I've been hacked

f4gib

Got the following message: Hello, your files are encrypted with
RSA-4096 algorithm
(http://en.wikipedia.org/wiki/RSA).

You will need at least few years to decrypt these files without our
software. All your private information for last 3 months were
collected and sent to us.

To decrypt your files you need to buy our software. The price is $300.

To buy our software please contact us at: tristanniglam@gmail.com and
provide us
your personal code -1481374230. After successful purchase we will send
your decrypting tool, and your private information will be deleted
from our system.

If you will not contact us until 07/15/2007 your private information
will be shared and you will lost all your data.

Glamorous team

I don't have access to WORD files, photos (JPEG), nor email (Outlook
Express). Is there anything I can do, except give in to this extortion?
 
David H. Lipman

From: "f4gib" <f4gib@discussions.microsoft.com>

| Got the following message: Hello, your files are encrypted with
| RSA-4096 algorithm
| (http://en.wikipedia.org/wiki/RSA).
|
| You will need at least few years to decrypt these files without our
| software. All your private information for last 3 months were
| collected and sent to us.
|
| To decrypt your files you need to buy our software. The price is $300.
|
| To buy our software please contact us at: tristanniglam@gmail.com and
| provide us
| your personal code -1481374230. After successful purchase we will send
| your decrypting tool, and your private information will be deleted
| from our system.
|
| If you will not contact us until 07/15/2007 your private information
| will be shared and you will lost all your data.
|
| Glamorous team
|
| I don't have access to WORD files, photos (JPEG), nor email (Outlook
| Express). Is there anything I can do, except give in to this extortion?

HOW did you get "the following message: Hello, your files are encrypted with
RSA-4096 algorithm".

You also said... "I don't have access to WORD files, photos (JPEG), nor email (Outlook
Express)"

Please describe what you mean by you don't have access.

Please be EXACT in your reply.

BTW: This might be a hoax or a case of cryptovirology but not necessarily that you have
been "hacked".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Malke

f4gib wrote:
> Got the following message: Hello, your files are encrypted with
> RSA-4096 algorithm
> (http://en.wikipedia.org/wiki/RSA).
>
> You will need at least few years to decrypt these files without our
> software. All your private information for last 3 months were
> collected and sent to us.
>
> To decrypt your files you need to buy our software. The price is $300.
>
> To buy our software please contact us at: tristanniglam@gmail.com and
> provide us
> your personal code -1481374230. After successful purchase we will send
> your decrypting tool, and your private information will be deleted
> from our system.
>
> If you will not contact us until 07/15/2007 your private information
> will be shared and you will lost all your data.
>
> Glamorous team
>
> I don't have access to WORD files, photos (JPEG), nor email (Outlook
> Express). Is there anything I can do, except give in to this extortion?


You have not been hacked. You ran or opened something you shouldn't have
(and perhaps your antivirus program is not a current version with
updated definitions) and you got infected with one of the many Bagle
virus variants. The Bagle virus is a known vector for the type of
ransomware you then got.

Older versions of this ransomware (Trojan CryZip) contained the password
which was made to look like a file path name and is:

C:\Program Files\Microsoft Visual Studio\VC98

However, if that doesn't work you have a different variant. Here is an
article that explains what is happening very well:

http://www.secureworks.com/research/threats/cryzip/

Your computer is also probably infected with other stuff. In the
article, it is suggested that Elcomsoft may be able to help. I would
contact them:

http://www.elcomsoft.com/

Please read the article at SecureWorks through and then report the crime
to the Internet Crime Complaint Center if you are in the United States:

http://www.ic3.gov/

Certainly you should not cave in to this extortion. If Elcomsoft can't
help, wipe your computer, clean-install Windows, restore files from backup.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
Christina C.

One of my users got attacked by this today as well. Searching high
and low online for someone else that received this threat, I finally
found this post on the newsgroups. I will be visiting that field office
tomorrow. I'll let you know how it goes.
 
