
New FBI Moneypak version


7 replies to this topic

#1 cfourkays (Members, 29 posts, Jensen Beach FL)

Posted 14 August 2013 - 12:25 PM

My customer running XP called with another case of FBI Moneypak. At the customer's premises I found (to me anyway) a new version of Moneypak I hadn't seen before, this one from the FBI and Homeland Security accusing the owner of kiddie porn, and on the static warning page there were 4 images of what I assume is the porn right across the center of the page.

 

I couldn't remove it using System Restore and a Registry Restore booting from a Spotmau or a UBCD4Win disk.

 

Found I could boot to Command Prompt and access Windows Explorer.

Tried our usual mixed bag of tricks; none worked until I used Emsisoft (full scan), followed by Combofix.

 

Only problem after the scan was that all Norton programs would not open or run.

Had to reinstall.

 

I have the log from Combofix; let me know if you want a copy. Lost the one from Emsisoft.

 

Pete




#2 Grinler (Lawrence Abrams, Admin, 43,640 posts, USA)

Posted 15 August 2013 - 03:39 PM

Were any files encrypted? The new DirtyDecrypt screens have these porn images you describe. Haven't seen it yet in Reveton or Urausy, but will check in a bit.

#3 Grinler (Lawrence Abrams, Admin, 43,640 posts, USA)

Posted 15 August 2013 - 04:45 PM

Just checked the latest samples I have and can't find the one you are referring to. Is this the one you saw?

[screenshot: obscured.jpg]

#4 cfourkays (Topic Starter, Members, 29 posts, Jensen Beach FL)

Posted 15 August 2013 - 05:29 PM

Close.

The 4 images were further down and more centered. Customer agrees.

 

Had I known I would have saved more.

 

A bit from my Combofix log:

_________________________________________________________________________________________________________________________________________________________

 

Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Dirty
c:\documents and settings\Administrator\Application Data\Dirty\alertwall.jpg
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\NetworkService\Application Data\searchqutoolbar
c:\documents and settings\NetworkService\Application Data\searchqutoolbar\dtx.ini
c:\documents and settings\NetworkService\Application Data\searchqutoolbar\preferences.dat
c:\program files\Brand Affinity Technologies
c:\program files\DefaultTab
c:\program files\DefaultTab\DefaultTab.crx
c:\program files\DefaultTab\DefaultTabSearch.exe
c:\program files\DefaultTab\uid
c:\program files\DefaultTab\uninstaller.exe
.



#5 Grinler (Lawrence Abrams, Admin, 43,640 posts, USA)

Posted 15 August 2013 - 07:49 PM

Yeah, that's DirtyDecrypt. You may find that the user's data is encrypted now.

These are the related files:

c:\documents and settings\Administrator\Application Data\Dirty
c:\documents and settings\Administrator\Application Data\Dirty\alertwall.jpg
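A small triage helper for the ComboFix log section quoted above, added here as an example; it is not code from the thread or from ComboFix. It parses the "Other Deletions" listing and groups the DirtyDecrypt indicator paths Grinler named by the user profile they sit under, so a technician can see which accounts carried the infection and which deletions were unrelated toolbar/adware leftovers. The regular expression and the notion of an "indicator table" are assumptions built only from the two paths named in the thread; the embedded log text is the excerpt posted above.

```python
"""Triage helper for a ComboFix "Other Deletions" log section.

Added example, not part of the original thread or of ComboFix. It parses the
deleted-path listing quoted in the thread and flags the DirtyDecrypt indicator
paths named there (the "Dirty" folder and alertwall.jpg under a profile's
Application Data). The indicator pattern is an assumption derived only from
those two paths; the sample log is the excerpt posted in the thread.
"""
import re
from collections import defaultdict

# Sample input: the ComboFix excerpt quoted in the thread.
SAMPLE_LOG = r"""
Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Dirty
c:\documents and settings\Administrator\Application Data\Dirty\alertwall.jpg
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\NetworkService\Application Data\searchqutoolbar
c:\documents and settings\NetworkService\Application Data\searchqutoolbar\dtx.ini
c:\documents and settings\NetworkService\Application Data\searchqutoolbar\preferences.dat
c:\program files\Brand Affinity Technologies
c:\program files\DefaultTab
c:\program files\DefaultTab\DefaultTab.crx
c:\program files\DefaultTab\DefaultTabSearch.exe
c:\program files\DefaultTab\uid
c:\program files\DefaultTab\uninstaller.exe
.
"""

# Assumed indicator: a "Dirty" folder directly under any XP profile's
# Application Data, optionally with alertwall.jpg inside it. The named group
# captures the profile directory so hits can be grouped per user account.
DIRTY_RE = re.compile(
    r"^(?P<profile>c:\\documents and settings\\[^\\]+)"
    r"\\application data\\dirty(?:\\alertwall\.jpg)?$",
    re.IGNORECASE,
)


def parse_other_deletions(log_text):
    """Return the list of paths in the 'Other Deletions' section.

    ComboFix pads the start of the section with lone '.' lines and closes it
    with another lone '.', so a '.' line is skipped until at least one path
    has been seen and treated as the terminator afterwards.
    """
    paths = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Other Deletions"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":
            if paths:
                break       # trailing '.' closes the section
            continue        # leading '.' padding
        if line:
            paths.append(line)
    return paths


def find_dirtydecrypt_indicators(paths):
    """Group paths matching the DirtyDecrypt indicator by profile directory."""
    hits = defaultdict(list)
    for path in paths:
        match = DIRTY_RE.match(path)
        if match:
            hits[match.group("profile")].append(path)
    return dict(hits)


def triage(log_text):
    """Split the deletions into DirtyDecrypt indicators and everything else."""
    paths = parse_other_deletions(log_text)
    hits = find_dirtydecrypt_indicators(paths)
    flagged = {p for group in hits.values() for p in group}
    other = [p for p in paths if p not in flagged]
    return {"total": len(paths), "dirtydecrypt": hits, "other": other}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} deleted paths parsed")
    for profile, group in result["dirtydecrypt"].items():
        print(f"DirtyDecrypt indicators under {profile}:")
        for path in group:
            print("   ", path)
    print(f"{len(result['other'])} other deletions (toolbars, adware, temp)")
```

Run against the excerpt it reports both Dirty paths under the Administrator profile and ten unrelated deletions, which matches Grinler's reading of the log: the DirtyDecrypt pieces were confined to the account the user was browsing from, and the rest was ordinary toolbar debris. Pointing it at a full ComboFix log works the same way because only the section header and the lone "." terminators are relied on.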

#6 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 16 August 2013 - 03:35 AM

Yeah, that's DirtyDecrypt. You may find that the user's data is encrypted now.
These are the related files:
c:\documents and settings\Administrator\Application Data\Dirty
c:\documents and settings\Administrator\Application Data\Dirty\alertwall.jpg


The main reason why "DirtyDecrypt" can do so much damage is that you are surfing the Internet in the "Administrator" account. If infected, it has full administrator rights and can make changes at will.

Activate (turn on) the "Guest" account, and disable all scripting in all the web browsers on the PC. Activate scripting only for trusted web sites. Always surf the Internet in the Guest account for general web surfing.

Internet Explorer: disable all JavaScript and ActiveX, and set your security settings to 'high' or disable scripting completely.
Firefox: install the NoScript and Ghostery add-ons if you want to stop trackers.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#7 peterjwfrench (Members, 84 posts, Warrington, Cheshire)

Posted 16 August 2013 - 08:59 PM

I have dirtyecrypt.exe stuck on my external hard drive with all my backed up data. I want to remove DirtyDecrypt so I can view data off my external hard drive and do a reinstall of the data; any ideas on how to sort this? Any help much appreciated.



#8 Crazy Cat (Members, 808 posts, Lunatic Asylum)

Posted 16 August 2013 - 10:41 PM

I have dirtyecrypt.exe stuck on my external hard drive with all my backed up data. I want to remove DirtyDecrypt so I can view data off my external hard drive and do a reinstall of the data; any ideas on how to sort this? Any help much appreciated.



Cross posting. Read http://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/page-6#entry3132614

Or are you saying that "dirtyecrypt.exe" is in your operating system image backup??
 


 





