
New ransomware called Anti-Child Porn Spam Protection or ACCDFISA


259 replies to this topic

#61 JamesChristopher (New Member, Members, 2 posts)

Posted 11 June 2012 - 12:22 PM

This just happened to my server. Unfortunately I do not have a good backup or recovery disk. Is there a way to fix this without a good backup? Any help would be greatly appreciated.

#62 mrficks (New Member, Members, 3 posts)

Posted 11 June 2012 - 01:47 PM

I have just picked up a 2003 SBS server from a client that has this same problem. I have it booted up from a WIN 2003 SBS installation CD to a Recovery prompt and can get to my OS and Data drives. They are indeed hosed up and encrypted. I have removed the files I could find that were listed in the documents that explain the nature of the attack....

c:\Documents and Settings\All Users\Desktop\fvd31234.bat
c:\Documents and Settings\All Users\Desktop\fvd31234.txt
c:\dvsdlk\svchost.exe
c:\ProgramData\rbnedwdels\svchost.exe
c:\ProgramData\sgcvsap\svchost.exe
c:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls
c:\ProgramData\tcvedwdcv\udsjaqsksw.dlls
c:\ProgramData\thcgds\dkpslqhnsoa.dll
c:\ultimatedecrypter\dc.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

but there are several that are not there. I checked for hidden attributes, etc.

Before I try to boot this thing back up, I was wondering what other housekeeping may need to be done.
I renamed the files for the NoSafeMode. Does that mean safe mode will be available now, or is there more I need to do?

#63 Grinler (Bleep Bleep!, Admin, 38,392 posts, Gender: Male, Location: USA)

Posted 11 June 2012 - 02:12 PM

This file may have contained one of the encrypted files' passwords: c:\Documents and Settings\All Users\Desktop\fvd31234.txt

#64 mrficks (New Member, Members, 3 posts)

Posted 11 June 2012 - 02:23 PM

Those are files that I couldn't find on my drives. This system got infected last night at 10:22 pm according to the timestamps on the files. I looked through your document #1 on this as well as the one dated April 12 (update). There are a lot of files I'm not finding. The IP address on the server was changed. I still can't get to my desktop when booting back in normal mode.

#65 Grinler (Bleep Bleep!, Admin, 38,392 posts, Gender: Male, Location: USA)

Posted 11 June 2012 - 03:26 PM

You will need to use some sort of recovery environment to kill the Run entry starting the locker.
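As an added illustration of the advice above (this is not code posted by anyone in this thread): a small Python script that triages the Run-key entries you would export from a recovery environment, for example with `reg query` after loading the offline SOFTWARE hive. The `reg query` output embedded below is constructed for the demo, not captured from an infected server; the rules are derived from the drop locations posted earlier in this thread (copies of svchost.exe under ProgramData and random folders, and a look-alike svschost.exe in system32). Directory allow-list and binary names are assumptions chosen for the demo.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query` output for the HKLM Run key (not captured
# from the server discussed in the thread). The VMware line stands in for a
# legitimate entry; the other two mimic the file names posted in this thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    svchost    REG_SZ    C:\ProgramData\rbnedwdels\svchost.exe
    svschost    REG_SZ    C:\WINDOWS\system32\svschost.exe
"""

# Directories from which an autostart image is normally expected (assumed
# allow-list for the demo; extend it for your own environment).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)
# Names of Windows system binaries that should never start from elsewhere.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe"}
SYSTEM32 = PureWindowsPath(r"c:\windows\system32")


def parse_reg_query(text):
    """Return (value name, type, data) triples from `reg query` output."""
    entries = []
    for line in text.splitlines():
        # Value lines are indented: <name> <2+ spaces> REG_xxx <2+ spaces> <data>
        m = re.match(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).strip()))
    return entries


def image_path(data):
    """Extract the executable path from a Run value (quoted or bare, with or without arguments)."""
    m = re.match(r'^"?([^"]+?\.exe)"?', data, re.IGNORECASE)
    return m.group(1) if m else data


def triage(entries):
    """Return (value name, image path, reasons) for every entry that looks suspicious."""
    findings = []
    for name, _kind, data in entries:
        path = image_path(data)
        lower = path.lower()
        p = PureWindowsPath(lower)
        reasons = []
        if not lower.startswith(TRUSTED_DIRS):
            reasons.append("image outside Windows/Program Files")
        if p.name in SYSTEM_BINARY_NAMES and p.parent != SYSTEM32:
            reasons.append("system binary name launched from a non-system directory")
        if p.name == "svschost.exe":
            reasons.append("look-alike of svchost.exe")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[!] Run value {name!r} -> {path}: {'; '.join(reasons)}")
```

Feed it the output of `reg query` for both the HKLM and the loaded user hive's Run keys; anything it flags is a candidate for deletion from the recovery environment before the next boot.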

#66 JamesChristopher (New Member, Members, 2 posts)

Posted 11 June 2012 - 04:31 PM

I was able to kill the process with winternals.

I got in and removed the files listed. This still leaves the data encrypted, correct? No way to decrypt this as of yet?

The files I found were

c:\emogctuj\svchost
c:\ProgramData\rbnedwdels\svchost.exe
c:\ProgramData\sgcvsap\svchost.exe
c:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls
c:\ProgramData\tcvedwdcv\udsjaqsksw.dlls
c:\ProgramData\thcgds\dkpslqhnsoa.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

Edited by JamesChristopher, 11 June 2012 - 04:35 PM.
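As an added example, not posted by anyone in this thread: a Python sweep of an offline-mounted drive for the ACCDFISA file paths that mrficks and JamesChristopher listed above, plus the `.dlls` double extension that several of those files share. The demo builds a throwaway directory tree with a few planted names (plain text files, constructed for the demo, not malware) so it runs anywhere; from a recovery environment you would point `sweep()` at the mounted drive root instead.

```python
import os
import tempfile
from pathlib import Path

# Drop locations relative to the drive root, as listed in posts #62 and #66
# of this thread. The sweep compares paths case-insensitively.
KNOWN_PATHS = [
    r"Documents and Settings\All Users\Desktop\fvd31234.bat",
    r"Documents and Settings\All Users\Desktop\fvd31234.txt",
    r"dvsdlk\svchost.exe",
    r"emogctuj\svchost",
    r"ProgramData\rbnedwdels\svchost.exe",
    r"ProgramData\sgcvsap\svchost.exe",
    r"ProgramData\tcvedwdcv\ghzsrwhbfg.dlls",
    r"ProgramData\tcvedwdcv\udsjaqsksw.dlls",
    r"ProgramData\thcgds\dkpslqhnsoa.dll",
    r"ultimatedecrypter\dc.exe",
    r"WINDOWS\system32\cfwin32.dll",
    r"WINDOWS\system32\csrss32.dll",
    r"WINDOWS\system32\csrss64.dll",
    r"WINDOWS\system32\default2.sfx",
    r"WINDOWS\system32\NoSafeMode.dll",
    r"WINDOWS\system32\nsf.exe",
    r"WINDOWS\system32\sdelete.dll",
    r"WINDOWS\system32\svschost.exe",
]


def _norm(rel):
    """Normalise a relative path to forward slashes and lower case for comparison."""
    return rel.replace("\\", "/").lower()


def sweep(drive_root):
    """Walk drive_root and return sorted (relative path, reasons) for suspicious files."""
    root = Path(drive_root)
    known = {_norm(p) for p in KNOWN_PATHS}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = _norm((Path(dirpath) / fname).relative_to(root).as_posix())
            reasons = []
            if rel in known:
                reasons.append("known ACCDFISA drop path")
            if rel.endswith(".dlls"):
                reasons.append("'.dlls' extension used by the dropped payload files")
            if reasons:
                hits.append((rel, reasons))
    return sorted(hits)


def build_constructed_drive():
    """Create a throwaway tree with planted file names (plain text, not malware)."""
    root = tempfile.mkdtemp(prefix="accdfisa-sweep-demo-")
    planted = [
        r"Documents and Settings\All Users\Desktop\fvd31234.txt",
        r"ProgramData\tcvedwdcv\udsjaqsksw.dlls",
        r"ProgramData\other\randomname.dlls",   # constructed: not in the list, but has the extension
        r"WINDOWS\system32\NoSafeMode.dll",
        r"WINDOWS\system32\kernel32.dll",       # benign
        r"Users\bob\notes.txt",                 # benign
    ]
    for rel in planted:
        target = Path(root) / Path(rel.replace("\\", "/"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("demo placeholder\n")
    return root


if __name__ == "__main__":
    for rel, reasons in sweep(build_constructed_drive()):
        print(f"[!] {rel}: {'; '.join(reasons)}")
```

The known-path list only catches the names already seen in this thread; the extension rule is what picks up renamed copies under new random folder names, which is why both checks are kept.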


#67 mrficks (New Member, Members, 3 posts)

Posted 11 June 2012 - 08:03 PM

Well, since I did have a good data backup, I threw in the towel. It wasn't worth trying to save the server. I can re-install 2003 SBS quicker than I can troubleshoot and provide CPR. After an untold number of reboots and trying to find the malicious files, time was worth more than valor. It did wipe out my Exchange server, but it's a small office and the users had local .pst files. I'm probably better off in the long run knowing that they have a solid system that won't have bugs crawling around in it. I would like to have the opportunity to meet the numbskull that caused this out on the street somewhere and give him some payback. But life goes on.
I will, however, be turning off any remote desktop connections to any servers that may still have it enabled....and passwords and security will be tightened up.
It just really sucks that someone who could probably make a decent living as a programmer would rather waste their time making other people's lives miserable. But you know what they say....."What comes around goes around" and I truly believe this loser will reap what he sows. It's just a matter of time...

#68 The_Outkast (Forum Regular, Members, 161 posts, Gender: Male, Location: Ft. Wayne, IN)

Posted 12 June 2012 - 09:25 PM

If I understand correctly, you don't need to disable remote desktop to your servers. Just make sure that the access is not on the standard port (3389).

#69 msimindlessmsi (New Member, Members, 3 posts)

Posted 13 June 2012 - 11:53 AM

Can you please take a look at my post here.

I uploaded what I could find on the affected machine.

My server at work was recently attacked by the ACCDFISA infection. I believe it is the latest version, as the files are renamed to .exe.
I know some people on this forum have previously been able to generate the password to unlock the files, so I am desperately looking for some help. All of our QuickBooks accounting files are now locked, and backups were deleted.

I was able to disable the screen locker and included it in the attached rar file. It contains the contents of hcapphdw, jaqmcrxo, and ProgramData folders. I included one of the locked files as well.
Many of the DLL files contain a string of chars. Maybe they can help in decrypting.

My C: serial number is 8CB9-BD44
D: 2415-4130

Please see the attached file if you can offer any assistance.

WARNING!! This file includes the svchost.exe that executes the screen locker. I can confirm it gets detected as Trojan:Win32/Ransom.HU by Microsoft Security Essentials.
Only download this file if you know what you are doing. If I need to upload to a different site please let me know.

Edited by Grinler, 13 June 2012 - 12:02 PM.
Removed malware link


#70 WangXiuying (New Member, Members, 4 posts)

Posted 13 June 2012 - 01:40 PM

http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/

Password generation changed again as well. Similar to variant 3, two different passwords are used to encrypt the files on the system. To generate the first password the crypto malware will generate a 50 character long random string. The string is then saved to fvd31234.txt as well as udsjaqsksw.dlls. The random string is then prefixed with a static string to create the first password. As usual the fvd31234.txt file is copied by the attacker to his system and then securely deleted using the fvd31234.bat script. On the next boot the service will securely delete “udsjaqsksw.dlls” as well if still present and fall back to a second password generation algorithm. The second algorithm will calculate the second password based on the boot drive’s volume id, similar to variant 2. While it is possible to generate the second password with ease, it is almost impossible to recover the first password due to the random nature and secure deletion.

So I think there is no way to unlock the files.

#71 rotor123 (Forum Addict, Moderator, 5,238 posts, Gender: Male, Location: New Jersey)

Posted 14 June 2012 - 01:01 PM

I wonder if this has any relation to this subject and how it is happening.

http://nakedsecurity.sophos.com/2012/06/13/patch-tuesday-june-2012-critical-updates-for-ie-rdp-net-flash-and-java/

The critical ones really are critical this time around. The first, MS12-036, reminds me of MS12-020 back in March which we feared would turn into an RDP worm. Fortunately it only resulted in denial of service, but MS12-036 may be the one we feared the last go around.

Microsoft have assigned this vulnerability an exploitability index of one, suggesting that it is possible to use it to get remote code execution reliably. Hopefully all of you have blocked internet access to RDP enabled servers in response to MS12-020.




#72 The_Outkast (Forum Regular, Members, 161 posts, Gender: Male, Location: Ft. Wayne, IN)

Posted 15 June 2012 - 09:15 AM

^^It sure sounds like it's related.

#73 soserver (New Member, Members, 2 posts)

Posted 15 June 2012 - 03:50 PM

I just tried to email the author so I can pay his ransom but I got an account closed kick back email :*(
Any leads on how I can get in touch with him to pay him?!

#74 Grinler (Bleep Bleep!, Admin, 38,392 posts, Gender: Male, Location: USA)

Posted 15 June 2012 - 04:52 PM

Unfortunately we have no way of giving you info on how to contact the author.

I would also like to say that we know the author is telling people he will give them a discount if they give good feedback here in this thread and elsewhere after paying the ransom. Anyone posting positive feedback for the author is really doing themselves and others a disservice and only encouraging this criminal.

Therefore, if you wish to let others know that you paid the ransom, that's fine, but leave it at that. Any posts that look like you are providing positive feedback, though, will be deleted automatically.

#75 couritech (New Member, Members, 3 posts)

Posted 15 June 2012 - 10:31 PM

> Unfortunately we have no way of giving you info on how to contact the author.
>
> I would also like to say that we know the author is telling people he will give them a discount if they give good feedback here in this thread and elsewhere after paying the ransom. Anyone posting positive feedback for the author is really doing themselves and others a disservice and only encouraging this criminal.
>
> Therefore, if you wish to let others know that you paid the ransom, that's fine, but leave it at that. Any posts that look like you are providing positive feedback, though, will be deleted automatically.


The author is using a lot of free and simple tools strung together; for this anyone could be the criminal, it takes no mastermind or stretch of imagination to add 2 and 2 together. While he's OK at hacking for some low-level script kiddie, he's nothing like the writers of Stuxnet; his wavering on ransom, and he forgets the one thing, that any people will go to any extreme to get him even after he is paid by them. His back will always be looking over for him, it will never be a simple walk into the next village, and his head holds a sticker price just as any other common criminal who attacks others without "real cause". I've seen nothing impressive; it's parlor tricks, script kiddie tools and only a mindless maggot who thinks he is better than the FBI at getting what he's wanting for, and his time is coming to an end soon, so he should enjoy what little bit of life he has left and what little money has been given him; it is the last gift he shall be receiving.



