
Cryptolocker Hijack program



#511 DanaRod

DanaRod

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Las Vegas, Nv
  • Local time:08:58 AM

Posted 04 October 2013 - 03:27 PM

FYI

I am going to try the suggestion

According to user Kenoindallas, he did pretty much what I am suggesting and seemed like it worked...whether or not you think it will work, I am simply looking for a method by which I can recover the old registry file/list. I see where you're coming from but Kenoindallas's account leaves me with some hope.

I am running Windows 7.

You can use ShadowExplorer to pick a previous restore point

Within that restore point, browse to the user's registry hive (C:\Users\[username]\NTUSER.DAT)

Export NTUSER.DAT to a temp location

Open regedit and Load Hive underneath HKEY_USERS > choose your NTUSER.DAT file

Now you can navigate to HKEY_USERS\[Temp_Hive_Name]\Software\CryptoLocker\Files

I haven't tested this, but it seems like it should work. You could probably even export the CryptoLocker key and import it into HKCU and run ListCrilock.exe to produce your list.

Maybe someone can confirm this - I don't have anything to test with at this point.

So I have a second infected machine quarantined. I am going to export the regkey - Import it and try running the ListCrilock. I should know in the next 20 minutes or so if this works.

I'll post my results here shortly.




#512 AskTech

AskTech

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 04 October 2013 - 09:27 PM

From what I can cull from all of this is that the malware was installed via an executable disguised as a pdf, as well as the software to retrieve the payment and the decryption key which could be remotely activated by the hackers.

My question is whether or not there was also a security breach - i.e., did the hackers gain access to the data?

Thank you for your assistance.



#513 DanaRod

DanaRod

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Las Vegas, Nv
  • Local time:08:58 AM

Posted 04 October 2013 - 10:05 PM


Ok Sorry for the delay took longer than I thought...

The pc I had quarantined.. I used the kaspersky rescue disk to remove the infection itself. Then I used the reg editor on the rescue disk... ( Gave me access to all of the profiles) I found the reg entry and exported to the jump drive I booted from. Removed the infection etc..

Copied the reg key to my computer - It was 9.3 megs!!!! I was confused... Renamed the regkey to a txt file... below is an excerpt of what I found in the reg key:

*************************************
"F:?wfx32?WSGRIDDB?10GRIDS.DBF"=dword:0bcdbb41
"F:?wfx32?WSGRIDDB?11GRIDS.DBF"=dword:0bcdbbdd
"F:?wfx32?WSGRIDDB?12GRIDS.DBF"=dword:0bcdbc98
"F:?WFXDB35.DBF"=dword:0bcdbd53
"G:?00 EMAILS & LABELS?00 Email - Payroll Reminder.docx"=dword:0bcdbfc3
"G:?00 EMAILS & LABELS?01 Email - PAYROLL CHARGES.doc"=dword:0bcdc07e
"G:?00 EMAILS & LABELS?3rd Qtr Filing Labels 1 of 2.docx"=dword:0bcdc159
"G:?00 EMAILS & LABELS?3rd Qtr Filing Labels 2 of 2.docx"=dword:0bcdc223
"G:?00 EMAILS & LABELS?Cert. Mail Labels.doc"=dword:0bcdc30d
"G:?00 EMAILS & LABELS?Certified Mail Labels.docx"=dword:0bcdc417
"G:?00 EMAILS & LABELS?Email - PAYROLL REPORTS DOWNLOAD.doc"=dword:0bcdc4f1
"G:?00 EMAILS & LABELS?Email - Quarterly Reports Reminder.docx"=dword:0bcdc5db
***************************************

It's a list of the locations and files that were encrypted!! Freakin Christmas....

Thought I would share my findings, in case someone is in the same situation I was in...
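The registry excerpt above and the Load Hive procedure quoted in post #511 both end at the same artifact: a list of encrypted paths stored as value names under Software\CryptoLocker\Files. The script below is an added example (my code, not ListCrilock and not anything posted in this thread) that parses a .reg export of that key, whether taken from the live HKCU or from an NTUSER.DAT loaded under HKEY_USERS with a temporary name, and turns it into a file list with a per-drive and per-extension summary so you know which shares and document types to restore from backup or ShadowExplorer. The sample .reg text is constructed, modelled on the excerpt in the post; treating `?` in the value names as the path separator is an assumption based on how the paths appear in the post, and the meaning of the DWORD value is not stated in the thread, so the code only carries it along.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample .reg export, modelled on the excerpt in the post above
# (not real data). The hive was loaded under HKEY_USERS\TempHive as in the
# Load Hive procedure, so the key path does not start with HKEY_CURRENT_USER.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\TempHive\Software\CryptoLocker]
"VersionInfo"=hex:01,00

[HKEY_USERS\TempHive\Software\CryptoLocker\Files]
"F:?wfx32?WSGRIDDB?10GRIDS.DBF"=dword:0bcdbb41
"F:?WFXDB35.DBF"=dword:0bcdbd53
"G:?00 EMAILS & LABELS?00 Email - Payroll Reminder.docx"=dword:0bcdbfc3
"C:\\Users\\Public\\Documents\\budget.xlsx"=dword:0bcdc07e
'''

# One value line: "<name>"=dword:<8 hex digits>. .reg exports escape a literal
# backslash in a name as \\ and a quote as \", so the name pattern allows both.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})\s*$')


def unescape_reg_name(name):
    # Undo .reg escaping: a backslash followed by any char stands for that char.
    return re.sub(r'\\(.)', r'\1', name)


def parse_cryptolocker_files(reg_text, key_suffix=r'\software\cryptolocker\files'):
    """Return [(windows_path, dword_value)] for every entry of the Files key.

    Matching on the key suffix (case-insensitive) means the same parser works
    for an export from the live HKCU and for a hive loaded under a temp name.
    """
    entries = []
    in_files_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_files_key = line[1:-1].lower().endswith(key_suffix)
            continue
        if not in_files_key:
            continue
        m = VALUE_RE.match(line)
        if m is None:
            continue  # blank lines, hex blobs, other value types: not a file entry
        # Assumption: '?' in the value name stands for the path separator, as in
        # the post's excerpt; real backslashes arrive escaped as '\\'.
        path = unescape_reg_name(m.group(1)).replace('?', '\\')
        entries.append((path, int(m.group(2), 16)))
    return entries


def load_reg_file(path):
    # regedit writes .reg exports as UTF-16LE with a BOM; older tools wrote ANSI.
    with open(path, 'rb') as f:
        data = f.read()
    if data.startswith(b'\xff\xfe'):
        return data.decode('utf-16')
    return data.decode('cp1252', errors='replace')


def summarize(entries):
    """Count encrypted files per drive letter and per file extension."""
    by_drive = Counter()
    by_ext = Counter()
    for path, _ in entries:
        p = PureWindowsPath(path)
        by_drive[p.drive.rstrip(':') or '?'] += 1
        by_ext[p.suffix.lower() or '(none)'] += 1
    return by_drive, by_ext


def format_list(entries):
    """One line per encrypted file, in the order the key lists them."""
    return [f'{value:08x}  {path}' for path, value in entries]


if __name__ == '__main__':
    import sys
    # Usage: python crilock_list.py exported_key.reg   (no argument: the sample)
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    files = parse_cryptolocker_files(text)
    print('\n'.join(format_list(files)))
    drives, exts = summarize(files)
    print(f'\n{len(files)} encrypted files; by drive: {dict(drives)}; '
          f'by extension: {dict(exts)}')
```

The per-drive count is the useful part for the situation described in the thread: it tells you at once whether the mapped shares (F: and G: in the post) were hit, which is where a server-side backup or a previous-version snapshot, rather than the workstation's restore point, is the recovery path.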

#514 DanaRod

DanaRod

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Las Vegas, Nv
  • Local time:08:58 AM

Posted 04 October 2013 - 10:27 PM

Oh yeah and system restore saved the user from losing her local files... And now she knows that she should be saving her important data on her share so that we can back it up. :grinner:  :grinner:



#515 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,259 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:58 AM

Posted 04 October 2013 - 10:42 PM

Btw, if anyone has a recent email with this infection attached, please submit it to http://www.bleepingcomputer.com/submit-malware.php?channel=161

#516 Kilroy99

Kilroy99

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:58 AM

Posted 05 October 2013 - 07:55 AM

When does this virus popup asking you to pay? I am on the infected computer and it boots normally, although I know it's infected with the cryptolocker program.



#517 Kilroy99

Kilroy99

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:58 AM

Posted 05 October 2013 - 08:07 AM

Never mind. As soon as I disconnected the network share it came up.



#518 MMMM2424

MMMM2424

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:58 AM

Posted 05 October 2013 - 11:15 AM

Please forgive me for not reading all the posts in this thread. I use Sandboxie, and I feel this type of program would totally prevent this type of attack.

My days of relying on an AV for protection are long gone. Most of my internet based programs are forced to run sandboxed, and certain privileges are given to certain programs in different boxes.

Any encryption malware, firstly would almost certainly fail, and if it had succeeded, would be reversed on deletion of the sandbox. I love Sandboxie :love4u:



#519 Brian of Nazareth

Brian of Nazareth

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 06 October 2013 - 03:31 PM

THANK YOU!! Based on what I learned by reading the entire thread - I can report: Good guys 1, Bad guys 0.  :nono:

Email:
    sent to: info@.......com
    from: USPS Express Services [[email protected]]
    Subject: USPS - Missed package delivery
    Attachments: USPS_Label_317714708011.zip (13KB)

There are syntax errors in the body of the email that should have alerted the person that it was not from the USPS...

The Fix: Start in "Safe Mode", disable the RUN key for the virus (I use CCleaner). Reboot, Install & Run ShadowExplorer, copy off relevant documents etc from a recent restore point. Wipe the Hard Drive & Re-Install (Vista Home Premium). Trend Micro Titanium Internet Security Fail

And now, on every Windows machine I work on I will edit the Group Policy to disallow executables from running from the App Data folder per instructions from post#493

Again, Thank you guys for your contributions.


Edited by Brian of Nazareth, 06 October 2013 - 07:50 PM.


#520 Netghost56

Netghost56

  • Members
  • 854 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:10:58 AM

Posted 07 October 2013 - 08:23 AM

What OSes allow changes to Group Policy?? I know that you can't in XP Home, unless you have an app like gpedit.



#521 Ian Dubbelboer

Ian Dubbelboer

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 07 October 2013 - 09:08 AM

I submitted the latest attachment I confirmed caused an infection of Cryptolocker



#522 Kilroy99

Kilroy99

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:58 AM

Posted 07 October 2013 - 09:17 AM

Does anyone know an effective way to get the cryptolocker screen to come up? I have the red BMP on the desktop but no program launching. I'm afraid Symantec may have shut it down, but removing the items from Quarantine isn't getting the program to launch.

any sure-fire ways to get that to happen?



#523 Kilroy99

Kilroy99

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:58 AM

Posted 07 October 2013 - 10:31 AM

So. On Saturday the virus was actively encrypting files when I got to the PC. I disconnected the share which immediately kicked on the message about payment. I went to Walgreens, got the card, and paid. It told me to wait for manual verification, blah blah blah. I left join.me running on the machine so I could monitor its progress remotely. Couple hours later files start decrypting. Then, due I think in part to a component of Symantec that I had stopped but not disabled kicking in. Funny it wasn't able to prevent this but it is trying to prevent me from fixing it. Due to the security of the building I could not get back in until this morning. The REG keys are still there with the list of files but I can't get the virus to kick back on. I'm even willing to PAY AGAIN if I have to (and I'm thinking I will). But the damn thing won't re-infect. Every time I try to save a file that's infected with the virus on the computer it disappears. (I've completely disabled Symantec this time and renamed the file folders in case something tries to start up again!) Am I doing it wrong, do I just need to wait, or does cryptolocker think I'm done with it and made my PC immune to its own virus???
 
This is my last shot at getting some of these files back and while I admit to being a bad IT person and I'm not smarter than a 5th grader, I don't know what to do.

#524 callmescottay

callmescottay

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Reno, NV
  • Local time:08:58 AM

Posted 07 October 2013 - 12:05 PM

This is going to sound bizarre, but could someone tell me where I can download this virus?

I own an IT company and recently came across this virus on a new client's computer (one that has not hired me to maintain computers/backups). It has struck the fear of God into me because I am responsible for maintaining the backups of many companies, and this virus has made me question whether or not my practices are capable of standing up to this threat. The client that contracted this had a local external HDD backup, which got encrypted along with all of their other files, so they were completely hosed. My backup plan goes a lot deeper than that, of course, but I just want to do some testing on my bench machines to see how this virus operates, what it targets and how I can be sure that my clients are protected.

Feel free to send me a PM if you can help me intentionally infect my computer! Well, my bench computer anyway =P



#525 Netghost56

Netghost56

  • Members
  • 854 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:10:58 AM

Posted 07 October 2013 - 12:33 PM

That's a tall order, when you can't verify your credentials....how do we know you're not just planning on wreaking havoc on someone?