Milo (MSPSS)

Ms. Christina, for further investigation of this concern, since I
believe you still have the said system that contains these "prompts", please do
call Microsoft Security toll free 866 727 2338 US/CANADA. They sure would
like to see how it is and what it does and assist you in any way they can.
--
Milo
MSPSS


"Christina C." wrote:

> One of my users got attacked by this today as well. Searching high
> and low online for someone else that received this threat, I finally
> found this post on the newsgroups. I will be visiting that field office
> tomorrow. I'll let you know how it goes.
>
>
 
f4gib

Dave,

The message appeared as a Read Me icon on my desktop. Upon opening, the
message appeared as one long line in a Notepad window. The same Read Me icon
appears in the items of My Documents. All the photo files have "JPEG"
instead of a picture. When I select a Word document, a Word window opens
with the warning "Word cannot open the existing (Normal)" and after okaying
that, this appears: "The document name or path is not valid. Try these
suggestions. *Check the file permissions for the document or drive. *Use the
File Open dialog box to locate the document. (C:\...\Admin\ATO routing
symbols.doc)." Okaying that gets this: "Microsoft Word has not been
installed for the current user. Please run setup to install the application."
For the email, at first I got a message indicating Outlook Express is not
supported. Now I get a message that Outlook Express is being reinstalled,
and all previous emails are lost.

I even tried restoring to a previous date, but that wasn't permitted.

Does this info help?

"David H. Lipman" wrote:

> From: "f4gib" <f4gib@discussions.microsoft.com>
>
> | Got the following message: Hello, your files are encrypted with
> | RSA-4096 algorithm
> | (http://en.wikipedia.org/wiki/RSA).
> |
> | You will need at least few years to decrypt these files without our
> | software. All your private information for last 3 months were
> | collected and sent to us.
> |
> | To decrypt your files you need to buy our software. The price is $300.
> |
> | To buy our software please contact us at: tristanniglam@gmail.com and
> | provide us
> | your personal code -1481374230. After successful purchase we will send
> | your decrypting tool, and your private information will be deleted
> | from our system.
> |
> | If you will not contact us until 07/15/2007 your private information
> | will be shared and you will lost all your data.
> |
> | Glamorous team
> |
> | I don't have access to WORD files, photos (JPEG), nor email (Outlook
> | Express). Is there anything I can do, except give in to this extortion?
>
> HOW did you get "the following message: Hello, your files are encrypted with
> RSA-4096 algorithm".
>
> You also said... "I don't have access to WORD files, photos (JPEG), nor email (Outlook
> Express)"
>
> Please describe what you mean by you don't have access.
>
> Please be EXACT in your reply.
>
> BTW: This might be a hoax or a case of cryptovirology but not necessarily that you have
> been "hacked".
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
 
Christina C.

On Jul 11, 11:36 pm, Milo (MSPSS) <v-4jp...@mssupport.microsoft.com>
wrote:
> Ms. Christina, for further investigation of this concern, since I
> believe you still have the said system that contains these "prompts", please do
> call Microsoft Security toll free 866 727 2338 US/CANADA. They sure would
> like to see how it is and what it does and assist you in any way they can.
> --
> Milo
> MSPSS
>
>
>


I'm calling now
 
Christina C.

On Jul 12, 2:59 pm, "Christina C." <lanikaib...@hotmail.com> wrote:
> On Jul 11, 11:36 pm, Milo (MSPSS) <v-4jp...@mssupport.microsoft.com>
> wrote:
>
> > Ms. Christina, for further investigation of this concern, since I
> > believe you still have the said system that contains these "prompts", please do
> > call Microsoft Security toll free 866 727 2338 US/CANADA. They sure would
> > like to see how it is and what it does and assist you in any way they can.
> > --
> > Milo
> > MSPSS

>
> I'm calling now


Well, it's been an interesting process -- been on the phone with
Microsoft over 2 hours being passed around to different departments.
Five instances of this were reported to them already. They're unsure
how to clean it. I'll be working on it again tomorrow. My user's
documents are corrupt.
 
