

Ransomware nuisance.

1 reply to this topic

#1 Xdivermkv


  • Members
  • 21 posts

Posted 28 September 2015 - 01:16 PM

Hi All


Can I start by singing the praises of BC advisor Didier Stevens on another topic here? I've been hit by a ransomware bug (don't know which one yet - that's what I'm hoping to find out on this thread!). Didier has spent a lot of time looking at some of my encrypted files and has successfully recovered some. What a guy!


Basically, earlier in the month I discovered that a load of my JPG and MS Office files had changed from standard file extensions to a format like this: CIMG1152.JPG.id-9737394708_help2015@mail

References.doc.id-9737394708_help2015@mail etc.


In retrospect we noticed all the files had the same number after the id part of the extension. That seems to be a clue for the ransomware. Needless to say, these cannot now be opened. Didier managed to find the header for the JPEGs using a hex editor (I think) and re-save them. This recovered these, but the Office docs are really encrypted.


We have been unable to find any ransom note - not that I'd pay it!


I scanned some files on virustotal.com and they came up with a slightly longer filename, like this: Michael 21st2 005.jpg.id-9737394708_help2015@mail.bg (note the .BG extension missing from above). That made more sense, as mail.BG is an Eastern European e-mail outfit. Here's the VirusTotal scan URL: https://www.virustotal.com/en-gb/file/7d7ec35f1861e6267bcdc147743fe705e996e75ac8cefe7436f26a514941dd5c/analysis/1443375190/


I run Windows XP on this machine and I have McAfee on board and up to date, so I don't know how the bug got in.


The question is: can anyone help me discover if my machine is still infected? McAfee scans all come up clear.


Hoping brighter people than me can help and maybe learn something from this!


Thanks, my friends!
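The post describes two things a responder would want to automate: picking out every file that carries the `<name>.<ext>.id-<digits>_help2015@mail[.bg]` suffix (grouping them by the shared id number), and checking whether a renamed JPEG still contains a JPEG header that can be "re-saved" from a hex editor. The script below is an added example, not Didier Stevens' tool or the poster's data. It assumes the recovery amounts to locating the JPEG SOI marker (FF D8 FF) inside the file and keeping everything from that offset to the last EOI marker (FF D9); that is one reading of "find the header and re-save", and whether it works on a given sample depends on how much of the original file the malware left intact. The regex, the sample filenames and the byte contents of the sample files are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Constructed from the filenames quoted in the post; the trailing ".bg" is optional
# because the poster's listing showed it truncated while VirusTotal showed it in full.
RANSOM_SUFFIX = re.compile(
    r"^(?P<orig>.+?\.(?P<ext>[A-Za-z0-9]+))\.id-(?P<id>\d+)_help2015@mail(?:\.bg)?$"
)

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker, followed by an APPn/other marker byte
JPEG_EOI = b"\xff\xd9"      # end-of-image marker


def parse_ransom_name(name):
    """Return (original_name, extension_lowercase, victim_id) or None if no match."""
    m = RANSOM_SUFFIX.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("ext").lower(), m.group("id")


def find_jpeg_start(data):
    """Offset of the first SOI marker in data, or -1 if the header is gone."""
    return data.find(JPEG_SOI)


def carve_jpeg(data):
    """Bytes from the first SOI marker through the last EOI marker, or None."""
    start = find_jpeg_start(data)
    if start < 0:
        return None
    end = data.rfind(JPEG_EOI)
    if end < start:
        return None
    return data[start:end + 2]


def triage_directory(root):
    """Group renamed files by victim id and note where, if anywhere, a JPEG header survives."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        parsed = parse_ransom_name(path.name)
        if parsed is None:
            continue
        orig, ext, vid = parsed
        entry = {"path": str(path), "original": orig, "jpeg_header_at": None}
        if ext in ("jpg", "jpeg"):
            entry["jpeg_header_at"] = find_jpeg_start(path.read_bytes())
        report.setdefault(vid, []).append(entry)
    return report


def demo():
    """Build a constructed sample tree (not real victim files) and run the triage on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed "JPEG": 512 bytes of junk prepended to a minimal SOI/APP0...EOI body.
        fake_jpeg = (
            bytes(range(256)) * 2
            + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
            + b"\x00" * 32
            + b"\xff\xd9"
        )
        (root / "CIMG1152.JPG.id-9737394708_help2015@mail.bg").write_bytes(fake_jpeg)
        # Constructed "Office doc" with no recognisable structure left (fully encrypted).
        (root / "References.doc.id-9737394708_help2015@mail").write_bytes(b"\x9c\x14\xa7" * 64)
        (root / "untouched.txt").write_bytes(b"hello")

        report = triage_directory(root)
        carved = {}
        for entries in report.values():
            for e in entries:
                if e["jpeg_header_at"] is not None and e["jpeg_header_at"] >= 0:
                    carved[e["original"]] = carve_jpeg(Path(e["path"]).read_bytes())
        return report, carved


if __name__ == "__main__":
    report, carved = demo()
    for vid, entries in report.items():
        print(f"victim id {vid}: {len(entries)} renamed file(s)")
        for e in entries:
            print(f"  {e['original']:<20} jpeg_header_at={e['jpeg_header_at']}")
    for name, data in carved.items():
        print(f"carved {name}: {len(data)} bytes")
```

A carved file that opens in a viewer is not proof that the whole image came back, only that the JPEG structure survived from the SOI marker onward; if the malware overwrote the leading bytes rather than leaving them in place, `find_jpeg_start` returns -1 and nothing can be carved. Nothing here says whether the machine itself is still infected, which is the poster's actual question.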



#2 RolandJS


  • Members
  • 4,552 posts
  • Gender:Male
  • Location:Austin TX metro area

Posted 28 September 2015 - 02:21 PM

Someone mentioned IDTool.exe, which I believe is from the BC download section.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.


Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)
