Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible PowerWorm variant (that actually decrypts) ?

  • This topic is locked This topic is locked
1 reply to this topic

#1 GNull


  • Members
  • 1 posts
  • Local time:06:58 PM

Posted 24 December 2015 - 02:56 PM



I am assisting a client that was hit with what seems to be PowerWorm variant that is actually able to be decrypted, and I could use some help with the PS1 sent back after payment was sent. But first the back story:


 This client was referred to me after users complained files on the network drive started giving file corrupt errors, and the folders had DECRYPT_INSTRUCTION.HTML in them. The major bullet points are:


-No PC's on site showed any visible signs of infection when I arrived.

-Shared drive was not fully encrypted, no explanation for why it missed some files.

-Identified source user/PC by NTFS owner of DECRYPT_INSTRUCTION.HTML files

-Source user had opened a resume word doc, which failed to open with a warning of some sort, after releasing it from Barracuda.

-Shadow Copies were not configured on the data drive of server, and the pre-infection backups are not an option for recovery.

-Symantec found and removed Trojan.Cryptolocker on source PC.

-One encrypted file was uploaded and decrypted successfully by attacker (proof of life).

-Ransom was $500 in bitcoin for ~10 days, which was paid, and a powershell script was sent back via sendspace.


As I mentioned, the entire drive was not encrypted. Rather than run a suspect script on the live data I setup a Win7 VM, copied a few folders of both encrypted and non-encrypted data and set the script loose on that (without admin privileges). The files that were encrypted were unencrypted and open normally (jpgs), the un-touched, previously working files are now corrupt. The Win 7 sample pics were also corrupted, so the script assumes all matching files were encrypted.


When I ran "dir DECRYPT_INSTRUCTION.HTML /a /s" there were 18,096 found on the server, so there are that many directories that need cleaning, but I can't run the current script without it ruining the good files. 


My powershell experience is limited, so i am hoping there is someone who can assist with either modifying the script to examine files and only decrypt if needed (seems less likely), or at least allowing a subfolder to be specified.


Thank you for reading this and for any help you can provide.

(First post, so if I've missed something or anything further is needed please let me know.)




$739492774 = "QypfnxkCaVJHjErcsAGZN7K9IhR1W2UvTewDgldzOF4035YMPm"
$19387474823 = [Text.Encoding]::UTF8.GetBytes("S0fab4EuYBNqMF6tOiTg")
$838472783 = new-Object System.Security.Cryptography.RijndaelManaged
$838472783.Key = (new-Object Security.Cryptography.Rfc2898DeriveBytes $739492774, $19387474823, 5).GetBytes(32)
$838472783.IV = (new-Object Security.Cryptography.SHA1Managed).ComputeHash([Text.Encoding]::UTF8.GetBytes("alle") )[0..15]
$7382984778=gdr|where {$_.Free}|Sort-Object -Descending
foreach($263772627 in $7382984778){
	gci $263772627.root -Recurse -Include "*.pdf","*.xls","*.docx","*.xlsx","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.doc","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.php","*.aac","*.ac3","*.amf","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"|%{
			$7294877238 = New-Object System.IO.BinaryReader([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
			if ($7294877238.BaseStream.Length -lt 2048){return}
                        $7857348728 = 2048
                        $6458274672 = $7294877238.ReadBytes($7857348728)
			$548297563785 = $838472783.CreateDecryptor()
			$47373823837537 = new-Object IO.MemoryStream
			$658273648734 = new-Object Security.Cryptography.CryptoStream $47373823837537,$548297563785,"Write"
			$658273648734.Write($6458274672, 0,$6458274672.Length)
			$83865637482 = $47373823837537.ToArray()
			$538853723428 = New-Object System.IO.BinaryWriter([System.IO.File]::Open($_, [System.IO.FileMode]::Open, [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::Read),[System.Text.Encoding]::ASCII)
            $57273472723473 = $_.Directory.ToString() + '\DECRYPT_INSTRUCTION.html'
			ri $57273472723473 -Force

BC AdBot (Login to Remove)



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 50,739 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:58 PM

Posted 24 December 2015 - 03:51 PM

Welcome to Bleeping Computer.

Sorry to hear about your problem

There are several variants of Cryptowall. The original CryptoWall leaves files (ransom notes) named DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, and DECRYPT_INSTRUCTION.URL.

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0, CryptoWall 3.0 & CryptoWall 4.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Unfortunately at this time there is no fix tool and decryption of CryptoWall files...is impossible since there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. For a more detailed explanation, read this reply by Nathan (DecrypterFixer). The only other alternative is to save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a possible solution so save the encrypted data and wait until that time.

There is an ongoing discussions in this topic where you can ask questions and seek further assistance.Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users