
<filename>.<id>-<10 digit random number>_<email> BandarChor Ransomware Support


140 replies to this topic

#1 domyrat


Posted 25 February 2015 - 03:02 PM

We got hit again with new crypto ransomware. This time it's <extension>.id-<number>_fud@india.com
From the info I have so far, it encrypts all kinds of documents.
Sample file is encrypted in this way: testfile.pdf.id-1234567890_fud@india.com
 
Here is the ransomware note:

[screenshot of the ransom note]
 
 
This is what ESET NOD32 v5 reported:

[screenshot of the NOD32 detection]

What I don't get is why NOD32 didn't kill it instantly as soon as it tried to do ANYTHING???

The user who got this crypto is a limited-rights Windows XP SP3 domain user.
 
Any suggestions?

Edited by quietman7, 16 June 2016 - 06:50 AM.



#2 quietman7 (Global Moderator)

Posted 25 February 2015 - 04:16 PM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here: http://www.bleepingcomputer.com/submit-malware.php?channel=3
with a link to this topic.

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 quietman7

Posted 28 February 2015 - 02:33 PM

We don't have much info on this ransomware. It may be related to this one...Word document files encrypted? decode@india.com

#4 domyrat

Posted 28 February 2015 - 02:58 PM

I will fill in more info tomorrow



#5 quietman7

Posted 28 February 2015 - 03:47 PM

Ok but you probably would be better served posting in that other topic so you can exchange information with other affected users who are already subscribed there.

#6 domyrat

Posted 01 March 2015 - 03:50 AM

This is not the same crypto, as you can see even from the name of the files.



#7 domyrat

Posted 01 March 2015 - 08:22 AM

Ok, here is the intel I managed to gather from infected machines:

Encrypting all document files (doc, xls, xlsx, ...), database files (db, ...), .pst, .zip, .bak, .txt, ...

Source of infection - probable (not sure about this)

Email with:

From: "Leonia Cardle" <aligner@anmapet.com>
Subject: Am Weinkastell 26 55270 Klein-Winternheim
Date: Wed, 28 Jan 2015 15:48:02 +0100
Attachment: am_weinkastell_26_55270_klein-winternheim.cab - categorized as Win32/TrojanDownloader.Elenoocka.A trojan by NOD32

Registry

Windows XP
<no data>

Windows 7
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"<4-5letterfile>.exe"="\"C:\\Users\\<username>\\AppData\\Roaming\\<4-5letterfolder>\\<4-5letterfile>.exe" - several instances of those folders and .exe files

Working of _fud@india.com Ransomware

* Creating ?? random letter folders and creating random ?? letter .dll, .tmp and .exe files in these folders

Windows XP
C:\Documents and Settings\<username>\Start Menu\Programs\Startup\fud.bmp - ransomware note
C:\Documents and Settings\All Users\Application Data\Microsoft0\auaucdlve.exe - http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%253aWin32%252fNeurevt.A&ThreatID=-2147287351&Search=true#tab=2
C:\Documents and Settings\<username>\Local settings\Temp\<4lettername>.tmp

Windows 7
C:\Users\<username>\AppData\Local\<4lettername>.tmp
C:\Users\<username>\AppData\Local\Temp\<3-?letterfile>.dll - several instances of those .dll files
C:\Users\<username>\AppData\Local\Temp\<??letterfile>.exe - several instances of those .exe files
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<4lettername>.tmp
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fud.bmp - ransomware note
C:\Users\<username>\AppData\Roaming\<4-5letterfolder>\<4-5letterfile>.tmp - several instances of those folders and .tmp files
C:\Users\<username>\AppData\Roaming\<4-5letterfolder>\<4-5letterfile>.exe - several instances of those folders and .exe files
C:\Users\<username>\AppData\Roaming\<??letterfile>.exe - at the time of investigation, NOD32 did not recognize it (28.02.2015, around 12:30h), today classified as "a variant of Win32/Kryptik.COCJ trojan"

[two screenshots]

Ransomware note

[screenshot of the ransom note]


Edited by domyrat, 01 March 2015 - 08:23 AM.
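The indicators in the post above, turned into a small hunter script. This is an added example written for this page, not code from the thread or from any analysis of the malware itself. It does two things a responder would want on the next box: walk a directory for files renamed to <name>.<ext>.id-<10 digits>_<email>, and check HKCU Run entries (from a .reg export or, on Windows, the live registry) for an .exe launched from a 4-5 letter folder under AppData\Roaming, which is the persistence domyrat reported. The 4-5 letter lengths, the 10-digit ID, the sample file names and the .reg lines are assumptions constructed for illustration, not data from an infected machine.

```python
"""Hunt for the indicators listed in the post above.

Added example, not code from the BleepingComputer thread. It assumes only the
two patterns reported there: files renamed to <name>.<ext>.id-<10 digits>_<email>,
and HKCU Run values launching an .exe from a 4-5 letter folder under
AppData\\Roaming. All sample inputs are constructed.
"""
import re
import sys
from collections import Counter
from pathlib import Path

# <original name>.<ext>.id-<10 digits>_<email>, e.g. testfile.pdf.id-1234567890_fud@india.com
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?\.(?P<ext>[^.]+))\.id-(?P<id>\d{10})_(?P<email>[^@\s]+@[^@\s]+)$"
)

# <drive>:\Users\<user>\AppData\Roaming\<4-5 letters>\<4-5 letters>.exe (assumed from the post)
RUN_TARGET = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\(?P<folder>[A-Za-z]{4,5})\\(?P<file>[A-Za-z]{4,5})\.exe$",
    re.IGNORECASE,
)

# One line of a .reg export: "name"="data", with \\ and \" escapes inside data
REG_LINE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_encrypted_name(name):
    """Split a ransomware-renamed file name into its parts, or return None."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def find_encrypted_files(root):
    """Walk root and return a record for every file whose name matches."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            rec = parse_encrypted_name(p.name)
            if rec:
                rec["path"] = str(p)
                hits.append(rec)
    return hits


def summarize(records):
    """Count victim IDs, contact addresses and original extensions across hits."""
    return {
        "ids": Counter(r["id"] for r in records),
        "emails": Counter(r["email"] for r in records),
        "extensions": Counter(r["ext"].lower() for r in records),
    }


def run_target(data):
    """Return the launched path if a Run value's data matches the pattern, else None."""
    path = data.strip().strip('"')  # the data is usually just the quoted path
    return path if RUN_TARGET.match(path) else None


def run_value_target(reg_line):
    """Decode one .reg line and apply run_target to its data."""
    m = REG_LINE.match(reg_line.strip())
    if not m:
        return None
    data = re.sub(r'\\(["\\])', r"\1", m.group("data"))  # undo .reg escaping
    return run_target(data)


def hkcu_run_values():
    """Read HKCU\\...\\Run on a live Windows host; elsewhere return an empty list."""
    if sys.platform != "win32":
        return []
    import winreg
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            index += 1
    return values


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed victim directory
        for n in ("report.docx.id-1234567890_fud@india.com", "notes.txt",
                  "db.bak.id-1234567890_fud@india.com"):
            (Path(d) / n).write_bytes(b"x")
        hits = find_encrypted_files(d)
        print(len(hits), "encrypted files:", dict(summarize(hits)["extensions"]))
    # constructed .reg lines: one matching the reported persistence, one benign
    for line in (
        r'"abcde.exe"="\"C:\\Users\\alice\\AppData\\Roaming\\qwert\\abcde.exe\""',
        r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""',
    ):
        print(line, "->", run_value_target(line))
    for name, data in hkcu_run_values():  # only populated on Windows
        if run_target(data):
            print("suspicious Run value:", name, "->", data)
```

Run it against a share or user profile root to get the victim ID and contact address out of the file names (useful when the fud.bmp note is gone), and feed it the Run key from an exported .reg or the live host to find the dropper's persistence entry before cleaning. The summary is the part worth keeping for the submission: one ID per machine tells you which files belong to which infection.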


#8 domyrat

Posted 01 March 2015 - 08:35 AM

Uploaded the files with folder paths to http://www.bleepingcomputer.com/submit-malware.php?channel=3



#9 Vedran2015

Posted 01 March 2015 - 03:49 PM

25/02/2015 (11:40 PM, Croatia) my computer was infected with the ransomware crypto extension .id-<number>_fud@india.com. An antivirus program recognized it but could not stop it. The virus has been removed, but all my files (PDF, DOC, DWG) were encrypted with the extension .id-<number>_fud@india.com.

If anyone knows how to decode these files ....... please help me.



#10 domyrat

Posted 02 March 2015 - 01:51 PM

Should we put this in some other part of the forum, or is this topic where it should be?



#11 quietman7

Posted 02 March 2015 - 01:57 PM

You are infected and this forum is for those who need help with infection...just like the other similar one I noted above.

I already advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic. If they are not responding, it is because they do not know enough about this particular infection.

#12 domyrat

Posted 03 March 2015 - 06:38 AM

Ok, then we need to wait....



#13 FigureGR

Posted 04 March 2015 - 03:16 PM

Unfortunately we did pay the ransom! This god damn thing didn't just encrypt the files but also erased all the shadow copies! I had no other solution than to pay those m@thorf@ckers!

If I can help in any way with the infected file, or the same file decrypted, or the decoder program, please let me know...



#14 EICT

Posted 04 March 2015 - 03:46 PM

Having the same problem as FigureGR but didn't get a popup on any of the machines used and no trace found of the virus..... In strong need of the data so also thinking of paying them. What's your experience FigureGR (I have sent you a message).



#15 quietman7

Posted 04 March 2015 - 04:49 PM

As is typical with a lot of these newer ransomware infections, they delete all Shadow Volume Copies so that you cannot restore your files via System Restore or using a program like Shadow Explorer...but it never hurts to try in case the infection did not do what it was supposed to do.