Maybe virus hidden in .doc


2 replies to this topic

#1 Barnack


Posted 02 January 2014 - 07:03 AM

Some time ago I had DirtyDecrypt on my computer, and the virus encrypted many .doc and .xls files, including the book I'm writing.

After some months, some files magically decrypted themselves, and from that time I was able to open the files (with the new Office).

I've just bought a new computer and I installed Office 2003 (because I prefer it), with Microsoft's converter to read new docx files in the old Office.

However, while other new files (never encrypted), both doc and docx, worked correctly, the files that had once been encrypted made Word stop working every time I added a symbol.

Then, with some suspicion, I opened a clean file and one of those that had been encrypted with Notepad.

Apparently the encryption problem was solved, but I think that this may be only a trap: in fact there are several strange lines when I open these files with Notepad.

 

In a normal file (never encrypted), I always have something like this:

ÐÏࡱᠠ              > þÿ                .          0      þÿÿÿ    -   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ...

text

...ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿR o o t   E n t r y                                             ÿÿÿÿÿÿÿÿ         À      F            pÀeM5Ï1   €       D a t a                                                        
 ÿÿÿÿÿÿÿÿÿÿÿÿ                                   
          1 T a b l e                                                           ÿÿÿÿ                                              W o r d D o c u m e n t                                               ÿÿÿÿ                                        .      S u m m a r y I n f o r m a t i o n                           ( ÿÿÿÿÿÿÿÿÿÿÿÿ                                              D o c u m e n t S u m m a r y I n f o r m a t i o n           8    ÿÿÿÿÿÿÿÿ                                    %          C o m p O b j                                                 ÿÿÿÿÿÿÿÿÿÿÿÿ                                        u                                                                           ÿÿÿÿÿÿÿÿÿÿÿÿ                                                   þÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ þÿ
  ÿÿÿÿ      À      F#   Documento di Microsoft Office Word
   MSWordDoc    Word.Document.8 ô9²q                                                                                                                                                                                                                                                 

 

 

but in the encrypted ones there are some internet addresses among many more strange symbols than normal:

<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" bg1="lt1" tx1="dk1" bg2="lt2" tx2="dk2" accent1="accent1" accent2="accent2" accent3="accent3" accent4="accent4" accent5="accent5" accent6="accent6" hlink="hlink" folHlink="folHlink"/>

 

I've not tried to see where this http leads to; maybe it is just a stupid thing, but who knows? Surely a person more expert than me can tell that this is nothing... or not, but I don't care about my personal impression.

 

If I understand how to add files, I'll post one of them. I changed their names (cmd > ren *.doc *.txt > it's faster than renaming each one manually ;-) ) to .txt, to make sure that a "virus" does something...

 

Do you think I have to open them all with Notepad, copy JUST the text (without symbols), and then paste it into a new, pure, clean document?

 

 

EDIT:

I've just read on Google that the last thing I quoted is used for colors... but I don't remember any colors in that file...


Edited by Barnack, 02 January 2014 - 07:08 AM.
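
Added example, not part of any post in this thread: a Python sketch that does the Notepad comparison above without opening the file in Word. It reads the container signature and lists URLs found in the raw bytes, separating XML namespace identifiers such as the `schemas.openxmlformats.org` string quoted in the post from any other address. The function names, the namespace host list and the sample bytes are assumptions constructed for illustration.

```python
import re

# Well-known container signatures.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls; Notepad renders it as "ÐÏ..."
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.xlsx packages are ZIP archives

# Hosts that commonly appear as XML namespace identifiers (assumed list).
# An xmlns value names a vocabulary; XML parsers do not fetch it.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                   "www.w3.org", "purl.org"}

URL_RE = re.compile(rb"https?://[^\s\"'<>\x00-\x20\x7f-\xff]+")
WIDE_RUN_RE = re.compile(rb"(?:[\x21-\x7e]\x00){8,}")  # UTF-16LE text, like "R o o t   E n t r y"


def container_type(data):
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip/ooxml"
    return "unknown"


def find_urls(data):
    """Collect URLs stored as plain ASCII or as UTF-16LE strings."""
    hits = [m.group() for m in URL_RE.finditer(data)]
    for run in WIDE_RUN_RE.finditer(data):
        hits += URL_RE.findall(run.group()[::2])  # drop the interleaved NUL bytes
    return {h.decode("ascii") for h in hits}


def triage(data):
    urls = find_urls(data)
    # "http://host/path".split("/")[2] is the host part of the URL.
    ns = {u for u in urls if u.split("/")[2].lower() in NAMESPACE_HOSTS}
    return {"container": container_type(data),
            "namespace_ids": sorted(ns),
            "other_urls": sorted(urls - ns)}  # for manual review, not a verdict


# Constructed sample bytes (not taken from the poster's files).
SAMPLE = (OLE2_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le")
          + b'<a:clrMap xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"/>'
          + b"\x00\x00" + "http://example.invalid/page".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty `other_urls` list only covers addresses stored as text; it says nothing about macros or embedded objects, which need a scanner.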




#2 cryptodan


Posted 02 January 2014 - 07:12 AM

That would be the binary data of the document, but just in case:

Please download TDSSKiller exe version to your desktop. Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click on Change Parameters and click Detect TDLFS File System.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • Note: If Cure is not an option, select Skip instead; do not choose Delete unless instructed.
  • A TDSSKiller text file would be saved in Local Disk C.
  • Copy and paste the contents of that file in your next reply.

ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#3 Barnack


Posted 06 January 2014 - 12:18 PM

Sorry for the late answer...

Before I execute these programs: if they detect something, will I lose the documents?





