Virus Alert



SolMiester
30-11-2010, 01:58 PM
Not sure if this has been covered, but this is a very nasty Trojan called Cypher, which encrypts the first few bytes of files then changes the ext to encoded. It also drops a text file stating the following:

Attention!!!
All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check for this yourself - just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after 3 days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words in our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (with full serial key shown below in this 'how to..' file on desktop): recoverdata@secure-mail.biz


Please be careful what you download.

Agent_24
30-11-2010, 02:02 PM
Ouch. That sounds like one bastard of a virus.

Speedy Gonzales
30-11-2010, 02:03 PM
Looks like it's already doing the rounds. And that's what you get for using torrents.

SolMiester
30-11-2010, 02:05 PM
Our CHCH member firm got hit yesterday; they only recovered because of backups. They have no idea how it came in!

Gobe1
30-11-2010, 02:12 PM
Sounds like Doctor Evil

What's RSA 1024? Is that 1024-bit?

Speedy Gonzales
30-11-2010, 02:17 PM
It's probably this (http://www.symantec.com/security_response/writeup.jsp?docid=2010-112517-0111-99&tabid=2), aka this (http://www.sophos.com/security/analyses/viruses-and-spyware/trojpdfjsml.html).

It can infect a system by opening a PDF file (http://nakedsecurity.sophos.com/2010/11/26/drive-by-ransomware-attack-demands-120/).

Agent_24
30-11-2010, 02:20 PM
Looks like it's already doing the rounds. And that's what you get for using torrents.

I think infected USB drives, email and drive-by downloads are more likely.

Bittorrent is fine if used sensibly, like downloading Ubuntu.

Of course I have seen some torrents which were specifically viruses, eg: an 8GB RAR file full of them. But anyone downloading that would be prepared (I hope!)

SolMiester
30-11-2010, 02:26 PM
Yeah, that looks like it, Speedy. Doesn't look like many AVs are catching it!

Speedy Gonzales
30-11-2010, 02:30 PM
MSE might (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRansom.U&ThreatID=-2147336381)

linw
30-11-2010, 02:47 PM
MSE might (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRansom.U&ThreatID=-2147336381)

Hope so! Sounds like a nasty one for sure.

Must revise my schedule driven backup strategy to help protect my USB drive from getting hit.

Speedy Gonzales
30-11-2010, 03:07 PM
It looks like there were previous ransomware trojans like this.

And all they did was delete the original file/s before making an encrypted version of them. One program that didn't fix the prob, but could undelete the original file/s, was PhotoRec. i.e. this (http://support.kaspersky.com/faq/?qid=208279822)

Agent_24
30-11-2010, 03:29 PM
Hmm.. FileScavenger and other file recovery programs should work then, as long as the files aren't overwritten.

B.M.
30-11-2010, 04:01 PM
Bit more here.

http://www.pcworld.com/businesscenter/article/151890/ransomware_viruswriter_identified.html

Catweazle
30-11-2010, 06:04 PM
Eek.. That sounds like true Somalian-style piracy in every aspect. 'We have your goods, now pay to get them back.' :yuck:

I hope the virus author gets hit by a very large rock rolling off a particularly steep mountain.

The Error Guy
30-11-2010, 08:47 PM
Still, can't help but think, nice bit of coding. Still, sounds like an evil son of a b**h.

Myth
30-11-2010, 10:06 PM
Looks like it's already doing the rounds. And that's what you get for using torrents.

What a load of uneducated bollocks ("Let's blame torrents")...

So far it has turned up within a PDF:

http://www.esecurityplanet.com/features/article.php/3914811/Ransomware-Scams-Take-Your-Data-Hostage.htm

Speedy Gonzales
30-11-2010, 10:07 PM
There's a few sites where people got it downloading movies through torrents.

8ftmetalhaed
30-11-2010, 10:25 PM
And of course, NZ probably will get hit hard by that. (since apparently we pirate more movies per capita than anywhere else, or so I think it goes)
Can't say they don't deserve it.

:( half an hour till a week of no inet

Agent_24
30-11-2010, 10:25 PM
People are always getting viruses by using Bittorrent.

The problem is they usually don't know things like a movie is not just 34KB and doesn't end in .EXE

goodiesguy
30-11-2010, 10:29 PM
There's a few sites where people got it downloading movies through torrents.

That's still no excuse to blame torrents. Torrents, if you are careful, can be very safe.

Speedy Gonzales
30-11-2010, 10:35 PM
Well, true, but most people are too stupid to use them, don't use virus scanners to scan whatever, and end up getting infected. Then wonder why their computers are screwed.

Digby
01-12-2010, 01:05 PM
Don't you just love the way they say
"If you say any bad words they will not help us"

Up till now I have always thought viruses and trojans were a bit of a joke and that they never seemed to do much, and when you did get one, one of the trojan removal programs etc. always got rid of them.

And people used to say that they could damage your hardware
But encrypting ones hard drive is very nasty.

And it's a great little money earner, so I expect to see lots of these.

1101
01-12-2010, 01:24 PM
And people used to say that they could damage your hardware

Ahhh, short memories. There was a virus that wiped the BIOS chip (more or less), leaving the MB unusable (only certain types of MBs were at risk).
Also another put a hardware-level pass on the HD.

