
virus using Axcrypt .axx extension on all documents


16 replies to this topic

#1 Fardooste

Fardooste

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 28 November 2014 - 11:55 AM

I have a user whose network files are suddenly ending in .axx, showing typical encryption virus signs (network drives, alphabetical order, strange start time, etc.). Googling it shows this is an AxCrypt extension. Which virus is this, and how do I remove it? Thanks.


Edited by Fardooste, 28 November 2014 - 11:59 AM.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,112 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:22 AM

Posted 28 November 2014 - 05:44 PM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:22 AM

Posted 28 November 2014 - 06:48 PM

Please submit a sample of the encrypted file http://www.bleepingcomputer.com/submit-malware.php?channel=3

Also do you have any of the malware files that you suspect were involved? If so, please submit to the above address as well.

#4 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 29 November 2014 - 10:44 PM

I should have saved the virus, but I was in a rush and it was the company owner whose computer infected the system (based on the file owner of all the .axx files) who was on the phone. I'm sure I'll see this infection again (we have a lot of small businesses whose workers love clicking on links and opening emails). I did send some encrypted files though. I grabbed a few to make analysis easier.


Edited by Fardooste, 29 November 2014 - 10:52 PM.


#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:22 AM

Posted 03 December 2014 - 06:46 PM

We are still looking for the installer for this. If it pops up again, please let us know.

#6 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 04 December 2014 - 12:21 PM

Update - What I thought was the virus wasn't it. By Monday morning the user's own desktop files were encrypted with AxCrypt, and we had to pull the machine. It wasn't wiped yet, so I will try checking it for the file if I can.


Edited by Fardooste, 04 December 2014 - 12:22 PM.


#7 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 05 December 2014 - 10:13 AM

Update - I uploaded some stuff from ProgramData. Working on regedit now for ntuser.dat.

The only suspicious thing I see (I'm a beginner at this; ntuser.dat is bigger than allowed here in Submit Malware Sample) is this line in Windows\RunOnce:

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  --incognito --extensions-on-chrome-urls --test-type --load-extension="c:\Program Files\Google\Chrome\Application\Extensions\chrome\app" --flag-switches-begin --flag-switches-end --restore-last-session

Also, we were able to restore using R-Studio, so it does the copy-before-encrypt deal.
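The RunOnce command line quoted in the post above is the kind of persistence entry that is worth triaging systematically rather than by eye. The script below is an added example, not code from this thread or from BleepingComputer: it parses Run/RunOnce-style command lines (quoted or unquoted image paths, `--switch=value` arguments), singles out chrome.exe launches and notes which Chrome switches appear (`--load-extension` sideloads an unpacked extension from any directory, `--test-type` hides Chrome's "unsupported command-line flag" warning bar, `--extensions-on-chrome-urls` lets extensions run on chrome:// pages). The input is a constructed dict standing in for an exported RunOnce key: the first entry is the command line from the post, the other two are made-up benign controls. On a live machine the dict could be filled from the key with the standard-library winreg module instead.

```python
import re

# Chrome switches worth a second look when they appear in a persistence entry.
# Notes are kept short so they can go straight into a triage record.
SWITCH_NOTES = {
    "--load-extension": "sideloads an unpacked extension from an arbitrary path",
    "--test-type": "suppresses Chrome's 'unsupported command-line flag' warning bar",
    "--extensions-on-chrome-urls": "lets extensions run on chrome:// pages",
    "--incognito": "starts a private session (no history written for the run)",
    "--restore-last-session": "reopens the previous tabs on start",
}

# Token = run of non-space characters, where a double-quoted group (which may
# contain spaces) counts as part of the same token, e.g. --load-extension="a b".
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def split_command(cmdline):
    """Return (image_path, [args]) for a Run/RunOnce style command line.

    Handles a quoted image path as well as the unquoted-with-spaces form seen
    in the thread by joining tokens until one ends in '.exe'.
    """
    tokens = TOKEN_RE.findall(cmdline.strip())
    if not tokens:
        return "", []
    if tokens[0].startswith('"'):
        image, rest = tokens[0].strip('"'), tokens[1:]
    else:
        end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")), 0)
        image, rest = " ".join(tokens[: end + 1]), tokens[end + 1 :]
    return image, [t.replace('"', "") for t in rest]


def parse_switches(args):
    """Map '--name=value' / '--name' tokens to {name: value-or-None}."""
    switches = {}
    for arg in args:
        if not arg.startswith("--"):
            continue
        name, _, value = arg.partition("=")
        switches[name] = value or None
    return switches


def triage_entry(value_name, cmdline):
    """Return a list of human-readable findings for one autorun entry."""
    image, args = split_command(cmdline)
    findings = []
    if not image.lower().endswith("chrome.exe"):
        return findings
    switches = parse_switches(args)
    for name, note in SWITCH_NOTES.items():
        if name in switches:
            detail = f" ({switches[name]})" if switches[name] else ""
            findings.append(f"{value_name}: {name}{detail}: {note}")
    if "--load-extension" in switches:
        # Chrome does not keep its own extensions under Program Files; an
        # unpacked extension loaded from there deserves a manual look.
        path = switches["--load-extension"] or ""
        findings.append(
            f"{value_name}: review extension directory {path} "
            "(manifest.json and any background scripts)"
        )
    return findings


def triage_runonce(entries):
    """Run triage_entry over a {value_name: command_line} mapping."""
    findings = []
    for name, cmd in entries.items():
        findings.extend(triage_entry(name, cmd))
    return findings


# Constructed sample standing in for an exported
# HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce key (assumed location).
# "chrome" is the line quoted in the thread; the other two are made-up controls.
SAMPLE_RUNONCE = {
    "chrome": (
        r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  --incognito "
        r"--extensions-on-chrome-urls --test-type "
        r'--load-extension="c:\Program Files\Google\Chrome\Application\Extensions\chrome\app" '
        r"--flag-switches-begin --flag-switches-end --restore-last-session"
    ),
    "Updater": r'"C:\Program Files\Example\update.exe" /quiet',
    "chrome-plain": r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
}

if __name__ == "__main__":
    for line in triage_runonce(SAMPLE_RUNONCE):
        print(line)
```

Only the entry from the post produces findings; a plain Chrome launch with `--profile-directory` and a non-Chrome updater pass through silently, which is the point: the switches, not the mere presence of chrome.exe in RunOnce, are what make the entry stand out.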



#8 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 05 December 2014 - 10:50 AM

Also sent some Chrome info. Please let me know what else you need. Happy to stop these criminals.



#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:22 AM

Posted 08 December 2014 - 02:14 PM

Sorry for the delay. Looking at it.



#10 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 08 December 2014 - 02:18 PM

Thanks



#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:22 AM

Posted 08 December 2014 - 02:40 PM

I tried finding something, but there are just too many URLs to sift through.

 

If you want to give it a whirl, the Chrome databases are in SQLite. You can download a SQLite database browser here:

 

http://sqlitebrowser.org/
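The "too many URLs" problem in the post above is easier with a time pivot: the earliest modification time of an encrypted .axx file bounds when the infection started, so only browsing activity shortly before it matters. The script below is an added example, not from the thread or from BleepingComputer: it builds a constructed in-memory stand-in for Chrome's History database (the `urls` and `visits` tables use Chrome's own table and column names; `downloads` is a reduced subset of columns), converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC), and lists the visits and downloads in the window before the pivot, following `from_visit` to show which page each visit was reached from. All URLs, paths and times are constructed; against a real machine you would point `sqlite3.connect` at a copy of the profile's History file instead of calling `build_sample_history`.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed pivot: earliest mtime seen on an encrypted .axx file.
FIRST_AXX_MTIME = datetime(2014, 11, 28, 8, 5, tzinfo=timezone.utc)
WINDOW = timedelta(hours=1)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    # Integer arithmetic so microsecond precision survives for 2014-era values.
    td = dt - WEBKIT_EPOCH
    return (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds


def visits_before(conn, pivot, window):
    """Visits in `window` ending at `pivot`, oldest first, each with the URL of
    the visit it was reached from (Chrome's from_visit chain; None if direct)."""
    start, end = datetime_to_webkit(pivot - window), datetime_to_webkit(pivot)
    rows = conn.execute(
        """
        SELECT v.visit_time, u.url, u.title, pu.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits pv ON pv.id = v.from_visit
        LEFT JOIN urls pu ON pu.id = pv.url
        WHERE v.visit_time BETWEEN ? AND ?
        ORDER BY v.visit_time
        """,
        (start, end),
    ).fetchall()
    return [(webkit_to_datetime(t), url, title, from_url) for t, url, title, from_url in rows]


def downloads_before(conn, pivot, window):
    """Downloads started in `window` ending at `pivot`, with their referrer."""
    start, end = datetime_to_webkit(pivot - window), datetime_to_webkit(pivot)
    rows = conn.execute(
        "SELECT start_time, target_path, referrer FROM downloads "
        "WHERE start_time BETWEEN ? AND ? ORDER BY start_time",
        (start, end),
    ).fetchall()
    return [(webkit_to_datetime(t), path, ref) for t, path, ref in rows]


def build_sample_history():
    """Constructed stand-in for a Chrome History file (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT,
                               start_time INTEGER, referrer TEXT);
        """
    )

    def ts(hour, minute):
        return datetime_to_webkit(datetime(2014, 11, 28, hour, minute, tzinfo=timezone.utc))

    urls = [
        (1, "http://news.example.org/", "Morning news", 1, 1, ts(6, 30), 0),
        (2, "https://webmail.example.com/inbox", "Inbox", 1, 1, ts(7, 40), 0),
        (3, "http://invoice.example.net/view?id=1234", "Your invoice", 1, 0, ts(7, 41), 0),
    ]
    visits = [
        (1, 1, ts(6, 30), 0, 0),  # from_visit 0 = no referring visit
        (2, 2, ts(7, 40), 0, 0),
        (3, 3, ts(7, 41), 2, 0),  # reached via a link clicked in the inbox
    ]
    downloads = [
        (1, r"C:\Users\owner\Downloads\invoice.zip", ts(7, 42),
         "http://invoice.example.net/view?id=1234"),
    ]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", urls)
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", visits)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", downloads)
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_history()
    for when, url, title, from_url in visits_before(conn, FIRST_AXX_MTIME, WINDOW):
        print(f"{when:%H:%M:%S} {url} ({title}) <- {from_url or '-'}")
    for when, path, ref in downloads_before(conn, FIRST_AXX_MTIME, WINDOW):
        print(f"{when:%H:%M:%S} download {path} referrer {ref}")
```

With the one-hour window the 06:30 news visit drops out and what remains is a short chain: inbox, a link followed from it, and a download referred by that page. Widen the window if the pivot is uncertain; the mtime of an encrypted file only tells you when encryption reached that file, not when the dropper ran.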



#12 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 08 December 2014 - 02:45 PM

Is there anything else I can give you that might help you narrow it down?



#13 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 08 December 2014 - 05:00 PM

Update - I heard someone overseas managed to brute-force the encryption for a different victim. I heard my boss recovered the installer; working on getting it to you.



#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,503 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:11:22 AM

Posted 08 December 2014 - 05:28 PM

K. Without the installer it's going to be hard.

#15 Fardooste

Fardooste
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:10:22 AM

Posted 24 December 2014 - 11:14 AM

Final followup - someone from overseas was able to restore files. Apparently it wasn't real encryption. It involved (this is third-hand) subtracting registry keys to create a decryptor.





