
ACCFFISA Variant - Troj/Ransom-HC


5 replies to this topic

#1 ExNavy91


Posted 12 July 2012 - 10:32 AM

I have a customer who has had his files "encrypted" by this trojan. I was able to remove the trojan, but cannot undo the damage to his files. The wording in the "How to Decrypt" HTML file is almost identical to the ACCFFISA Ransomware. I found this ACCFFISA article:

http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

by searching on some keywords in it. By examining one of the files, it does look like it was encrypted with WINRAR V3.x. Also, there was an empty RAR directory left on the hard drive with the creation date the same as the encrypted files. I tried the unencrypt information in the ACCFFISA post, but it did not work. I can upload encrypted and unencrypted versions of some files; he did have a partial backup, but of course his important business files are too out of date to use the backup versions. I'm looking for the decrypt key.

Here is the text that follows each file's name:
filename.xxx(!! to decrypt email id 825678606 to sec777999@gmail.com !!).exe

The file below is the file that appears when you click on any encrypted file. It was the only file in a directory called - "kpugprxo" (Without the quotes)

Edited by m0le, 16 July 2012 - 07:51 PM.
removed file download




#2 m0le

  • Malware Response Team

Posted 16 July 2012 - 07:53 PM

Hello,

If you have cleaned the machine and there's irreversible file damage what is it you would like me to do?

#3 ExNavy91

  • Topic Starter

Posted 17 July 2012 - 08:12 AM

I was hoping that the file damage was not irreversible. According to an article at Emsisoft's site (http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/) there are 4 known variants of this virus. The first two have fixes, the second two do not. This seems to be a different variant of the virus than the ones in the article. I was hoping for some insight on decrypting the files. If it is based on the 4th variant, the files are encrypted by WINRAR, using a 50 character randomly generated string with a static prefix added on to create an encrypted SFX Archive. If I knew the static prefix, and whether the randomly generated string was lower case and numbers only, or a mix of upper, lower, numbers and symbols, I could try a brute force attack on the 3 essential files I need to recover.

#4 m0le

  • Malware Response Team

Posted 17 July 2012 - 02:12 PM

Emsisoft's rep here stated that if the files are encrypted on the new variant then you can't do anything, so we need to check which one your user has.

Do you have the log for the removal? If it shows as SetSysLog32.exe it is an old variant and decryption is possible.

If you have the vsdsrv32.exe version then you have no password saved (permanently) on the system and therefore you can't decrypt it.
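An added triage helper (example code, not from this thread or from BleepingComputer) that ties together the two indicators posted above: it matches the renamed-file pattern ExNavy91 quoted in post #1, checks whether each such file is a PE stub with an embedded RAR archive (what a WinRAR SFX looks like on disk), and maps the dropper names m0le gave in post #4 (SetSysLog32.exe vs vsdsrv32.exe) to the variant hint. The function names are assumptions, and the sample file names and bytes are constructed, not real captures.

```python
import re

# Rename pattern quoted in post #1; id and address are captured rather than hard-coded
# so that other samples of the same family match too.
RANSOM_NAME = re.compile(
    r"^(?P<orig>.+?)\(!! to decrypt email id (?P<id>\d+) to (?P<email>[^\s)]+) !!\)\.exe$"
)
RAR_MAGIC = b"Rar!\x1a\x07\x00"  # RAR 1.5-4.x signature; in an SFX it follows the PE stub
# Dropper names from post #4; only the first marks the older, decryptable variant.
VARIANT_MARKERS = {
    "setsyslog32.exe": "old (password recoverable)",
    "vsdsrv32.exe": "new (no stored password)",
}

def parse_ransom_name(name):
    """Return (original_name, id, email) for a renamed file, or None if it does not match."""
    m = RANSOM_NAME.match(name)
    return (m.group("orig"), m.group("id"), m.group("email")) if m else None

def classify_blob(head):
    """'sfx-rar' = PE stub with an embedded RAR archive; otherwise 'rar', 'pe' or 'other'."""
    is_pe, rar_at = head[:2] == b"MZ", head.find(RAR_MAGIC)
    if is_pe and rar_at > 0:
        return "sfx-rar"
    return "rar" if rar_at == 0 else ("pe" if is_pe else "other")

def triage(files):
    """files: mapping file name -> leading bytes; returns [(name, original, id, email, kind)]."""
    hits = []
    for name, head in files.items():
        parsed = parse_ransom_name(name)
        if parsed:
            hits.append((name, *parsed, classify_blob(head)))
    return hits

def variant_from_log(log_text):
    """Map removal-log text to the variant hint from post #4; None if neither name appears."""
    lowered = log_text.lower()
    for marker, verdict in VARIANT_MARKERS.items():
        if marker in lowered:
            return verdict
    return None

# Constructed sample input (not real captures) so the triage runs offline.
SAMPLE = {
    "invoice.doc(!! to decrypt email id 825678606 to sec777999@gmail.com !!).exe":
        b"MZ" + b"\x90" * 40 + RAR_MAGIC + b"\x00" * 8,
    "notes.txt": b"plain text",
    "setup.exe": b"MZ" + b"\x00" * 16,
}
```

For a real folder, build the mapping from os.walk and read only the first MiB of each file, which is enough to get past the WinRAR SFX stub without loading large archives into memory.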

#5 ExNavy91

  • Topic Starter

Posted 17 July 2012 - 03:21 PM

Well, it seems to be the new one. So I guess I'm out of luck. Thanks for your assistance.

#6 m0le

  • Malware Response Team

Posted 17 July 2012 - 08:06 PM

Sorry I couldn't help further.

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.