
"ACCDFISA Protection" variant?


23 replies to this topic

#1 lupinezero

  • Members
  • 5 posts
  • Gender:Male
  • Location:Colbert, OK

Posted 12 March 2012 - 04:07 PM

We ran into this one at work. It appears to be a variant of the ACCDFISA Protection ransomware.
I wasn't able to locate anything via Google, and so was unable to "decrypt" the files (password-protected RARs).
The customer ended up paying these scum.

http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

Has anyone seen this variant before (and know the password by chance)?

Update - e-mail address listed on the infection is down and customer unable to access via phone. We're proceeding with infection removal, but are nowhere with the password to return the customer files to their original state.

Edited by lupinezero, 12 March 2012 - 04:34 PM.




#2 Grinler

    Bleep Bleep!

  • Admin
  • 40,377 posts
  • Gender:Male
  • Location:USA

Posted 12 March 2012 - 07:08 PM

Working on it now.

#3 adamstotalit

  • Members
  • 8 posts

Posted 12 March 2012 - 08:03 PM

New to the forum, but just picked up a customer's server with this exact infection on it an hour ago. Stressed. I noticed that it was not exactly the one that you corrected in the other post. It's the exact one that was posted at the beginning of this thread.

At this point, I can't get into safe mode, I can't get to a dos prompt, and I can't do anything but get to the WARNING screen. It also appears to have changed the admin password.

Please help. They are production down until this is resolved. You guys are awesome.

Edited by adamstotalit, 12 March 2012 - 08:04 PM.


#4 Grinler

    Bleep Bleep!

  • Admin
  • 40,377 posts
  • Gender:Male
  • Location:USA

Posted 12 March 2012 - 08:18 PM

Can you get into safe mode command prompt?

#5 adamstotalit

  • Members
  • 8 posts

Posted 12 March 2012 - 08:29 PM

I cannot. On the F8 screen, I cannot arrow up or down to change the startup option to anything but Start Windows Normally. The other options are visible, but I cannot arrow up or down. It is Win2k8 by the way.

#6 Grinler

    Bleep Bleep!

  • Admin
  • 40,377 posts
  • Gender:Male
  • Location:USA

Posted 12 March 2012 - 10:24 PM

You are going to have to boot up in some sort of recovery mode. Then rename C:\Windows\SysWOW64\svschost.exe to something else. svschost.exe is what is locking your desktop.

#7 adamstotalit

  • Members
  • 8 posts

Posted 13 March 2012 - 08:29 AM

I will try to boot using this: http://www.ubcd4win.com/, and rename that file. Will that fix safe mode? Or will that fix the regular Windows startup? I'm close to rebuilding the server altogether and pulling database backups from Carbonite (thank God for Carbonite).

I just want to make sure that I understand correctly that there isn't currently an actual "fix" for this particular variant. I checked google early this morning again, and we're still the only ones talking about it, unless I don't know what to call it.

#8 lupinezero

  • Topic Starter
  • Members
  • 5 posts
  • Gender:Male
  • Location:Colbert, OK

Posted 13 March 2012 - 09:42 AM

I was looking around inside one of the files using Notepad+ and TinyHex on the UBCD4Win, and found a couple of codes to try out...
I found one "aes987156".

Unfortunately, it didn't decrypt the system, as I'd already removed most of the infection. Did a Google search with that, and came across these two:

http://xylibox.blogspot.com/2012/03/malware-protection.html

http://www.pcrisk.com/removal-guides/6655-remove-malware-protection

So, if you haven't cleaned it up yet, try the unlock codes.
(Depending on the screen showing... check the Xylibox blog.)
76557152140071780302280 or aes987156

Hopefully this may help someone get the password for the RARs too.

Edited by lupinezero, 13 March 2012 - 09:48 AM.


#9 Grinler

    Bleep Bleep!

  • Admin
  • 40,377 posts
  • Gender:Male
  • Location:USA

Posted 13 March 2012 - 10:27 AM

Yes, aes987156 will start the decrypt program but I am pretty sure it will not decrypt the file. It also needs the rar password appended to the aes987156 code. Then it may actually decrypt everything, but I still think you're better off doing it manually. The system unlock code does not work for me when testing either.

#10 Grinler

    Bleep Bleep!

  • Admin
  • 40,377 posts
  • Gender:Male
  • Location:USA

Posted 13 March 2012 - 10:28 AM

> I will try to boot using this: http://www.ubcd4win.com/, and rename that file. Will that fix safe mode? Or will that fix the regular Windows startup? I'm close to rebuilding the server altogether and pulling database backups from Carbonite (thank God for Carbonite).
>
> I just want to make sure that I understand correctly that there isn't currently an actual "fix" for this particular variant. I checked google early this morning again, and we're still the only ones talking about it, unless I don't know what to call it.


Sorry for the delay in getting back to you. The svschost.exe is added as a run entry and will start the system lock screen you see. Renaming that should allow you to bypass it.

#11 lupinezero

  • Topic Starter
  • Members
  • 5 posts
  • Gender:Male
  • Location:Colbert, OK

Posted 13 March 2012 - 10:50 AM

> Yes, aes987156 will start the decrypt program but I am pretty sure it will not decrypt the file. It also needs the rar password appended to the aes987156 code. Then it may actually decrypt everything, but I still think you're better off doing it manually. The system unlock code does not work for me when testing either.


Yeah, I'm hoping someone will come up with the password. This is definitely beyond my current capabilities. ^_^

#12 Mattb7

  • Members
  • 13 posts

Posted 13 March 2012 - 11:08 AM

I got the same thing on a Win 2k3 server yesterday. I was able to get into safe mode by booting to a Mini XP CD and adding to the boot.ini file. Even once in safe mode I wasn't able to do anything. None of the files people were posting about were in this variant of the virus. I am not able to work on it today, but it looks like there are some people online making progress towards removing it.

#13 Grinler

    Bleep Bleep!

  • Admin
  • 40,377 posts
  • Gender:Male
  • Location:USA

Posted 13 March 2012 - 12:20 PM

I posted all I know here:

http://www.bleepingcomputer.com/forums/topic446111.html

Still trying to get more help.

#14 Chavous Camp

  • Members
  • 2 posts

Posted 13 March 2012 - 12:45 PM

One of my customers was just hit. Thankfully, the machine doesn't have anything interesting on it. I am dispatching a technician now and will be working with him to resolve. Other than the key, is there any additional information he could capture on-site that might help the community combat this?

#15 Grinler

    Bleep Bleep!

  • Admin
  • 40,377 posts
  • Gender:Male
  • Location:USA

Posted 13 March 2012 - 12:50 PM

Try the procmon trick and see if you can get some command lines from the infected files that are running. Also if you can let me know the imagepath for the service that would be helpful.
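As an added example (not from the thread and not BleepingComputer's own tooling), here is a PowerShell inventory for the persistence Grinler describes in #10 and asks about in #15: Run entries and service ImagePath values that reference svschost.exe, plus a check for the file in the SysWOW64 location named in #6. The registry paths are standard Windows locations; everything else is my own construction, intended to be run from an elevated prompt on a recovered host.

```powershell
# Added example: locate persistence that references svschost.exe, the
# look-alike name (one letter off from the legitimate svchost.exe) that the
# thread identifies as the process drawing the lock screen.
$suspectName = 'svschost.exe'
$pattern     = [regex]::Escape($suspectName)

# Standard Run keys checked at logon (64-bit, 32-bit redirected, and per-user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Run entries: each value's data is a command line started at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match $pattern) {
            $findings += [pscustomobject]@{
                Source = "Run: $key"; Name = $p.Name; Path = $p.Value
            }
        }
    }
}

# 2. Services: ImagePath is the value Grinler asked for in #15.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match $pattern) {
        $findings += [pscustomobject]@{
            Source = 'Service'; Name = $svc.PSChildName; Path = $img
        }
    }
}

# 3. The on-disk location named in #6 (renaming it is the bypass Grinler describes).
$onDisk = Join-Path $env:windir "SysWOW64\$suspectName"
if (Test-Path $onDisk) {
    $findings += [pscustomobject]@{ Source = 'Disk'; Name = $suspectName; Path = $onDisk }
}

# Empty output means no Run entry, service, or file referenced the name.
$findings | Format-Table -AutoSize
```

Each hit's Path column is the string to record alongside the procmon command lines when reporting back to the thread.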