
Virus files encrypted do not think is cryptovirus


18 replies to this topic

#1 jb75

jb75

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:04 AM

Posted 10 December 2013 - 11:55 AM

Hi,

I have a computer on which most files have been encrypted.  The virus left behind in each directory a howdecrypt.txt document and a howdecrypt.jpg file saying to go to http://www.torproject.org/projects/torbrowser.html.en and install the browser then enter address: 4sfxctgp53imlvzk.onion.  Follow instructions.  Guaranteed recovery is provided within 10 days.

Has anyone encountered this before?

Thanks,

jb75

 




 


#2 DrDataRex

DrDataRex

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 10 December 2013 - 12:01 PM

I haven't encountered that at all.

What were the circumstances behind what happened? When did you first notice the issue? Was it after you turned on your PC, in the middle of working on something...?

 

Thanks,

 

DDrex



#3 jb75

jb75
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:04 AM

Posted 10 December 2013 - 12:05 PM

It was a user on the evening shift yesterday.  The user never let me know.  The create time for the txt and jpg is 5:09PM 10/9/13



#4 DrDataRex

DrDataRex

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 10 December 2013 - 12:17 PM

Ok JB, it appears that this is due to a bad download of a TOR file, infected with the virus. I found this site with some more information. Check it out, try it and let me know if it helps you. Does somebody at the office at your work typically download torrents?

 

http://forum.precisesecurity.com/computer-security/folder-name-changed-to-how-to-decrypt-files-txt

 

Let me know if it helps.

 

DDRex



#5 jb75

jb75
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:04 AM

Posted 10 December 2013 - 01:51 PM

I tried all that.  Did not work.  Dr. Web .com only takes virus file submissions from their customers.   Sent the files to Symantec.  Think this is a newer version of the virus your link sent me to.  There was no mention of request for money.



#6 jb75

jb75
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:11:04 AM

Posted 10 December 2013 - 04:04 PM

This is what the text file says:

All files including videos, photos and documents on your computer are encrypted.

File Decryption costs ~ $ 500.

In order to decrypt the files, you need to perform the following steps:
1. You should download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: 4sfxctgp53imlvzk.onion
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.

Guaranteed recovery is provided within 10 days.

IMPORTANT INFORMATION:

Your Personal CODE: 00000001-E4FF8F7A



#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:04 AM

Posted 13 December 2013 - 11:37 AM

If anyone has any copies of the infection files, please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:04 AM

Posted 13 December 2013 - 11:37 AM

Also, that DrWeb utility I believe is for a different infection unfortunately.

#9 IOvei

IOvei

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 13 December 2013 - 12:39 PM

If anyone has any copies of the infection files, please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3

I'm trying, but the permissions are wonked up, I cannot get to it in the local machine, and I cannot get to it if I connect the HDD as an additional drive on another machine. I could spend all day trying to take ownership of the drive and reset permissions, but so far it isn't looking like an easy thing to do, so I'm going to bring up a virtual copy and see if I can get one from there. More hopefully in a few minutes...



#10 IOvei

IOvei

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 13 December 2013 - 12:50 PM

If anyone has any copies of the infection files, please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3

You should have it now...



#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:04 AM

Posted 13 December 2013 - 02:46 PM

Got it and installing

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:04 AM

Posted 13 December 2013 - 03:08 PM

Hmm...that file is malware but does not appear to be what does the encrypting. Anything else on there?

#13 IOvei

IOvei

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 13 December 2013 - 03:23 PM

Yes there was, but I'll need to pull up what it was that HitMan identified. I'll try to corral all of them and get them to you.



#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,660 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:04 AM

Posted 13 December 2013 - 03:28 PM

K..thanks

#15 IOvei

IOvei

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 13 December 2013 - 03:41 PM

Hmm...that file is malware but does not appear to be what does the encrypting. Anything else on there?

OK, I just sent you a pile of possibilities. There may be a couple more, but I'll need to revert back to the original image I think to get at them. I've got to leave for a couple of hours, but I will check this thread as soon as I get back.

 

Thanks!!

dce





