
Decode jpg in case of virus(?)

10 replies to this topic

#1 namt
  • Members
  • 5 posts
  • Gender:Female
  • Location:Russia

Posted 21 January 2016 - 08:12 PM

Hello, everybody. I think that I got a virus, but I can not really understand what exactly the virus is .-.
I just found out yesterday that my old images have become "decoded". Not encrypted like Tesla or anything else that I could find on the internet. Only in this way -> _MG_1896.JPG.f9fe05a4 (before it was img_1896.jpg).
At first, of course, I checked the system for viruses with Malwarebytes Anti-Malware, Dr.Web and Eset. (Dr.Web and Eset did not find anything, but Malwarebytes deleted a lot .-. )
I looked on the Eset forum and tried to find a way to decode (a script) but didn't find anything.
After that I tried to use ShadowExplorer, but it doesn't help.
Is there any information about this virus? And what could I do?
Thank you, and sorry if I chose the wrong topic.



#2 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,479 posts
  • Gender:Male
  • Location:USA

Posted 21 January 2016 - 09:02 PM

Do you see any ransom notes? Can you give a link to a sample of the encrypted data?


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,288 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 January 2016 - 10:16 PM

Do all the encrypted files have the same .f9fe05a4 extension?

These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:
HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt
HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt, YOUR_FILES.url
YOUR_FILES.HTML, encryptor_raas_readme_liesmich.txt, help_decrypt_your_files.html, About_Files.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, _secret_code.txt 
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, Help_Decrypt.txt, HELP_DECYPRT_YOUR_FILES.HTML, DecryptAllFiles_.txt
HELP_TO_SAVE_FILES.txt, RECOVERY_FILES.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_[random].txt
Howto_RESTORE_FILES_.txt, Howto_Restore_FILES.txt, howto_recover_file_.txt, restore_files_.txt,
how_recover+[random].txt, _how_recover_.txt, recover_file_[random].txt, DecryptAllFiles_.txt

Note: The [random] represents random characters which some ransom notes names may include.
FWIW... Any files that are encrypted with the newest variants of CTB Locker (aka Critroni) will have a 6-7 character extension consisting of random characters such as .uogltic, .rtrsxox, .phszfud, etc. This extension is believed to be generated as a result of some type of algorithm involved at the time of the initial infection. CTB Locker will leave files (ransom notes) with names like DecryptAllFiles.txt and DecryptAllFiles_<user name>.txt that contain ransom instructions, but the newer variants do not always leave a ransom note if the malware fails to change the background, as it generally does. An AllFilesAreLocked_<user name>.bmp image file may be left in the My Documents folder which contains further instructions on how to pay the ransom.

However, I have not seen any reports with the _MG_ so this may be something new.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
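Added example, not code from this thread or from any tool named in it: a Python triage script that sorts a folder's files the way the advice above suggests, by a few of the ransom-note names listed (plus the Russian note name reported later in this thread), the .f9fe05a4 extension reported here, and the CTB Locker style 6-7 letter extension. It also reads the first bytes of each renamed file so that a file that was merely renamed can be told apart from one whose content was actually encrypted; the sample folder it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# A few ransom-note names from the post above plus the Russian one reported
# later in this thread; the extension is the one reported in this thread.
RANSOM_NOTE_NAMES = {"help_decrypt.txt", "decryptallfiles.txt", "how_to_decrypt_files.txt",
                     "decrypt_instructions.txt", "внимание_откройте-меня.txt"}
REPORTED_EXT = ".f9fe05a4"
RANDOM_EXT = re.compile(r"\.[a-z]{6,7}")   # CTB Locker style, e.g. .uogltic
# Magic bytes: a renamed file that still starts with them was only renamed.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG", ".pdf": b"%PDF"}

def classify(path: Path) -> str:
    """Return 'ransom-note', 'encrypted', 'renamed-only' or 'clean'."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom-note"
    suffixes = [s.lower() for s in path.suffixes]   # e.g. ['.jpg', '.f9fe05a4']
    if len(suffixes) >= 2 and suffixes[-2] in MAGIC and (
            suffixes[-1] == REPORTED_EXT or RANDOM_EXT.fullmatch(suffixes[-1])):
        with open(path, "rb") as fh:
            head = fh.read(8)
        return "renamed-only" if head.startswith(MAGIC[suffixes[-2]]) else "encrypted"
    return "clean"

def triage(root: str) -> dict:
    """Walk root and group every file (path relative to root) by class."""
    result = {"ransom-note": [], "encrypted": [], "renamed-only": [], "clean": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[classify(p)].append(str(p.relative_to(root)))
    return result

def build_sample_dir() -> str:
    """Constructed sample folder (hypothetical files, not the poster's data)."""
    root = tempfile.mkdtemp()
    samples = {
        "_MG_1896.JPG.f9fe05a4": b"\x13\x37" * 8,                 # content encrypted
        "renamed.jpg.f9fe05a4": b"\xff\xd8\xff\xe0" + b"\0" * 12,  # renamed only
        "scan.pdf.uogltic": b"\x00\x01\x02\x03" * 4,              # CTB Locker style
        "HELP_DECRYPT.TXT": b"constructed note",
        "holiday.png": b"\x89PNG\r\n\x1a\n",
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)
    return root
```

Run `triage("C:/Users/<name>")` (or any folder) to get the four lists; a large "renamed-only" group means the originals may be recoverable by simply restoring the names.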

#4 namt
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Female
  • Location:Russia

Posted 22 January 2016 - 04:21 AM

I didn't find any notes myself; I just remember that after the antivirus check a few notes were deleted, in the way quietman7 says, but they were named in Russian as: "ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt".
And one important note - recently, maybe 2 weeks ago, I reset Windows keeping one disk. And I think that maybe I caught this before the Windows reset. So in reality I didn't have any ransom notes. I just found that not all .jpg, .txt and .pdf files have been encrypted, but a lot of them.

Yes, all encrypted files have the same .f9fe05a4 extension.

Link to a sample of the encrypted data: sample



#5 namt
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Female
  • Location:Russia

Posted 22 January 2016 - 04:53 AM

I recently got a message on the eset.nod forum to write about this problem to an email address.
I wrote and gave a sample file in .rar and this guy gave me the recovery of the encrypted files. So now I have all my files back.
I think I couldn't give out the program that he gave to me - it's a program that he writes himself for the .f9fe05a4 extension, so I just left the e-mail of this guy - in case somebody has the same problem.

Thanks all.


#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,288 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 January 2016 - 07:42 AM

Russian "ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt" translates to WARNING OPEN-MENYa.txt so this may be something new.

If you have any left (samples of encrypted files, the ransom note or any suspicious executables - installer, malicious files, attachments - that you suspect were involved in causing the infection), they can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic. Doing that will help our crypto experts with analyzing and investigating.

#7 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,479 posts
  • Gender:Male
  • Location:USA

Posted 22 January 2016 - 09:23 AM

namt, on 22 January 2016 - 04:53 AM, said:

    I recently got a message on the eset.nod forum to write about this problem to an email address.
    I wrote and gave a sample file in .rar and this guy gave me the recovery of the encrypted files. So now I have all my files back.
    I think I couldn't give out the program that he gave to me - it's a program that he writes himself for the .f9fe05a4 extension, so I just left the e-mail of this guy - in case somebody has the same problem.

    Thanks all.


Did he give you any information about what the ransomware was that he wrote the tool for or what it was called?



#8 namt
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Female
  • Location:Russia

Posted 22 January 2016 - 12:42 PM

quietman7, on 22 January 2016 - 07:42 AM, said:

    Russian "ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt" translates to WARNING OPEN-MENYa.txt so this may be something new.

    If you have any left (samples of encrypted files, the ransom note or any suspicious executables - installer, malicious files, attachments - that you suspect were involved in causing the infection), they can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic. Doing that will help our crypto experts with analyzing and investigating.

From Russian it translates more exactly as 'ATTENTION_OPEN_ME.txt'.
Yes, I have one and I have submitted that file via your link.

Demonslay335, on 22 January 2016 - 09:23 AM, said:

    namt, on 22 January 2016 - 04:53 AM, said:

        I recently got a message on the eset.nod forum to write about this problem to an email address.
        I wrote and gave a sample file in .rar and this guy gave me the recovery of the encrypted files. So now I have all my files back.
        I think I couldn't give out the program that he gave to me - it's a program that he writes himself for the .f9fe05a4 extension, so I just left the e-mail of this guy - in case somebody has the same problem.

        Thanks all.

    Did he give you any information about what the ransomware was that he wrote the tool for or what it was called?

No, he didn't. I told him all that I told you before. After this he asked for an example file - decoded it and then sent the tool. After pointing the tool to a broken file, the tool checked all files with the .f9fe05a4 extension on Windows and replaced them with the originals.
I contacted him from the Russian topic "File Encryption and selection decoders" - it does not tell what exactly the virus was. Only a description of Filecoder, breaking_bad, Vault and searching for decoders.


#9 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,479 posts
  • Gender:Male
  • Location:USA

Posted 22 January 2016 - 12:51 PM

Hmm, wonder if it is the Filecoder ransomware. Description sounds like it matches, yet it could be a different variant or iteration of it. Very interesting if he has decrypted that one, since there seems to be little information around here about it.

Quoting quietman7 from another topic:

    Win32/Filecoder is a crypto malware infection detected by ESET. According to their research lab, there are several different variants for which they add a modifier or additional information after the name that further describes what type of ransomware it is. Most of the Filecoder threat detections are more commonly identified as CryptoLocker, Cryptowall, and CTB locker.

    Detailed description for the Win32/Filecoder.E variant includes a HOW_TO_DECRYPT_FILES.txt.
    Detailed description for the Win32/Filecoder.Q variant includes a HOW_TO_DECRYPT_FILES.txt.

    Detailed description for the Win32/Filecoder.CR variant is not available.


Could you post a link to the topic? Probably in Russian I take it, but I'll trust Google Translate a bit. :P



#10 namt
  • Topic Starter
  • Members
  • 5 posts
  • Gender:Female
  • Location:Russia

Posted 22 January 2016 - 01:04 PM

Maybe it can be the Filecoder ransomware, maybe not :unsure:

Of course - topic

If you have any questions about the translation - I could help, just write me a personal message.



#11 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,288 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 January 2016 - 01:44 PM

Google Translate is what I used for 'ВНИМАНИЕ_ОТКРОЙТЕ-МЕНЯ.txt' and it translated to 'WARNING OPEN-MENYa.txt', not 'ATTENTION_OPEN_ME.txt', so the translations are not always accurate. That could make a difference when investigating this infection.