
BandarChor Ransomware (<filename>.<id>-<10 digit random number>_<email>) Support


147 replies to this topic

#31 Acinony

  • Members
  • 12 posts

Posted 13 March 2015 - 03:33 AM

@MeisterYoda: I found some sort of manual online to remove it from the registry.

So some things I removed manually; after that I ran about 4 programs to remove malware, viruses, spyware etc.

I've tried shadow copy and panda decrypt, but nothing works.

There are no backups to be found.

All of my drives (I have three HDDs: C/D/E) are infected. So I did not try to go back to an earlier period through Windows restore, because the files that I need are on D and E. (Backup was off, unfortunately.)




#32 luckym

  • Members
  • 2 posts

Posted 13 March 2015 - 04:27 AM

I was in contact with the guy and wanted to pay him. However, I can't send him emails any more. Does anyone maybe have another address?



#33 Acinony

  • Members
  • 12 posts

Posted 21 March 2015 - 12:20 PM

So still no cure... I have put the encrypted files I really want back on a small drive (75 GB).

Hopefully there will be a solution in the future so I can decrypt them and get back my files. :-(

If someone has news, please share it.



#34 White Hat Mike

  • Members
  • 312 posts
  • Gender:Male
  • Location:::1

Posted 27 March 2015 - 10:38 AM

Does anyone have the executable file containing the ransomware's payload?  Would like to analyze it.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#35 domyrat

  • Topic Starter
  • Members
  • 22 posts

Posted 28 March 2015 - 03:58 AM

Mike, I think I sent the files that the crypto uses to the BleepingComputer upload. Maybe I can find them and send them to you.



#36 cromadness

  • Members
  • 2 posts

Posted 01 April 2015 - 02:11 PM

Hi guys. I have the same problem, but I can't detect the source. I have circa 160 PCs on my network and nobody is screaming that they have a virus, or that their files are locally encrypted, but all files on a mapped share for some folders are encrypted as "name of the file_fudx@lycos.com", except exe, bat... mostly doc, docx, ...

They all have TM OfficeScan v11, up to date, but that obviously doesn't matter.

6 people have mapped one specific folder on a QNAP NAS, and I scanned all six people's PCs for viruses; nothing found. But there are others, and mapped folders with domain\users privileges.

Thankfully I have a backup of the data, but how do I detect the infected PCs without going on foot to all of them?

Tx

Best regards

Sorry for my English, kind of in a rush and it's not my mother language.



#37 bookwormz

  • Members
  • 4 posts
  • Gender:Male
  • Location:Europe, Bulgaria

Posted 07 April 2015 - 10:49 AM

Hi,

Is "name of the file_fudx@lycos.com" the same as "_fud@india.com"?

I got the one, and most of my files got an additional "_fudx@lycos.com". Also some on a shared folder (full access, duh).

Luckily I pulled my network cable before the malware finished, but couldn't find any executable on the system (WinXP SP3).

The system is running now, but isolated from the network. No suspicious activity there.

Also, it did not show any ransom messages.

Is there a chance to recover encrypted files?

I assume this version is quite new, as I couldn't find enough information about it...

Tried to run SpyHunter, but except for some "malicious" cookies it couldn't find anything.

Also the Temporary Internet Files folder was completely deleted.

Thank you!

P.S. Sorry for my broken English.


Edited by bookwormz, 07 April 2015 - 10:53 AM.


#38 bookwormz

  • Members
  • 4 posts
  • Gender:Male
  • Location:Europe, Bulgaria

Posted 07 April 2015 - 11:07 AM


How about the similarity?

#39 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,106 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 April 2015 - 12:31 PM

It appears similar and so I have reported it to our experts who specialize in crypto-malware.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#40 bookwormz

  • Members
  • 4 posts
  • Gender:Male
  • Location:Europe, Bulgaria

Posted 07 April 2015 - 03:07 PM

I know it might be silly, but anyway...
Will it be of any help if I have a pair of an encrypted and an original file?

#41 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,106 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 April 2015 - 03:33 PM

You can submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3
with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that would be helpful with analyzing and investigating.

#42 rlaudi

  • Members
  • 2 posts

Posted 08 April 2015 - 07:13 AM

Hello guys, and thank you for your work.

I'm from Italy and work in a non-profit company. One PC was attacked by this virus. I submitted a file; I hope that you can find a solution from the encrypted file.

Thank you so much!

Rudy



#43 Goran Cro

  • Members
  • 1 posts

Posted 08 April 2015 - 08:23 AM

Dear Sirs, I'm from Croatia.
On 31.3. my nightmare started.
I plugged in a backup drive to make a backup of my CDR file (CorelDraw) and all the data was encrypted with *.fudx@lycos.com. I was looking on the internet for solutions, but because the data is very important to me, I decided to pay the ransom. I had contact through e-mail, I paid the ransom and waited for the key. I got the key to all the kids started decoder and icon files were starting to show. It decrypted mostly all files except for a few, but only 3% of the files open; the others could not. I mailed them what happened; they sent me a new key to try and it locked all files. Of course I was asked to send files to try.
Now the files are without extensions. Now I'm not in touch with them because they put me on the blacklist.
I have the same two CDR files; one is encrypted and the other is not, because it was on the second disk, so I guess it failed.
Please help.


#44 rlaudi

  • Members
  • 2 posts

Posted 09 April 2015 - 08:39 AM

I don't know if it's interesting... with an original file and encrypted files I found a file 242xxx232xxx.key. Is it important?



#45 Acinony

  • Members
  • 12 posts

Posted 09 April 2015 - 11:16 AM

I don't know if it's interesting... with an original file and encrypted files I found a file 242xxx232xxx.key. Is it important?

How did you find this key, and have you tried to unlock encrypted files with this key?





