New UKash Virus - Encrypted Files CR_M0x04


7 replies to this topic

#1 BoroRob

Posted 28 January 2013 - 03:45 PM

This is a new variant of the Ukash virus; other topics can be found on pchelpforum.com here and here.

This new variant apparently encrypts files with a random encryption key per file, so it's impossible to recover lost files. I so hope this is not true! I'm hoping someone @ bleeping can fix this, hence my post.

I am a PC repair guy from the North East of the UK and this virus is becoming more and more frequent, and users are destroyed that their files are lost: CVs, tax returns, the lot... Gone... Not good!

You can spot the encryption if you open a file with a text editor. At the start of the text you can see CR_M0x04i? in all your encrypted files.

I really hope someone can make a tool to fix this.

I have attached 3 different encrypted jpegs here if anyone wants to take a look at the encryption. As far as I'm aware it's only common files that are encrypted: office documents, picture documents etc. Exes seem OK.


Regards,
BoroRob

Edited by BoroRob, 28 January 2013 - 04:51 PM.



#2 dango

Posted 31 January 2013 - 10:53 AM

I'm a PC technician in the South of England and I've just had a PC brought in since it wouldn't boot.

I've spent a little while looking at the files. Luckily for me the PC is an HP/Compaq and had a couple of service packs in the root of drive C:, so I have been able to get an original AND an encrypted file for comparison. It appears that the virus does the following:

Adds a sequence 1044 bytes long to the end of the file (I haven't checked to see whether this is the same for different files).
Overwrites the first 16468 bytes with garbage (or maybe encryption). The first 8 bytes are overwritten with 'CR_M0x04' as described above.

The virus has also put a WARNING_ATTENTION.txt file on the desktop reading:
Warning! Files on your hard drives were encrypted. 
In a case you want get your data unencrypted, you will need to purchase 100 pounds Ukash voucher and send to our e-mail the unique 19 digit number of voucher.
An e-mail must be sent as wtitten below. All letters that did not fit the form will be ignored.
You will recieve an e-mail with an instruction how to decrypt data after we check the Ukash code you have sent.

------mail_form-----------------

to: crimeunit@yandex.com
Subject: decoding of files 802742FC4B43494E3130

ID of your computer: 802742FC4B43494E3130
Ukash code: 

--------------------------------

What's Ukash: www.ukash.com/en-GB/whats-ukash/
Get Ukash: www.ukash.com/en-GB/where-to-get/

If anyone is interested I will happily post the good/bad versions of the "same" files I have here...


Dan

#3 gmbrereton

Posted 31 January 2013 - 07:14 PM

Dan - I have exactly the same issues. No scanner software identified a virus [MS Essentials, Malwarebytes etc], but I have 100s of encrypted files that I cannot use anymore. Have you found any sort of solution yet?

#4 dango

Posted 01 February 2013 - 07:44 AM

Dan - I have exactly the same issues. No scanner software identified a virus [MS Essentials, Malwarebytes etc], but I have 100s of encrypted files that I cannot use anymore. Have you found any sort of solution yet?


Not a solution as such, but many files (like Outlook PSTs) can cope with the small amount of damage and can be repaired. I was able to repair 99.9% of a 5 GB outlook.pst using the scanpst.exe software that ships with Office!

#5 bkeo

Posted 04 February 2013 - 05:22 PM

I'm no technician, so apologies if you guys have already tried this, but I found that selecting each document by itself and restoring it to a previous version saved just about all my stuff. The only problem I am having just now is my restore dates have gone.

#6 Haarbs

Posted 05 February 2013 - 02:25 AM

Most of my files are encrypted by the latest version of the Ukash virus. Initially I tried Kaspersky RannohDecryptor, however it wouldn't work because every encrypted file is exactly 788 bytes larger than the original. The KR software requires both files to be exactly the same size, so adding junk to each file renders it useless. I opened up files in a text editor and also saw the CR_M0x04i at the start of each file.

#7 skullosaurus

Posted 05 February 2013 - 08:14 AM

I too have a computer that's had most of the files encrypted, jpegs, docs etc. Encryption has occurred on every file not in system areas.

My investigation of before and after files confirms Dango's analysis.

The problem here is that everywhere you look for help, it says "Don't pay, it's a scam, just remove the virus with AV tools and Malwarebytes".

Yes, that works, the virus is removed, but you are left with these encrypted files and, without a backup, probably no way of recovering them. That advice is no good.

Fortunately, it's not my computer, but I am going to have to tell the owner that he's an idiot for having out-of-date AV and no backup of his photos.
When will these people learn?

If anyone comes up with a solution please let us know.

#8 sbpetrack

Posted 03 March 2013 - 02:25 PM

I was hit with this version of the Ukash virus in late January, and unfortunately an external hard drive with over a terabyte of personal files (photos, videos, tax returns, the works) was encrypted. From the "Date Modified" fields, it seems that the virus took a bit of time to encrypt such a large number of files before it actually showed itself on my screen. 

I realized a few weeks ago that restoring a previous version of the file works -- when there is a previous version. For whatever reason, a certain number of my files don't seem to have any previous version. 


The bottom line is that I have tens, and probably hundreds, of files in their original and encrypted versions. Like everyone else, the encrypted file is exactly 788 bytes longer than the original file in every case. (In fact, I found this thread in this forum by doing a google search on the string "corrupted file is 788 bytes larger than the original"). 


I just don't have hours right now to spend on this, but occasionally I devote what time I can. (Today's progress, for example, was finding this forum :)). But I can say that the three pairs of files I examined today all had the encrypted file begin with the following 20 bytes (and not 8 bytes as mentioned earlier):

43 52 5F 4D 30 78 30 34 EC 37 00 00 14 03 00 00 00 38 00 00


I'm afraid that my desktop is so cluttered that I didn't ever notice the ransom note until I was directed to it by the post earlier in this forum. In my case, the note reads as follows:


----beginning of ransom note from ukash virus------------------------------------------------------------------

Warning! Files on your hard drives were encrypted. 
In a case you want get your data unencrypted, you will need to purchase 100 pounds Ukash voucher and send to our e-mail the unique 19 digit number of voucher.
An e-mail must be sent as wtitten below. All letters that did not fit the form will be ignored.
You will recieve an e-mail with an instruction how to decrypt data after we check the Ukash code you have sent.
 
------mail_form-----------------
 
to: meinny@hotmail.de
Subject: decoding of files 6E7920514C2D5449414F
 
ID of your computer: 6E7920514C2D5449414F
Ukash code: 
 
--------------------------------
 
What's Ukash: www.ukash.com/en-GB/whats-ukash/
Get Ukash: www.ukash.com/en-GB/where-to-get/
 
--------------------------end of ransom note from ukash virus----------------------------
 
This note raises a few questions:
 
1. Is ukash at all a respectable company? Or is it itself owned/operated by the virus creators? I ask because if it is respectable, then it might well be the case that it would be willing to cooperate with a group of virus victims and the authorities to track down the attackers. That is, ukash could create some special vouchers worth $100, victims would send the vouchers to the attackers, the vouchers would be redeemed by the attackers, who would presumably have to learn from their banks that $100 was actually deposited into an account before they released the unencryption key, but, well, I don't want to say more than I need to here. 
 
I am very much a newbie when it comes to these sorts of criminals, but I have to assume that someone involved with Bleeping Computer might be more experienced. I am certainly willing to help catch these people (and I'm willing to get my lost files back too :)). 
 
2. I note that the address in my ransom note is at hotmail.de. I imagine that it is against hotmail.de terms of use for someone to use that account to defraud and steal in this way. So perhaps hotmail.de could also help in the tracking and tracing of special-purpose ukash vouchers created for these people. 
 
Please contact me if I can help (or be helped) by someone competent to pursue this line of thought. 
 
In the meantime, system restore is being my friend. 
 
thank you
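The file layout that dango (#2) and sbpetrack (#8) worked out by hand, turned into a small triage script: it recognises the CR_M0x04 marker, decodes the 20 posted header bytes, and measures how much of a known-good/encrypted pair was overwritten and how much was appended. This is an added example, not code from this thread or from any tool the posters used; the marker, the header bytes and the 788-byte growth come from the posts, while the split of the header into three little-endian uint32 fields (and any meaning for them) is an assumption, and the sample pair is constructed.

```python
import struct

MARKER = b"CR_M0x04"   # 8-byte prefix reported in posts #1 and #2
HEADER_LEN = 20        # post #8 saw 20 leading bytes, not 8
# Constructed from the 20 bytes posted in #8; not a live sample.
SAMPLE_HEADER = bytes.fromhex(
    "43 52 5F 4D 30 78 30 34 EC 37 00 00 14 03 00 00 00 38 00 00")

def is_marked(data: bytes) -> bool:
    return data[:len(MARKER)] == MARKER

def parse_header(data: bytes) -> dict:
    # Marker plus three little-endian uint32s. The byte layout is from the thread;
    # what the fields mean is not established there (field2 decodes to 788).
    if not is_marked(data) or len(data) < HEADER_LEN:
        raise ValueError("not a CR_M0x04-marked file")
    f1, f2, f3 = struct.unpack_from("<III", data, 8)
    return {"marker": data[:8], "field1": f1, "field2": f2, "field3": f3}

def damaged_prefix_length(original: bytes, encrypted: bytes) -> int:
    # Length of the leading region that no longer matches the original (post #2
    # measured 16468). Scans backwards in 4 KiB windows, then byte by byte.
    n = min(len(original), len(encrypted))
    i, step = n, 4096
    while i > 0:
        lo = max(0, i - step)
        if encrypted[lo:i] != original[lo:i]:
            while i > lo and encrypted[i - 1] == original[i - 1]:
                i -= 1
            return i
        i = lo
    return 0

def analyze_pair(original: bytes, encrypted: bytes) -> dict:
    # The comparison dango and sbpetrack did by hand, for one known-good/encrypted pair.
    return {"marked": is_marked(encrypted),
            "header": parse_header(encrypted) if is_marked(encrypted) else None,
            "overwritten": damaged_prefix_length(original, encrypted),
            "appended": len(encrypted) - len(original)}   # 788 in posts #6 and #8

def constructed_pair() -> tuple:
    # Synthetic pair with the layout described in the thread (not real victim data).
    original = bytes(range(256)) * 80                                   # 20480 bytes
    junk = bytes((i * 7 + 3) & 0xFF for i in range(HEADER_LEN, 16468))  # stand-in ciphertext
    return original, SAMPLE_HEADER + junk + original[16468:] + b"\x00" * 788
```

Because the untouched tail of each file is kept intact, the "overwritten" figure tells you whether a format-specific repair (like the scanpst.exe route in #4) has any chance before you try it.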