Agent_24
01-12-2010, 01:38 PM
Not if you've got an EEPROM programmer :)

Chilling_Silence
01-12-2010, 01:45 PM
Yeah gone are the days of the Casino Virus that would hose your FAT, then make you play slots to see if the virus would restore it.
Encrypting the files could be a slightly more sinister (better?) approach because once the files are encrypted, presumably it'll be removing the older file and overwriting it either with the newly encrypted file, or with the next file that comes along. Thus, recovery is nigh on impossible :D

1101
01-12-2010, 01:46 PM
Not if you've got an EEPROM programmer :)

Or just hotswap a working BIOS chip, then reflash :nerd:
Of course this was a bit hard when the chip's soldered in.

Myth
01-12-2010, 02:33 PM
Yeah gone are the days of the Casino Virus that would hose your FAT, then make you play slots to see if the virus would restore it.
Encrypting the files could be a slightly more sinister (better?) approach because once the files are encrypted, presumably it'll be removing the older file and overwriting it either with the newly encrypted file, or with the next file that comes along. Thus, recovery is nigh on impossible :D

Maybe if we ask nicely, they will re-initiate the slots thing... hand of poker maybe, winner takes all. You win, they send you the key; you lose, kiss your $120 goodbye.

Agent_24
01-12-2010, 03:24 PM
Or just hotswap a working BIOS chip, then reflash :nerd:
Of course this was a bit hard when the chip's soldered in.

Hot-Flashing is fun :D

Still need to learn how to use my hot air rework properly.... Unless you mean a DIP32 in plated through-holes. That would be interesting. I believe you need a desoldering gun for that.

Pancake
02-12-2010, 09:30 AM
Kaspersky are working on a fix for this virus. Until then the only fix is to format.

Digby
02-12-2010, 09:39 AM
I hope all the other av companies are as well !

Chilling_Silence
02-12-2010, 09:47 AM
Surely it'd be worth it for an AV company to say to him "Righto, we'll pay you XYZ amount for the fix" and then include it in their AV software, or to market it as a special removal tool of their own (Paid?), because they're then suddenly the *only* company who can fully 100% treat it, which means that people are more likely to use / buy their product?

It's a tough one, but do you essentially cave to this guy's request and give him a buttload of money to get the "key" to restoring all the files?

Snorkbox
02-12-2010, 10:00 AM
Still nothing like a good backup strategy.

mikebartnz
02-12-2010, 12:45 PM
That's still no excuse to blame torrents. Torrents, if you are careful, can be very safe.

From what I have seen they deserve all the blame they get. :groan:

Agent_24
02-12-2010, 01:32 PM
You can't have seen very much of them then...

mikebartnz
03-12-2010, 07:09 PM
You can't have seen very much of them then...

I have seen the results on enough PCs that the kids have been using various torrent programs on.

Agent_24
03-12-2010, 09:55 PM
Fair enough, the kids probably wouldn't know the difference between "Movie.avi" and "Movie.avi.exe"

Especially when file extensions are hidden by default in Windows!

wainuitech
03-12-2010, 09:58 PM
Still nothing like a good backup strategy.

Second that -- as proven today with a customer :thumbs: :D

Digby
04-12-2010, 10:13 AM
Fair enough, the kids probably wouldn't know the difference between "Movie.avi" and "Movie.avi.exe"

Especially when file extensions are hidden by default in Windows!

That's a good point !

mikebartnz
04-12-2010, 11:34 AM
Especially when file extensions are hidden by default in Windows!

I have never understood why MS decided to do that, as it adds no benefit, and for security I thought they would have knocked it on the head by now, but I see Win7 still does it. It is one thing I immediately change when on a Win PC for the first time.

Agent_24
04-12-2010, 11:41 AM
Probably because some people when renaming files end up losing the extension and then don't know what's happened.

But then, how else are they going to learn?

Ron24
06-12-2010, 02:50 PM
Looks like it's already doing the rounds. And that's what you get for using torrents.


Please excuse the ignorance, but what are "torrents"?

Speedy Gonzales
06-12-2010, 03:02 PM
Sites where you can get ISOs / whatever. Some are legit, most aren't. They're an easy way to get infected by something if you're not careful.

The Error Guy
06-12-2010, 03:46 PM
Muppet student: Help me, this song won't play.
Me: Why? Did you rip it right? Codec? Incomplete iTunes d/l?
Muppet: Uhhhh... dunno what you're on about! (cue smart-ass voice) I use torrents!
Me: OK, let's see it...
(No kidding on the extension either.) A 200MB awesome_song.mp3.aac.flac.exe was the "non-playing song", and the .nfo (commonly used as a readme file or instructions instead of a system info file as intended) instructions stated: Run the song as admin, disable antivirus. Allow access through firewall.

Obviously Captain Muppet had done all of the above. At that point he started to complain because his computer was slow and said I "sucked at fixing things". I left him to stew in his own ignorant stupidity.

I don't feel sorry for him. The amount of music people pirate that is cr*p anyway is shocking; it's a waste of bandwidth on the internet. I guess it's good: whoever made such horrible tunes should be starved of income! I don't care about some guy's obsession with "ghetto booty" and how he likes to drone on over 5 mins with some tinny snare about his mother's crack habit.

Anyway, rant over.

Agent_24
06-12-2010, 05:44 PM
That's hilarious! :lol:

I've seen them with worse filenames than that, but never one with instructions on how to infect yourself with it. Classic.