Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32/Filecoder.CR trojan


  • This topic is locked This topic is locked
3 replies to this topic

#1 sultanb

sultanb

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 13 July 2015 - 05:59 AM

Hello for everybody.
How to decrypt Files encrypted by Win32/Filecoder.CR trojan?
Any Help
Thanks
:hello:

Edited by computerxpds, 13 July 2015 - 06:49 AM.
Moved to Gen Sec from BC announcements


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,140 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:36 AM

Posted 13 July 2015 - 09:19 AM

Win32/Filecoder is a crypto malware infection detected by ESET. According to their research lab, there are several different variants for which they add a modifier or additional information after the name that further describes what type of ransomware it is. Most of the Filecoder threat detections are more commonly identified as CryptoLocker, Cryptowall, and CTB locker.Detailed description for the Win32/Filecoder.CR variant is not available.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .xyz, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
About_Files
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 sultanb

sultanb
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 14 July 2015 - 03:20 AM

hello

 

Win32/Filecoder is a crypto malware infection detected by ESET. According to their research lab, there are several different variants for which they add a modifier or additional information after the name that further describes what type of ransomware it is. Most of the Filecoder threat detections are more commonly identified as CryptoLocker, Cryptowall, and CTB locker.

Detailed description for the Win32/Filecoder.CR variant is not available.

Are there any file extensions appended to your files...such as .ecc, .ezz, .exx, .xyz, .CTBL, .CTB2, .XTBL, .encrypted, .vault, .HA3, .toxcrypt or 6-7 length extension consisting of random characters?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a random named .html, .txt, .png, .bmp, .url file.

These are some examples.
HELP_DECRYPT.TXT, HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG
HELP_TO_DECRYPT_YOUR_FILES.bmp, HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_RESTORE_FILES.txt
HELP_TO_SAVE_FILES.txt, HELP_TO_SAVE_FILES.bmp, RECOVERY_KEY.txt
DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, DECRYPT_INSTRUCTION.URL
About_Files

 

Hello

Yes i found a ransom note ,HELP_DECRYPT.HTML, HELP_DECRYPT.URL, HELP_DECRYPT.PNG .

which Link to web page that ask my to pay 500$ then 1000$.

there aren't any file extensions was added to the files.

Thanks



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,140 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:36 AM

Posted 14 July 2015 - 05:00 AM

- CryptoWall 3.0 leaves files (ransom notes) named:
HELP_DECRYPT.TXT
HELP_DECRYPT.HTML
HELP_DECRYPT.URL
HELP_DECRYPT.PNG

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

There are also ongoing discussions in these topics:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in one of those topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

Thanks
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users