On 3/26/02 we had two network servers attacked by someone or something. Both servers were NT 4.0. On both machines the .evt files were first copied and saved. After setting these files aside the person or code deleted all files on three critical network shares (none of these shares were a C:\ drive). The files were deleted recursively. No folders were deleted. The recycle bin was emptied. The saved .evt files were copied back over to their original location to hide all trace of what was done. All work was done between about 12:15 p.m. and 1:00 p.m. Literally thousands of files were deleted. One of the network servers has a public IP address and the other has a private IP address. IP forwarding is not enabled between them. However, we do have several staff whose workstations are mapped to network drives on each machine. Both servers have multiple shares but only three shares on the two machines were attacked. After we restored mission-critical files and reestablished normal operations we began looking for clues. From our investigation it looks like we were hit either by a virus of some sort or by a very skilled intruder. If an intruder was involved he/she was very skilled and fast with a keyboard. It is clear that hundreds of files were deleted per minute. If this was malicious code, what virus/worm/trojan is known to both copy and restore .evt files and delete ALL files on a share recursively?
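One check that helps confirm the log-restoration theory described above, as an added example that is not part of the original post: if a saved copy of an .evt file was written back over the live log, the restored log is silent for the whole period between the copy and the restore, so a gap that fully contains the 12:15 p.m. to 1:00 p.m. window is strong corroboration. The records below are constructed for illustration (timestamp, event id, description), not data from the affected servers, and the export format is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of a text export of an
# NT 4.0 Security log around the incident window on 2002-03-26.
# The silence between 12:11 and 13:07 is the artifact of interest.
SAMPLE_RECORDS = [
    ("2002-03-26 11:58:10", 528, "Successful logon"),
    ("2002-03-26 12:05:44", 560, "Object open"),
    ("2002-03-26 12:11:02", 538, "User logoff"),
    ("2002-03-26 13:07:30", 528, "Successful logon"),
    ("2002-03-26 13:09:15", 560, "Object open"),
]

FMT = "%Y-%m-%d %H:%M:%S"


def _parse(records):
    """Parse and sort records by timestamp (exports are not always ordered)."""
    return sorted((datetime.strptime(ts, FMT), eid, msg) for ts, eid, msg in records)


def find_gaps(records, max_gap_minutes):
    """Return [(start, end), ...] as timestamp strings for every pair of
    consecutive records separated by more than max_gap_minutes."""
    parsed = _parse(records)
    limit = timedelta(minutes=max_gap_minutes)
    gaps = []
    for prev, cur in zip(parsed, parsed[1:]):
        if cur[0] - prev[0] > limit:
            gaps.append((prev[0].isoformat(sep=" "), cur[0].isoformat(sep=" ")))
    return gaps


def gap_covers_window(records, window_start, window_end, max_gap_minutes=15):
    """True if one silent gap fully contains the suspected activity window.
    A restored .evt copy produces exactly this: no records at all between
    the moment the file was copied and the moment it was written back."""
    ws = datetime.strptime(window_start, FMT)
    we = datetime.strptime(window_end, FMT)
    for start, end in find_gaps(records, max_gap_minutes):
        if datetime.strptime(start, FMT) <= ws and datetime.strptime(end, FMT) >= we:
            return True
    return False


if __name__ == "__main__":
    print(find_gaps(SAMPLE_RECORDS, 15))
    print(gap_covers_window(SAMPLE_RECORDS, "2002-03-26 12:15:00", "2002-03-26 13:00:00"))
```

Run it against the System and Application logs as well as Security; an attacker-restored copy leaves the same hole in every log that was swapped, while a genuinely quiet server usually still writes service and application events.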
