
What is Ransom-FOO!htm virus?


5 replies to this topic

#1 headgeek


Posted 12 November 2014 - 09:48 PM

My McAfee is showing that a number of files are infected with Ransom-FOO!htm virus but I can find very little about this virus. When I look at the McAfee site and look at the regional statistics I see that this virus is occurring frequently but there is no information about it -- for example, removal, how it is transmitted, etc. I looked at other vendors' sites -- Symantec, Sophos, etc. -- and can't even find it. Does anyone know what it is and what to do about it? More importantly, how it is spread so I can avoid it in the future.

 

Thanks.




#2 Condobloke


Posted 12 November 2014 - 11:06 PM

http://www.reddit.com/r/sysadmin/comments/2lo550/ransomfoo/

 

http://www.bleepingcomputer.com/forums/t/555654/dllhostexe32-com-surrogate-ransom-foohtm-issues/


Condobloke ...Outback Australian  fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

“A man travels the world in search of what he needs and returns home to find it."

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy



#3 Condobloke


Posted 12 November 2014 - 11:12 PM

and....follow this one.....I would warn you however DO NOT use the fixlists from this page.....just observe for now

 

 

Have you been sent any ATTACHMENTS in an email recently ?.....which you opened.....???....maybe something that you don't usually receive.....?


Edited by Condobloke, 12 November 2014 - 11:15 PM.



#4 headgeek


Posted 13 November 2014 - 08:25 AM

Yes. I found those but those were the only ones I found which I found somewhat strange for something that appears to be occurring fairly frequently. I do expect this came in via an attachment. I was looking for more of the formal description where the AV Vendors tell you about what to do and how it spreads, etc. Also I found it interesting that the only AV vendor which has anything on it is McAfee. That doesn't seem right as other vendors must be seeing this also so I am guessing that it might have a different name. Based upon the lack of info, I am thinking this might be something new and fairly wild? Thanks.



#5 Condobloke


Posted 14 November 2014 - 01:18 AM

Upload the file/s to VirusTotal  




#6 quietman7


Posted 14 November 2014 - 04:31 AM

Each security vendor uses their own naming conventions to identify various types of malware.

Crypto malware, like other forms of ransomware, is also typically spread through social engineering and user interaction...i.e. opening suspicious emails and opening infected Word docs with embedded macro viruses, and sometimes via exploit kits. It can be disguised in email attachments which appear to be legitimate correspondence from reputable companies such as banks and Internet providers or UPS or FedEx with tracking numbers. Attackers will use email addresses and subjects (i.e. example) that will entice a user to read the email and open the attachment.

US-CERT advises there have been reports that some victims encounter the malware after clicking on a malicious link within an email or following a previous infection from botnets such as Zbot/Z-bot (Zeus), which downloads and executes the ransomware as a secondary payload from infected websites. Other types of crypto malware have been reported to spread on YouTube ads, via browser exploit kits and drive-by downloads when visiting compromised web sites.

From the reddit.com article...

The only evidence of anything wrong is the DECRYPT_INSTRUCTIONS.txt and .htm files on the respective workstations


CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

CryptoWall is essentially a new variant of CryptoDefense.
- ransom is $1000 USD.
- leaves files named DECRYPT_INSTRUCTION:
DECRYPT_INSTRUCTION.TXT
DECRYPT_INSTRUCTION.HTML
DECRYPT_INSTRUCTION.URL


CryptoWall 2.0 uses its own TOR gateways...see Updated CryptoWall 2.0 ransomware released that makes it harder to recover files.

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
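The thread above identifies the infection by the DECRYPT_INSTRUCTION / DECRYPT_INSTRUCTIONS note files the ransomware leaves in every folder it touches. As an added example (not code from this thread, BleepingComputer or any vendor), here is a small Python scanner that locates those notes on a drive or share, orders them by modification time so the oldest note gives an approximate start of encryption, and counts hits per top-level folder so you can see which profiles or shares were affected. The note names come from the posts above; the sample directory tree is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note names CryptoWall/CryptoDefense drop into each folder they encrypt
# (taken from the thread above). Matching is case-insensitive because the notes
# are reported as DECRYPT_INSTRUCTION.TXT and as DECRYPT_INSTRUCTIONS.txt/.htm.
NOTE_STEMS = {"decrypt_instruction", "decrypt_instructions"}
NOTE_SUFFIXES = {".txt", ".html", ".htm", ".url"}

def is_ransom_note(name):
    """True if a file name matches one of the known ransom-note names."""
    stem, suffix = os.path.splitext(name.lower())
    return stem in NOTE_STEMS and suffix in NOTE_SUFFIXES

def find_ransom_notes(root):
    """Walk root; return (mtime, path) per note, oldest first. The oldest note
    approximates when encryption began (which backup is clean, which logs to read)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if is_ransom_note(fname):
                p = Path(dirpath) / fname
                try:
                    hits.append((p.stat().st_mtime, str(p)))
                except OSError:
                    pass  # vanished or unreadable; keep scanning
    hits.sort()
    return hits

def hits_by_top_dir(hits, root):
    """Count notes per top-level directory (one share or user profile each)."""
    counts = {}
    for _mtime, path in hits:
        parts = Path(path).relative_to(root).parts
        top = parts[0] if len(parts) > 1 else "."
        counts[top] = counts.get(top, 0) + 1
    return counts

def build_sample_tree():
    """Constructed sample data, not from a real infection: two hit folders."""
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    for rel in ("finance/DECRYPT_INSTRUCTION.TXT", "finance/DECRYPT_INSTRUCTION.HTML",
                "hr/DECRYPT_INSTRUCTIONS.htm", "hr/report.docx", "it/notes.txt"):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    return root
```

Point `find_ransom_notes` at the root of a suspect share or user profile; `hits_by_top_dir` then shows which folders the infection reached, which is the scoping information the linked CryptoWall guide asks for before any cleanup.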



