
Cryptolocker Hijack program - live event


10 replies to this topic

#1 helping hands


Posted 23 October 2013 - 11:56 PM

So I'm working hands on with the computer of the person I am trying to help

 

I've restored the virused file and registry entries to the computer, the virus is running....

 

I've tried turning the internet on/off and I haven't gotten a RANSOM pop up yet.

 

I have wireshark on the computer, what should I be monitoring for?

 

I'm going to put a link, from the main Cryptolocker Hijack program thread to here to see who's game for assisting with this

 

Thanks again to any and all in advance for your help!




#2 helping hands


Posted 24 October 2013 - 12:42 AM

I've got 2 files that are actively running on the system

 

OVEG.EXE and so far it has been trying to reach US based IP addresses in Texas, on the SBC network....

 

then there is one of those obnoxious randomly generated files, Clbhlrfqqsln.exe. This file is running, but I can't see it doing anything.

 

I've turned the internet off/on, no change in status



#3 helping hands


Posted 24 October 2013 - 08:10 AM

There has still been no change in status of this computer, performed several reboots, shutdown, restarted, etc....

Continued to enable/disable the internet, no reaction.


Edited by helping hands, 24 October 2013 - 08:10 AM.


#4 Grinler (Lawrence Abrams, Admin)

Posted 24 October 2013 - 10:05 AM

Where is oveg located? %AppData%\<random>\Random.exe?

#5 helping hands


Posted 24 October 2013 - 10:09 AM

%AppData%\roaming\Random?

 

In this case %AppData%\roaming\obmyud



#6 Grinler (Lawrence Abrams, Admin)

Posted 24 October 2013 - 10:42 AM

OK, the OVEG.EXE located in AppData\roaming\obmyud is Zbot. I suggest you kill that process and remove the run entry for it in HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it doesn't start again. It may eventually download Cutwail, which could get your IP blacklisted.

As for the Clbhlrfqqsln.exe, this is CryptoLocker. I assume this is in root of AppData\Roaming?

Check your pms
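The cleanup Grinler describes above (stop the process, then delete its HKCU Run entry so it does not relaunch at logon) can be audited and carried out from PowerShell. The script below is an added example written for this thread, not code posted by either participant or by BleepingComputer; it lists every HKCU Run value whose target executable lives under the user's Roaming or Local AppData folder (the locations the thread names for OVEG.EXE and Clbhlrfqqsln.exe), and offers a removal function that stops any process running from that path before deleting the value. Function names, the `Exists` column and the decision to flag only AppData-resident targets are the example's own assumptions; nothing here identifies malware by itself, it only surfaces entries a responder should review.

```powershell
# Added example, not from the original thread.
# Audits HKCU Run entries that launch executables from %AppData% or %LocalAppData%
# and provides a helper that stops the process and removes the entry.

$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData      = [Environment]::GetFolderPath('ApplicationData')       # %AppData% (Roaming)
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')  # %LocalAppData%

function Get-AppDataRunEntries {
    # Returns one object per Run value whose executable sits under AppData (assumed review criterion)
    $props = Get-ItemProperty -Path $runKey
    $hits  = @()
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata properties
        $cmd = [string]$p.Value
        # Take the executable path: quoted path first, otherwise the first whitespace-delimited token
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        if ($expanded.StartsWith($appData, 'OrdinalIgnoreCase') -or
            $expanded.StartsWith($localAppData, 'OrdinalIgnoreCase')) {
            $hits += [pscustomobject]@{
                Name   = $p.Name
                Path   = $expanded
                Exists = Test-Path -LiteralPath $expanded   # file may already be gone after a kill
            }
        }
    }
    return $hits
}

function Remove-AppDataRunEntry {
    # Stops any process executing from the entry's path, then deletes the Run value (assumed workflow)
    param([Parameter(Mandatory)][string]$Name)
    $entry = Get-AppDataRunEntries | Where-Object { $_.Name -eq $Name }
    if (-not $entry) { Write-Warning "No AppData-resident Run entry named '$Name'"; return }
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $entry.Path) } | Stop-Process -Force
    Remove-ItemProperty -Path $runKey -Name $Name
    Write-Output "Removed Run entry '$Name' -> $($entry.Path)"
}

# Usage: review first, remove only entries you have identified as malicious.
Get-AppDataRunEntries | Format-Table -AutoSize
# Remove-AppDataRunEntry -Name 'NAME_OF_SUSPECT_ENTRY'   # placeholder name, supply your own
```

Run the audit before acting: legitimate per-user installers (for example some updaters and messaging clients) also place their binaries under AppData, so the list is a review queue rather than a verdict. Capturing the output, and a copy of the flagged file, before removal preserves evidence for later analysis.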

#7 helping hands


Posted 24 October 2013 - 10:55 AM

Cutwail? - I'll be looking into that - thank you

Just Killed oveg.exe, will be removing related registry entries.

 

Clbhlrfqqsln.exe is located \AppData\local

 

Checking PMs



#8 helping hands


Posted 24 October 2013 - 12:35 PM

Guess what, it just popped up.... I would say this is just about 25-26 hours after initial infection....



#9 helping hands


Posted 24 October 2013 - 03:51 PM

We've been in waiting mode now for 3 hours..... tick...tick...tick....



#10 helping hands


Posted 24 October 2013 - 06:58 PM

4.5 hours or so into it..... got payment confirmation.... decrypted local workstation files; re-introducing computer to network to have it continue....



#11 helping hands


Posted 25 October 2013 - 12:08 AM

I have re-introduced the computer into the network, it continued the decryption, it has decrypted the files.

 

It did have an error on a file that was either in place, or out of place, but it continued.

 

Then it appeared to be restarting the scan again, which may be the behavior when there is any error.

 

Just to be safe, I disconnected it from the network, and the program stopped.

 

It stated to make sure important files were working, and that if there were any errors to move them to the desktop and to click retry until the errors were gone, or press cancel and the software will be deleted from the computer.

 

I clicked cancel, and of course, I got a dialogue box that said " I'll be back "   Great, eh?

 

Anyways, I'm in the process of reconfiguring the backup.....

 

Seems like we made it through this one.... Not fun.....

 

Theoretically I have the Decryptor program which was downloaded from the website via the URL which was provided on the splash page, and the public/private keys, and the your_private_key.bin file, so I should be able to return to decrypting later if needed.

 

I have a clone of the workstation post infection, pre payment activation, post payment activation.....

Continued full virus scans of the computer turned up some additional files, which I am not certain were there in the early part of the infection, so I think it is possible additional objects were downloaded or spawned over the episode...


Edited by helping hands, 25 October 2013 - 12:09 AM.




