ACCDFISA variation


This topic is locked
3 replies to this topic

#1 spiraldreams
  • Members, 1 post

Posted 30 May 2012 - 01:30 PM

Greetings all. Long time reader, just registered because I'm actually stumped on this one.

Recently we had one of our users get a virus that runs a file encryption program on the PC and renames every file to a .crypt file extension. That led me to this site:

http://www.bleepingcomputer.com/forums/topic446111.html/page__st__120

I would have continued posting under that topic but it's closed and I can't reply. At any rate, it seems that the perpetrators of that virus have modified it to some extent and I've got a Windows 7 workstation infected with it. I've attached a screenshot of what the program looks like when it runs. We've successfully removed the virus/malware portion of the program; now we need to decrypt the data and that is where I'm running into difficulties. I found another article similar to the above link here:

http://forums.majorgeeks.com/showthread.php?t=258757&page=2

At any rate, I'm bringing the machine in so I can VM it and play with it while I reload the machine. I'm afraid the data on it is gone for now.

So as I mentioned, and I'm sorry for bouncing everywhere, it encrypts the file as filename.fileextension.crypt, i.e. filename.docx.crypt. I've found some references to that file extension here:
http://www.download.hr/software-folder-crypt.html

I'm also finding recurring information about a program called whatsapp as well as an open-sourced Linux that was recently resurrected from over a year ago in February of this year.

http://www.360haven.com/forums/archive/index.php/t-1137.html

As an FYI, the name of the program that the virus launches was setsyslog32.exe.

Any help would be appreciated.



#2 CatByte
  • bleepin' tiger, Malware Response Team

Posted 02 June 2012 - 10:07 PM

Hello,

One of our expert Security Developers, Fabian Wosar has written a decrypter specifically to decrypt the files encrypted with the ransomware ACCDFISA variant.

The ransomware uses the email address decryptmeplease@yahoo.com

Please download the decrypter from here:

http://tmp.emsisoft.com/fw/decrypt_SetSysLog32.zip

Save it to your desktop, unzip the file and run it.

Here are the instructions from the Developer:

The tool can be run in two ways:

If you just start it, it will automatically search for and decrypt files on your Windows installation drive.
If you start it with a parameter, you can search for and decrypt files in custom folders and drives (for example "decrypt.exe D:\" will decrypt all files on drive D:).


The tool will determine the decryption key automatically and perform validations that the files were decrypted correctly. Just in case, though, it will NOT delete the original .crypt files. If you see one of the following error messages, it means you most likely got hit by a new variant of the malware:

Could not find decryption key. Maybe a new variant?

An error occurred when trying to decrypt file <source file> to <destination file>!

The following error message, though, is normal and just indicates that the decrypted file could not be created as it is currently in use (like some LOG files, for example):

Exception occurred while processing file <source file>:
Class: EFCreateError - Exception: Cannot create file "<destination file>".
The process cannot access the file because it is being used by another process



Please let me know how it goes so I can pass the progress along to the Developer.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
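One thing an admin wants after running a decrypter like the one above is a quick way to tell how far it got: under the naming scheme CatByte describes, every `name.ext.crypt` should gain a decrypted `name.ext` beside it, and the `.crypt` original is left in place. The script below is an added Python example, not the Emsisoft tool and not code from this thread; it walks a folder, pairs each `.crypt` file with its expected output and reports which are decrypted, which are still pending, and which have a zero-byte output (an assumption of this example, modelled on the in-use LOG file error quoted in the post). The sample file tree it builds is constructed for the demo.

```python
"""Post-decryption triage for ACCDFISA-style ".crypt" renames.

Added example (not the Emsisoft decrypter). Assumes the scheme from the
thread: original.ext -> original.ext.crypt, and the decrypter writes the
plaintext back to original.ext while leaving the .crypt file in place.
"""
from pathlib import Path
import tempfile

CRYPT_SUFFIX = ".crypt"


def strip_crypt(name: str) -> str:
    """Strip the trailing .crypt: 'report.docx.crypt' -> 'report.docx'."""
    if not name.lower().endswith(CRYPT_SUFFIX):
        raise ValueError(f"not a .crypt file name: {name}")
    return name[: -len(CRYPT_SUFFIX)]


def decrypted_name(path: Path) -> Path:
    """Path the decrypter is expected to produce for a given .crypt file."""
    return path.with_name(strip_crypt(path.name))


def triage(root: Path) -> dict:
    """Classify every .crypt file under root.

    Returns {"decrypted": [...], "pending": [...], "empty_output": [...]}
    with POSIX-style paths relative to root, sorted so results are stable.
    """
    result = {"decrypted": [], "pending": [], "empty_output": []}
    for crypt in sorted(root.rglob("*" + CRYPT_SUFFIX)):
        if not crypt.is_file():
            continue
        plain = decrypted_name(crypt)
        rel = crypt.relative_to(root).as_posix()
        if not plain.exists():
            # no output at all: tool never reached it, or failed (new variant?)
            result["pending"].append(rel)
        elif plain.stat().st_size == 0:
            # assumption: a zero-byte output means the write was interrupted,
            # e.g. the destination was in use when the tool tried to create it
            result["empty_output"].append(rel)
        else:
            result["decrypted"].append(rel)
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not from the thread): a small hit share."""
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.crypt").write_bytes(b"\x00ciphertext")
    (root / "docs" / "report.docx").write_bytes(b"PK\x03\x04 recovered")
    (root / "docs" / "budget.xlsx.crypt").write_bytes(b"\x00ciphertext")
    (root / "logs").mkdir()
    (root / "logs" / "app.log.crypt").write_bytes(b"\x00ciphertext")
    (root / "logs" / "app.log").write_bytes(b"")  # output never written
    (root / "notes.txt").write_bytes(b"untouched plaintext")  # not renamed


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    # real use: triage(Path(r"D:\")) after running the decrypter on D:
    summary = run_demo()
    for state, files in summary.items():
        print(f"{state}: {len(files)}")
        for f in files:
            print("   ", f)
```

Run it as-is to see the three buckets on the constructed tree; for a real machine call `triage()` on the drive or share the decrypter was pointed at. A non-empty "pending" list after a full run is the signal to look for the "Could not find decryption key" message in the tool's output, and "empty_output" entries are the files to retry once whatever holds them open is closed.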


#3 CatByte
  • bleepin' tiger, Malware Response Team

Posted 07 June 2012 - 09:47 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 CatByte
  • bleepin' tiger, Malware Response Team

Posted 11 June 2012 - 09:56 AM

closed

Edited by CatByte, 11 June 2012 - 09:59 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
