Hi all. This is my first post here. I have been a computer nerd since 1962. Darn, did I really admit to that. I started my career at Cape Canaveral in 1962 as a scientific programmer. My last position was at JPM where I was an Assembler programmer on large IBM mainframes.
Sorry about the title but I wanted this thread to be an attention getter.
Fortunately for me, I did not get this Malware. My friend (non nerd) did and I started looking into it and discovered the following:
The files CANNOT be decrypted as they are not encrypted. The technique they used was to overlay the beginning part of the file with that "File is encrypted" message screen, a PNG (Portable Network Graphics) format image.
Open the affected file in NOTEPAD (make sure you select all files instead of *.txt files) and you will see the PNG header string, which starts with IHDR. Then do a find (ctrl-f) and find IEND.
After the IEND will be what's left of your original file. In essence the PNG data string overlays the first 25,486 bytes of your trashed file.
Whatever program you use to open the affected file recognizes the PNG format and processes it until it encounters the IEND. The remainder of your trashed file behind the IEND is ignored.
This is the reason the properties information for the file still reflects the original data so one might think that the entire file is there.
Wikipedia has an excellent description of the PNG format. Look under "2 PNG Working Group". Wikipedia also has a good explanation on why thumbnails can be seen normally although the corrupted file is not visible.
I will try and include a screen image of my Notepad sessions. This is the actual data placed over the destroyed files. I created this file by taking a corrupted file and removing everything after the IEND parameter.
The second image is a display of how the JPG file looks after the overlay is done. Note the IEND in blue followed by the JPG data.
Attachments: Dirtydecrypt Notepad image.jpg, Dirtydecrypt overlaying JPG file.jpg
Edited by boopme, 30 August 2013 - 01:33 PM.
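The overlay described in the post above, carried out and reversed on a constructed sample. This is an added example and not code from the poster; it builds a tiny valid PNG (signature, IHDR, IDAT, IEND) rather than the 25,486-byte message screen, writes it over the start of a constructed JPEG-like byte string, and then walks the PNG chunk structure (length, type, data, CRC) to find the end of the IEND chunk and carve out what follows. Walking the chunks is assumed to be more reliable than a plain text search for "IEND", since those four bytes can also occur inside image data. The carved tail is exactly what survives: the bytes the PNG overwrote, including the JPEG's own header, are not in the file any more.

```python
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed sample: a minimal 1x1 8-bit greyscale PNG standing in for the
    'File is encrypted' message screen. Real overlay is ~25 KB; the structure is the same."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed stand-in for a JPEG: SOI/APP0 marker, some body bytes, EOI marker.
SAMPLE_ORIGINAL = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2 + b"\xff\xd9"


def overlay(original: bytes, png: bytes) -> bytes:
    """Simulate the damage: the PNG is written over the start of the file in place,
    so the first len(png) bytes of the original are destroyed and the rest is untouched."""
    if len(png) >= len(original):
        return png
    return png + original[len(png):]


def find_png_end(blob: bytes) -> Optional[int]:
    """Walk the PNG chunks from the signature and return the offset just past the
    IEND chunk's CRC, i.e. where the surviving original bytes begin.
    Returns None if the data does not start with a complete, CRC-valid PNG."""
    if not blob.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            return None  # truncated chunk: not a complete PNG
        (stored_crc,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(blob[pos + 4:end - 4]) & 0xFFFFFFFF != stored_crc:
            return None  # corrupted chunk: refuse to guess where the image ends
        if ctype == b"IEND":
            return end
        pos = end
    return None


def carve_remainder(blob: bytes) -> Optional[bytes]:
    """Return the bytes after the overlaid PNG (what the post calls 'what's left of
    your original file'), or None if no complete PNG is found at the start."""
    end = find_png_end(blob)
    return None if end is None else blob[end:]


if __name__ == "__main__":
    png = build_sample_png()
    trashed = overlay(SAMPLE_ORIGINAL, png)
    tail = carve_remainder(trashed)
    print("bytes overwritten:", find_png_end(trashed))
    print("surviving tail length:", len(tail))
    print("tail still has a JPEG header:", tail.startswith(b"\xff\xd8"))
```

The carved tail of a JPEG whose first tens of kilobytes were overwritten has no SOI marker or quantization/Huffman tables left, which is why a viewer cannot open it even though the file size and properties look intact; file-system thumbnails that were cached before the overlay are unaffected, as the post notes.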