Gameover Zeus – What Is It and What Can You Do About It?

What is all the fuss about?

Recently, the FBI, together with authorities in several other countries, took down some key computer systems that were used to control infected computers around the globe. Those infections were designed to steal usernames and passwords from the infected computers.

Those key computer systems are no doubt in the process of being rapidly replaced somewhere else in the world, and as soon as they are up and running again they will resume communications with the infected computers and unleash an attack on as many computers as they can infect, with the aim of stealing yet more usernames and passwords so that these can be used to steal your money!

What could happen to me and my computer?

Not much if you have an Apple Mac computer!  This nasty will only affect Windows-based computers (because the largest proportion of the computers in the world are running Windows).  So us Apple Mac users can sit back with a smug grin on our faces 😀

What will the virus do?

If you are already infected or become infected in the future, the virus will initially (apparently) sit quietly and wait for you to log in to your bank account online, then steal the login credentials (username and password) you use to access your account. Once it knows all the details, these can be used to empty your bank account into the criminals’ bank accounts.

If this first attempt to steal money from you fails (maybe you don’t use online banking, you don’t have a bank account or you don’t have much money in your bank account), or isn’t rewarding enough for the criminals behind this (who knows what constitutes enough money), then the second phase of the virus attack will kick in (the CryptoLocker virus).

This second phase will encrypt the interesting user data on your computer (spreadsheets, documents, databases, pictures, email files etc.) and then throw up a Ransom Demand screen asking you to pay around $300 in order to obtain the key to decrypt your data.

If you don’t pay the ransom demand within the time indicated on the Ransom Demand screen (which shows an ever-reducing count-down clock), then the key that can be used to decrypt your data will be deleted and you won’t be able to recover your data unless you have a backup of your files somewhere (if you use services such as DropBox or SugarSync or any other service that syncs your files into the Cloud, then this DOESN’T constitute a proper backup).

Could I already be infected and not know it?

Yes – in the UK it is estimated that around 15,000 computers will already be infected; worldwide, this is thought to be in the millions.

The infected computers will no doubt try to harvest email addresses from the local Windows address book / Outlook contacts and then send out an infected email to those locally harvested addresses.  Those recipients, unless they have their wits about them, may think the email is genuine because it comes from someone they know, and of course open it, open the attachment and then they will be infected, and the process starts again.

If you are already infected, then your Internet Service Provider (ISP) may contact you (if the rumours are true) and tell you that you are infected.  IF YOU HEAR FROM YOUR ISP – DO NOT IGNORE THE WARNING!

What can I do about it?

McAfee have kindly produced a tool to scan for and remove the infection from an already infected computer and this can be downloaded here.  There is no harm in downloading the tool right now and checking your machine even if your ISP doesn’t contact you, so why not err on the side of caution and check your computer anyway?  This should make sure you aren’t currently infected.

Once you know you are clean, the best advice is to buy an external hard disk drive or a large capacity memory stick and back up ALL your critical personal data to the disk / memory stick, then unplug the disk / memory stick and keep it somewhere very safe.

If the disk / memory stick is kept connected to your computer, then the data on that will also become encrypted if you subsequently become infected, so keep your backed up data completely isolated from your computer and you should be fine.

Worst case, if you do get infected after you have taken your backup, then the virus can be stopped and you can recover your data from your external disk.

If you don’t back up your data and you do become infected, then there is still a small chance of recovering your files if you have a feature called Shadow Copies enabled on your computer (see the link to the left to find out how to enable them).
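As an added example (not part of the original post), this PowerShell snippet lists the Shadow Copies that exist for the C: drive and mounts the newest one as a folder so an earlier version of a file can be copied out. It assumes an elevated prompt on Windows Vista or later with System Protection enabled; the file paths at the end are placeholders.

```powershell
# Added example, not from the original post. Lists Volume Shadow Copies for C:
# and mounts the newest one so pre-infection versions of files can be copied out.
# Assumes an elevated PowerShell prompt; file paths below are placeholders.
$volumeId = (Get-WmiObject Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadows  = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volumeId }

if (-not $shadows) {
    Write-Host "No shadow copies exist for C: - nothing to recover from this way."
    return
}

# Oldest first. InstallDate is a WMI timestamp string (yyyymmddHHMMSS...), so it sorts correctly as text.
$shadows | Sort-Object InstallDate | Format-Table InstallDate, DeviceObject -AutoSize

$newest = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1

# Expose the snapshot as a folder. The trailing backslash after the device path is required.
$mount = "C:\ShadowMount"
cmd /c mklink /d $mount "$($newest.DeviceObject)\"

# Copy the earlier version of a file out of the snapshot (placeholder paths).
New-Item -ItemType Directory -Force -Path "C:\Recovered" | Out-Null
Copy-Item "$mount\Users\Example\Documents\report.xlsx" "C:\Recovered\report.xlsx"

# Remove the link only; the snapshot itself is untouched.
cmd /c rmdir $mount
```

If the list comes back empty there is nothing to roll back to, which is exactly why the unplugged external backup above is the advice that counts.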

If you aren’t already infected, well done.  You should still back up your files and remain ever vigilant when opening new emails that contain attachments or links to sites, even from people you already know.

What’s in it for the criminals?

Well – the Cryptolocker virus that reared its head around October last year has supposedly netted the criminals around £60m from their ransom demands, and even some police forces have had to pay the ransom to get their data back, so clearly it’s well worth their while writing the virus and setting it loose into the world, and no one is immune from attack.

If 1% of the supposed million-plus computers that are infected pay the ransom demand, then that’s about $3m in the bank.  Add to that the amount from bank accounts that get emptied, which presumably will have more than $300 in them: if 5% of an infected 1 million computers who have $500 in their account get emptied, then we are talking about $125m in income alone.

You have been warned!

Problem creating new Outlook 2007 Rule on an Exchange 2003 Server

We had a customer who was trying to create a new Outlook Rule using Outlook 2007 connected to their Exchange 2003 server and they kept receiving the message:

“One or more rules cannot be uploaded to Microsoft Exchange and have been deactivated. This could be because some of the parameters are not supported, or there is insufficient space to store all of your rules.”

All manner of attempts to try and fix the problem were in vain. Other users were happily able to create new rules, recreating the specific user’s Outlook Profile made no difference, using 3rd-party software (Outlook Spy) revealed nothing of interest, and starting Outlook with additional switches (/cleanclientrules /cleanrules /cleanserverrules) also made no difference.

Looking around on the server for an unrelated issue, I saw many ESE errors (Event ID 467 – Database Corruption) in the Application Event Logs and this led me to dismount the mailstore and repair, defragment and integrity check it (eseutil /p, eseutil /d and isinteg -s servername -fix -test alltests).

Once the eseutil checks were completed, I ran the isinteg command and after the first pass, about 47 errors were noted in the last line of the output. Running isinteg again (to make sure all errors had gone) showed 0 Errors and 0 fixes – which is the desired result, so I mounted the store again and contacted our customer.

Our customer then tried to create a new rule and was able to without any problems!

So, if you have scoured the web for solutions to similar problems and you still cannot create a new Outlook rule, check your server Application Event Logs and if required, repair, defragment and integrity check your mailstore as it will most probably fix the problem.
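As an added example (not from the original post), this PowerShell script performs the checks described above on an Exchange 2003 server: it counts the ESE 467 events in the Application log and, once the store has been dismounted in Exchange System Manager, copies the database files aside before running the eseutil and isinteg steps. The database and backup paths are placeholders.

```powershell
# Added example, not from the original post. Step 1: count the ESE 467 events that
# prompted the repair; step 2: repair the (already dismounted) mailbox store.
# Paths are placeholders; run this on the Exchange 2003 server itself.
$eseErrors = Get-EventLog -LogName Application -Source ESE -EntryType Error |
    Where-Object { $_.EventID -eq 467 }
"ESE 467 (database corruption) events found: $($eseErrors.Count)"
$eseErrors | Select-Object -First 3 TimeGenerated, Message | Format-List

if ($eseErrors.Count -eq 0) {
    "No 467 events in the Application log; an offline repair is probably not the fix."
    return
}

$db        = "D:\Exchsrvr\MDBDATA\priv1.edb"   # placeholder: mailbox store to repair
$backupDir = "E:\MDB_backup"                   # placeholder: needs room for the .edb and .stm

# eseutil /p discards pages it cannot repair, so keep a copy of the database files first.
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
Copy-Item ($db -replace '\.edb$', '.*') $backupDir   # copies priv1.edb and priv1.stm

& eseutil /mh $db   # dump the header; note the "State:" line before repairing
& eseutil /p  $db   # hard repair (asks for confirmation before it starts)
& eseutil /d  $db   # offline defragment; needs free space of roughly the database size

# isinteg is interactive: it lists the stores, you pick one and confirm with Y.
# Re-run it until the summary line reports 0 errors, then mount the store again in ESM.
& isinteg -s $env:COMPUTERNAME -fix -test alltests
```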