folder, which is
why the path rules below target that location.
It typically targets Office documents, as noted on the Excel support blog:
"Excel cannot open the file [filename] because the file format or file extension is not valid." opening Office
files - The Microsoft Excel Support Team Blog - Site Home - TechNet Blogs
http://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2013/09/07/quot-cannotopen-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
There is currently an ongoing situation where users may encounter an error when trying to open Office
documents. The error can happen opening any Office file type, not just Excel files. For Excel file types,
the error says: "Excel cannot open the file [filename] because the file format or file extension is not valid.
Verify that the file has not been corrupted and that the file extension matches the format of the file."
For Microsoft Word, the error may read differently: "The file cannot be opened because there are problems
with the contents" or "The file [FileName] cannot be opened because there is a problem with the contents".
We have confirmed that this can also affect PowerPoint files, AutoCAD files and JPEG images.
This problem has been confirmed to be caused by malware on the affected machine. There are now two
known variants of malware which cause this problem: Win32/Crilock.A and Win32/Buma!rts. They have
both been identified as a new family of ransomware.
In order to clean your machine, run Microsoft Safety Scanner
(http://www.microsoft.com/security/scanner/en-us/default.aspx). If infected, Safety Scanner should clean
the virus from the system, however it will not repair corrupted files. You will still need to restore those from
a backup. A detailed analysis of affected files submitted to Microsoft for investigation has revealed the files
are encrypted with a private and public key. The files cannot be recovered without the private key, which is
more than likely held by the attacker. The premise of ransomware is such that if a person pays the ransom
the key is provided to "unlock" the files.
Other resources:
Microsoft Word Support Blog: http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quotcannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
Microsoft PowerPoint Support Blog: http://blogs.technet.com/b/bgp/archive/2013/09/09/3595491.aspx
This document was created for the SMBKitchen Project as part of our effort to help small business IT prepare
for the future. If you are not a subscriber please visit http://www.thirdtier.net and consider joining us.
In the Group Policy Management Console, go to the OU that holds your servers, right-click it and choose Create a
GPO in this domain, and Link it here.
Give the new GPO a name in the New GPO dialog and click OK.
Go back to the new policy, right-click it and choose Edit.
In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security
Settings > Software Restriction Policies. The policy has to sit under Computer Configuration so that it applies to
every session on the server regardless of who logs on. If the node shows no policy yet, right-click it and choose
New Software Restriction Policies. Then right-click Additional Rules and choose New Path Rule.
For Server 2008/2008 R2 and MultiPoint remote desktop servers set the following rules:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Click OK.
Add additional rules as follows:
Block executables run from archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executables run from archive attachments opened with 7zip:
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executables run from archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
Now close the editor window, go back to the policy in the Group Policy Management Console and set a WMI filter so
that the policy applies only to Terminal Servers.
When you are done, the GPO should be linked at the server OU, security-filtered to Authenticated Users (which
includes the computer accounts of the servers in that OU) and WMI-filtered so that it applies only to Terminal Servers.
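A check for the finished policy, added here as an example and not part of the SMBKitchen document: run it on a Terminal Server in an ordinary user's RDP session after gpupdate /force (log off and on again if no rules show up). It reads the delivered path rules back from the Safer\CodeIdentifiers key, which is where applied Software Restriction Policy rules land, and then launches a harmless copy of where.exe from each folder the rules cover; a working rule refuses the launch. The folder names used for the archive probes and the SRP event source and ID are assumptions stated in the comments.

```powershell
# Added example (not from the SMBKitchen document): confirm the CryptoLocker SRP
# path rules reached this Terminal Server and are actually enforced.
$SaferPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

function Get-SrpPathRules {
    # Applied SRP rules arrive as one GUID-named key per rule; level "0" is Disallowed.
    if (-not (Test-Path $SaferPaths)) { return @() }
    Get-ChildItem $SaferPaths | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Path = $p.ItemData; Description = $p.Description }
    }
}

function Test-SrpBlock {
    # Drop a harmless Windows binary into the folder a rule covers and try to run it.
    # A matching Disallowed rule makes process creation fail with
    # ERROR_ACCESS_DISABLED_BY_POLICY (1260), which Start-Process raises as an error.
    param([Parameter(Mandatory)] [string] $Folder)
    $created = -not (Test-Path $Folder)
    if ($created) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $probe = Join-Path $Folder 'srp-probe.exe'
    Copy-Item "$env:windir\System32\where.exe" $probe -Force
    try {
        Start-Process -FilePath $probe -ArgumentList '/?' -WindowStyle Hidden -Wait | Out-Null
        return $false   # it ran: no rule matched this location
    } catch {
        return $true    # launch refused: the policy is enforced here
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
        if ($created) { Remove-Item $Folder -Recurse -Force -ErrorAction SilentlyContinue }
    }
}

# 1. What the policy delivered.
Get-SrpPathRules | Format-Table -AutoSize

# 2. One probe per rule family from the document. The 'Rar$probe' and 'Temp1_probe.zip'
#    folder names are assumed to mimic WinRAR's and Explorer's extraction folders.
[pscustomobject]@{
    AppData    = Test-SrpBlock -Folder $env:APPDATA
    AppDataSub = Test-SrpBlock -Folder (Join-Path $env:APPDATA 'probe')
    WinRarTemp = Test-SrpBlock -Folder (Join-Path $env:TEMP 'Rar$probe')
    BuiltInZip = Test-SrpBlock -Folder (Join-Path $env:TEMP 'Temp1_probe.zip')
}

# 3. Each refusal is also logged to the Application log (assumed source and ID:
#    SoftwareRestrictionPolicies, event 866 = blocked by a path rule).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

All four probes should come back True. A False for AppDataSub while AppData is True means the second rule (%AppData%\*\*.exe) did not arrive; a False across the board usually means the WMI filter or security filtering excluded the server. Keep in mind what the rules do not cover: a dropper that writes anywhere other than %AppData% and %Temp% (the profile root, a mapped drive, a removable disk) runs unhindered, so the policy is one layer beside current backups and a blocking antivirus, not a replacement for them.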
Optionally, also block %LocalAppData% as an additional location, in a rule that applies only to the Windows 7
machines. The Windows 7 policy uses the same rule set:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Block executables run from archive attachments opened with WinRAR:
Path: %Temp%\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
Block executables run from archive attachments opened with 7zip:
Path: %Temp%\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
Block executables run from archive attachments opened with WinZip:
Path: %Temp%\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
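The same work scripted, as an added example that is not the SMBKitchen document's own procedure: one function builds the Terminal Server policy walked through above (create the GPO, write the Software Restriction Policy path rules under Computer Configuration, link it) and, with a switch, the Windows 7 variant with the optional %LocalAppData% rules. The registry layout under Safer\CodeIdentifiers is the one GPMC writes for Software Restriction Policies; the OU distinguished names, GPO names, the exact shape of the two %LocalAppData% rules and both WMI queries are assumptions, labelled in the comments. Run it with the GroupPolicy module (RSAT) on a domain-joined admin workstation, against a test OU first.

```powershell
# Added example (not from the SMBKitchen document): build the CryptoLocker SRP GPO
# with the GroupPolicy module instead of clicking through GPMC.
Import-Module GroupPolicy

# SRP keeps its configuration here. "CodeIdentifiers\0" is the Disallowed level and
# each path rule is a GUID-named subkey under its "Paths" key (layout GPMC writes).
$SaferRoot = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function New-CryptoLockerSrpGpo {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $TargetOu,   # e.g. 'OU=Servers,DC=contoso,DC=local' (assumed name)
        [switch] $BlockLocalAppData                  # adds the optional workstation-only rules
    )

    $gpo = New-GPO -Name $Name -Comment 'Block executables launched from AppData and archive temp folders'

    # Values GPMC writes when you choose "New Software Restriction Policies": Unrestricted
    # default level (0x40000), rules apply to all users, DLLs are not checked (TransparentEnabled=1).
    Set-GPRegistryValue -Name $Name -Key $SaferRoot -ValueName DefaultLevel        -Type DWord -Value 0x40000 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $SaferRoot -ValueName TransparentEnabled  -Type DWord -Value 1       | Out-Null
    Set-GPRegistryValue -Name $Name -Key $SaferRoot -ValueName PolicyScope         -Type DWord -Value 0       | Out-Null
    Set-GPRegistryValue -Name $Name -Key $SaferRoot -ValueName AuthenticodeEnabled -Type DWord -Value 0       | Out-Null
    Set-GPRegistryValue -Name $Name -Key $SaferRoot -ValueName ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
        'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC') | Out-Null

    # The rule set from the document (identical for Terminal Servers and Windows 7).
    $rules = @(
        @{ Path = '%AppData%\*.exe';    Description = "Don't allow executables from AppData" },
        @{ Path = '%AppData%\*\*.exe';  Description = "Don't allow executables from AppData" },
        @{ Path = '%Temp%\Rar*\*.exe';  Description = 'Block executables run from archive attachments opened with WinRAR.' },
        @{ Path = '%Temp%\7z*\*.exe';   Description = 'Block executables run from archive attachments opened with 7zip.' },
        @{ Path = '%Temp%\wz*\*.exe';   Description = 'Block executables run from archive attachments opened with WinZip.' },
        @{ Path = '%Temp%\*.zip\*.exe'; Description = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
    )
    if ($BlockLocalAppData) {
        # Assumed shape of the %LocalAppData% rules the document mentions but does not spell out.
        $rules += @{ Path = '%LocalAppData%\*.exe';   Description = "Don't allow executables from LocalAppData" }
        $rules += @{ Path = '%LocalAppData%\*\*.exe'; Description = "Don't allow executables from LocalAppData" }
    }

    foreach ($r in $rules) {
        # One GUID-named key per Disallowed path rule; ItemData is REG_EXPAND_SZ so %AppData% expands per user.
        $key = "$SaferRoot\0\Paths\{$([guid]::NewGuid().ToString())}"
        Set-GPRegistryValue -Name $Name -Key $key -ValueName ItemData     -Type ExpandString -Value $r.Path        | Out-Null
        Set-GPRegistryValue -Name $Name -Key $key -ValueName Description  -Type String       -Value $r.Description | Out-Null
        Set-GPRegistryValue -Name $Name -Key $key -ValueName SaferFlags   -Type DWord        -Value 0              | Out-Null
        Set-GPRegistryValue -Name $Name -Key $key -ValueName LastModified -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    }

    # Link it. Security filtering stays at the default Authenticated Users, which
    # includes the computer accounts in the target OU.
    New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null

    # The WMI filter still has to be created and attached in GPMC (the GroupPolicy module
    # has no cmdlet for it). Assumed queries, to be verified in your environment:
    #   Terminal Servers (namespace root\CIMV2\TerminalServices):
    #     SELECT * FROM Win32_TerminalServiceSetting WHERE TerminalServerMode = 1
    #   Windows 7 workstations (namespace root\CIMV2):
    #     SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"
    return $gpo
}

# Usage (assumed GPO names and OU paths):
# New-CryptoLockerSrpGpo -Name 'CryptoLocker SRP - Terminal Servers' -TargetOu 'OU=Servers,DC=contoso,DC=local'
# New-CryptoLockerSrpGpo -Name 'CryptoLocker SRP - Windows 7' -TargetOu 'OU=Workstations,DC=contoso,DC=local' -BlockLocalAppData
```

After running it, open the GPO in the Group Policy Management Editor and confirm the Additional Rules node lists the rules with Security Level Disallowed; that is the same check you would do after the manual walkthrough, and it catches a mistyped key before the policy reaches a server.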