
viruses


manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Tue Feb 17, 2009 4:58 am

viruses

I have a customer whose laptop has been hit with some form of virus/script/whatever. The end result is that all the document (.doc, .ppt etc.) and music files have been changed to an unreadable state.

The initial symptom is that the files are renamed to xxxx.doc.NCRYPTED.NCRYPTED.NCYRPTED.NCRYPTED.ncrypted

Renaming the file to remove the rubbish on the end makes no difference as the file is still unreadable - appears the file header has been altered perhaps?

There is also a text file left behind with the following:

"Some files on your machine are encrypted and your private informations were collected and sent to us.
To decrypt files so you could use them again, you have to buy our decryptor.
After you buy decryptor, your files will be decrypted, and we will destroy your private informations from our system, and help you remove malicious software from your system.
To buy decryptor, contact us at: thankyoumuchos@gmail.com or meloveyoug@yahoo.com
If you dont contact us, your private informations will be shared and you will loose all your data."

Normally, I would just run a format & reinstall the system but in this case the customer is desperate to keep their data since they have no backup.
So far I have run multiple virus scans with NOD32 which has pulled off some 30+ infections. I have also run spyware scans but of course this has had no effect.
Google has so far been unable to help and I'm not very confident of being able to get this resolved.

Any ideas or help would be greatly appreciated! ???

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Feb 17, 2009 9:06 am

Re: viruses

That is not good. I haven't personally seen ransomware but I have heard of it. Kaspersky cracked the easier keys, but the bad guys began using 1024-bit RSA for encryption, so good luck.

First, take the machine offline immediately and grab an image. If the malware isn't the latest generation it may still contain the original files, but in unallocated space.

Do you have any idea what "infections" the scan removed? Having those details may help you figure out exactly what you have been hit with.
twitter.com/timmedin | http://blog.securitywhole.com
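The point in the post above about original files surviving in unallocated space is what file carving recovers. The script below is an added example (not code posted in this thread) that walks a raw dd-style image, finds OLE2 headers (the container format behind legacy .doc/.ppt/.xls) and uses the file's own FAT to work out how long it is, so the carved copy ends where the document did rather than at an arbitrary size cap. The image it runs on is constructed in memory; the header offsets are from the OLE2 specification, and the 109-entry limit means documents larger than about 7 MiB come back truncated.

```python
"""Carve deleted OLE2 documents (legacy .doc/.ppt/.xls) out of a raw disk image.

Added example for this thread, not code posted by anyone in it. It assumes a
raw dd-style image (or an mmap of one) and uses only the OLE2 header layout;
the image handed to main() is constructed in memory so everything runs offline.
"""
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT = 0xFFFFFFFF   # FAT entry for an unused sector
FATSECT = 0xFFFFFFFD    # FAT entry marking a sector that holds the FAT itself
ENDOFCHAIN = 0xFFFFFFFE
HEADER_LEN = 512
MAX_DIFAT = 109         # FAT sector numbers stored inside the header


def ole2_length(blob):
    """Byte length of the OLE2 file starting at blob[0], or 0 if it does not parse.

    The header stores the sector-size shift at 0x1E (9 -> 512 B, 12 -> 4 KiB),
    the FAT sector count at 0x2C and the first 109 FAT sector numbers at 0x4C.
    Sector k starts at byte (k + 1) * sector_size.  Every FAT entry that is
    not FREESECT marks a sector in use, so the file ends right after the
    highest such sector.  Files needing more than 109 FAT sectors (about
    7 MiB at 512-byte sectors) continue in a DIFAT chain, which is ignored
    here, so very large documents come back truncated.
    """
    if len(blob) < HEADER_LEN or not blob.startswith(OLE2_MAGIC):
        return 0
    shift = struct.unpack_from("<H", blob, 0x1E)[0]
    if shift not in (9, 12):
        return 0
    sector = 1 << shift
    per_fat = sector // 4
    fat_count = struct.unpack_from("<I", blob, 0x2C)[0]
    fat_ids = struct.unpack_from("<109I", blob, 0x4C)[:min(fat_count, MAX_DIFAT)]
    highest = -1
    for n, fat_id in enumerate(fat_ids):
        off = (fat_id + 1) * sector
        if fat_id >= FATSECT or off + sector > len(blob):
            break
        for i, entry in enumerate(struct.unpack_from("<%dI" % per_fat, blob, off)):
            if entry != FREESECT:
                highest = n * per_fat + i
    return (highest + 2) * sector if highest >= 0 else 0


def carve_ole2(image, window=16 << 20):
    """Return [(offset, bytes)] for every OLE2 file whose header is found in image.

    Only sector-aligned (512-byte) offsets are tested, which is where a real
    file system would have placed the header; ole2_length() then rejects
    hits whose FAT does not parse.
    """
    found = []
    pos = image.find(OLE2_MAGIC)
    while pos != -1:
        if pos % 512 == 0:
            length = ole2_length(image[pos:pos + window])
            if length:
                found.append((pos, bytes(image[pos:pos + length])))
        pos = image.find(OLE2_MAGIC, pos + 1)
    return found


def build_sample_image():
    """Constructed test data: 4 KiB of 'unallocated space' holding one deleted
    2 KiB document (header, FAT, directory, one data sector) at offset 1024."""
    sector = 512
    header = bytearray(sector)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 0x1C, 0xFFFE)      # little-endian byte order mark
    struct.pack_into("<H", header, 0x1E, 9)           # 512-byte sectors
    struct.pack_into("<I", header, 0x2C, 1)           # one FAT sector
    struct.pack_into("<I", header, 0x30, 1)           # directory starts at sector 1
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))  # FAT is sector 0
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (sector // 4 - 3)
    fat_sector = struct.pack("<%dI" % (sector // 4), *fat)
    directory = bytes(sector)                                   # empty directory sector
    stream = b"Quarterly figures, do not circulate.".ljust(sector, b"\0")
    document = bytes(header) + fat_sector + directory + stream  # exactly 2048 bytes
    filler = bytes((i * 131 + 7) & 0xFF for i in range(sector))
    return filler * 2 + document + filler * 2


if __name__ == "__main__":
    for offset, data in carve_ole2(build_sample_image()):
        print("OLE2 file at offset %d, %d bytes" % (offset, len(data)))
        with open("carved_%08x.doc" % offset, "wb") as fh:
            fh.write(data)
```

On a real case you would `mmap` the image taken from the offline machine and pass that object in; `carve_ole2` only needs `find` and slicing. Work on a copy of the image, never the original disk, and carve before any cleaning tool gets a chance to overwrite the freed sectors.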

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Tue Feb 17, 2009 9:45 am

Re: viruses

this kind of thing scares the hell out of me...  it's no longer just a matter of wiping the virus off or reinstalling. 

but I've always been calmed down when I think that all that needs to happen is for law enforcement to follow the money.  not sure how this would work internationally though.....

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Feb 18, 2009 3:27 am

Re: viruses

Yup, these are some scary developments. However, if you follow best practice and back up (I know, there's an elephant in the room...) then you can go back, wipe the machine, restore a backup (old enough not to be hijacked) and carry on.

User gets back online with minimal fuss and loss of work, gives you time to work out infection vector and mitigate (image of machine plus VM should help). With a bit of luck enough people dealing with Ransomware this way means the bad guys stop getting cash and give up on this business model.

Additionally I've seen some ransomware knock-offs that have removed the link between .doc files and Word, along with a pop-up stating 'your money or your files'. Those that know no better have been unable to open files with a double-click and paid up for the 'fix'.

Depending on the value of the data I'd suggest you could:
  • Contact law enforcement to handle the investigation, but I wouldn't hold out much hope of a result unless you work for a large company.
  • Hire a forensic guy/team to assist (or go solo if you've got the skills, just CYA)
  • Write off the data and reformat
  • Write off the loss and pay up (pride and ethics may get in the way here)
  • String up user to server as a warning...

Likely there's nothing above you haven't thought of, don't think any of the above options are 'good'. Ultimately this needs to be a decision that is best for the business as a whole, not a technical one.

All the best with your problem, hope you get sorted.
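Whether you are looking at the knock-off described in the post above (file association broken, content untouched) or real encryption decides which of those options is even on the table, and the rename alone does not tell you. The script below is an added example, not code from this thread: it strips the repeated .NCRYPTED suffixes from the opening post back to the original name, checks whether the first bytes still match the expected file type, and, where they do not, uses the byte entropy of the head of the file to separate near-random ciphertext from a merely damaged header. The magic numbers and the 7.5 bits/byte cutoff are my assumptions, and the folder it scans is constructed in a temp directory.

```python
"""Triage files carrying the .NCRYPTED rename seen in this thread.

Added example, not code from the thread.  It separates the case RoleReversal
describes (file association broken, content untouched) from real encryption:

  intact          header still matches the original type; rename it back and
                  repair the .doc association instead of paying
  encrypted       header gone and the content is near-random
  header damaged  header gone but the content is not random, so a repair of
                  the first bytes may be possible

The '.NCRYPTED' suffix comes from the opening post; the magic numbers and the
entropy threshold are my assumptions.  main() scans a constructed temp folder
so the script runs offline.  Note that a matching header only proves the
first bytes survived, not that the body was left alone.
"""
import math
import random
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX_RE = re.compile(r"(\.ncrypted)+$", re.IGNORECASE)

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {                       # expected leading bytes per original extension
    ".doc": (OLE2,), ".ppt": (OLE2,), ".xls": (OLE2,),
    ".docx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3"),  # ID3 tag or MPEG frame sync
}
ENTROPY_CUTOFF = 7.5            # bits per byte; ciphertext and compressed data sit near 8


def original_name(name):
    """'budget.doc.NCRYPTED.NCRYPTED.ncrypted' -> 'budget.doc'."""
    return SUFFIX_RE.sub("", name)


def shannon_entropy(data):
    """Bits of entropy per byte of data (0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """Return (original_name, verdict) for one file, reading only its first 4 KiB."""
    orig = original_name(path.name)
    magics = MAGIC.get(Path(orig).suffix.lower())
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if magics is None:
        return orig, "unknown type"
    if head.startswith(magics):
        return orig, "intact"
    if shannon_entropy(head) >= ENTROPY_CUTOFF:
        return orig, "encrypted"
    return orig, "header damaged"


def triage(folder):
    """Map every file name under folder to its (original_name, verdict)."""
    return {p.name: classify(p) for p in sorted(Path(folder).rglob("*")) if p.is_file()}


def build_sample_dir():
    """Constructed test files: one truly encrypted, one only renamed, one with
    just the header overwritten, and one renamed mp3."""
    root = Path(tempfile.mkdtemp(prefix="ncrypted_triage_"))
    rng = random.Random(2009)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"Minutes of the board meeting, draft 3. " * 110
    (root / "budget.doc.NCRYPTED.NCRYPTED.ncrypted").write_bytes(noise)
    (root / "memo.doc.NCRYPTED").write_bytes(OLE2 + text)
    (root / "agenda.doc").write_bytes(text)
    (root / "song.mp3.ncrypted").write_bytes(b"ID3\x03\x00" + text)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    try:
        for name, (orig, verdict) in triage(sample).items():
            print("%-42s -> %-12s %s" % (name, orig, verdict))
    finally:
        shutil.rmtree(sample)
```

Run it against a copy of the user's profile, not the live disk. A folder full of "intact" verdicts means the fix is a rename and a repaired file association; a folder full of "encrypted" verdicts means the rename is cosmetic and the only data avenues left are the ones discussed above (backups, carving deleted originals, a vendor decryptor).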

jason

Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Wed Feb 18, 2009 9:36 am

Re: viruses

As for getting the data back, be sure to keep track of the malware before you clean it off of the machine. If you can find the particular nasty that was responsible for encrypting the data in the first place, then you stand a better chance of being able to undo the problem. If you really need the data back, this is the route that I would take.

Ne0

Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Wed Feb 25, 2009 1:48 am

Re: viruses

RoleReversal

Hey, before using your backup, please scan the backup too, as the virus or trojan might have been duplicated in your actual file name format... so it's better to check both while taking the backup and when retrieving the backup... Today's trojans and worms are really smart :P

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Feb 25, 2009 3:50 am

Re: viruses

Hi Ne0,

re-reading my post there is a fair amount that isn't as understandable as I'd have liked.

Checking backups before the restore was what I had meant by 'old enough not to be hijacked'. Should be common practice but I know several people (myself included) who have been caught by the same issue.

Thanks for catching the issue. I definitely wouldn't want someone taking my advice word for word then complaining when they spent hours of work only to still be infected...

RR

Ne0

Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Wed Feb 25, 2009 5:22 am

Re: viruses

RoleReversal
I really agree with you; most of the time those who are supposed to be taking care of others get caught themselves...
There is a saying: "in a world of Information Security, the only final sin is human stupidity...!"
But it's true; even I have been caught by the same issues...
We just need to be alert always and a bit more careful. :)

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Thu Feb 26, 2009 1:01 am

Re: viruses

Finally there is a solution. After I submitted the sample files to Trend Micro, UNISTLVWT16 was detected in the machine and they released pattern file 5.853 for it. Unfortunately the deleted files cannot be recovered.
The virus is termed WORM_RANSOM.AQ by Trend Micro.

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Thu Feb 26, 2009 6:08 am

Re: viruses

Hack_80,

thanks for the update, I haven't seen WORM_RANSOM.AQ around so I'll keep my eye out for it. Can't find much about it online; Google shows a single site in a foreign language (not sure which) and this thread. Do you know if this was a targeted attack at your employer or just something nasty that got you by accident?

Best of luck with the clean-up

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Thu Feb 26, 2009 10:47 pm

Re: viruses

Hi,
Please find the URLs which show some details about the virus:

http://www.viruslist.com/en/viruses/enc ... sid=313444
http://en.wikipedia.org/wiki/Ransomware_(malware)

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Feb 27, 2009 7:59 am

Re: viruses

Thanks for the additional info. That's a long list of file extensions that it encrypts :(

Some of the recommendations for recovering original, non-encrypted versions of the files are interesting and not a possibility I had thought of. Just wonder how long it will be until the BadGuys(tm) start scrubbing the original files rather than just deleting them though...

Ne0

Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Fri Feb 27, 2009 11:02 am

Re: viruses

Bad guys were not always the bad guys; politics and their people make them so for the sake of money, some do it for fun, some for revenge, and some for their own business. This list might grow at any time and might go to any length, but who knows, there might be hidden stuff in the original files too. Whenever there is a positive there will always be a negative to go with it. I just wonder what Conficker might bring now...

tarterp

Newbie

Posts: 7

Joined: Sat Aug 11, 2007 1:58 am

Post Fri Feb 27, 2009 8:07 pm

Re: viruses

What would worry me the most in this situation is that the attacker talked about private information. I would be worried about that: what do they consider private information? What did your client have on his computer that would be more private than, say, login credentials? Does your client hold any private personal records? That is what I would be worried about. Then, unfortunately, it is a lot scarier.