Malke

Christina C. wrote:
> On Jul 12, 2:59 pm, "Christina C." <lanikaib...@hotmail.com> wrote:
>> On Jul 11, 11:36 pm, Milo (MSPSS) <v-4jp...@mssupport.microsoft.com>
>> wrote:
>>
>>> Ms. Christina, for further investigation of this concern, since I
>>> believe you still have the said system that contains these "prompts", please do
>>> call Microsoft Security toll free 866 727 2338 US/CANADA. They sure would
>>> like to see how it is and what it does and assist you in any way they can.
>>> --
>>> Milo
>>> MSPSS

>> I'm calling now

>
> Well, it's been an interesting process -- been on the phone with
> Microsoft over 2 hours being passed around to different departments.
> Five instances of this were reported to them already. They're unsure
> how to clean it. I'll be working on it again tomorrow. My user's
> documents are corrupt.
>


Didn't you read my answer to the Original Poster? It's pitiful that MS
Security hasn't heard of this trojan - it's been around since at least
2006. Read my answer and contact Elcomsoft.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
David H. Lipman

From: "Malke" <notreally@invalid.invalid>


| Didn't you read my answer to the Original Poster? It's pitiful that MS
| Security hasn't heard of this trojan - it's been around since at least
| 2006. Read my answer and contact Elcomsoft.
|
| Malke

Malke:

Are you sure this is the SAME cryptographic trojan using a password as (or is)
"C:\Program Files\Microsoft Visual Studio\VC98" ?

I think this is a new variant or copy-cat.

{ Personally, I am having a "bad" day and I'm not sure of anything Today :-( }


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Malke

David H. Lipman wrote:
> From: "Malke" <notreally@invalid.invalid>
>
>
> | Didn't you read my answer to the Original Poster? It's pitiful that MS
> | Security hasn't heard of this trojan - it's been around since at least
> | 2006. Read my answer and contact Elcomsoft.
> |
> | Malke
>
> Malke:
>
> Are you sure this is the SAME cryptographic trojan using a password as (or is)
> "C:\Program Files\Microsoft Visual Studio\VC98" ?
>
> I think this is a new variant or copy-cat.
>
> { Personally, I am having a "bad" day and I'm not sure of anything Today :-( }
>
>


Hi, Dave - No, I'm not sure. That's why I wrote this in my post to the OP:

****
Older versions of this ransomware (Trojan CryZip) contained the password
which was made to look like a file path name and is:

C:\Program Files\Microsoft Visual Studio\VC98

However, if that doesn't work you have a different variant. Here is an
article that explains what is happening very well:
http://www.secureworks.com/research/threats/cryzip/
****

I'm sorry you're having a bad day; email me or just take this virtual
hug. [ ]


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
 
David H. Lipman

From: "f4gib" <f4gib@discussions.microsoft.com>

| Dave,
|
| The message appeared as a Read Me icon on my desktop. Upon opening, the
| message appeared as one long line in a Notepad window. The same Read Me icon
| appears in the items of My Documents. All the photo files have "JPEG"
| instead of a picture. When I select a Word document, a Word window opens
| with the warning "Word cannot open the existing (Normal)" and after okaying
| that, this appears: "The document name or path is not valid. Try these
| suggestions. *Check the file permissions for the document or drive. *Use the
| File Open dialog box to locate the document. (C:\...\Admin\ATO routing
| symbols.doc)." Okaying that gets this: "Microsoft Word has not been
| installed for the current user. Please run setup to install the application."
| For the email, at first I got a message indicating Outlook Express is not
| supported. Now I get a message that Outlook Express is being reinstalled,
| and all previous emails are lost.
|
| I even tried restoring to a previous date, but that wasn't permitted.
|
| Does this info help?
|

Could you please send me samples ?

Look to see if the affected PC has the file NTOS.EXE on it and provide it and any files that
were encrypted that do NOT have personal data in them.

Please send them to DLipman~nospam~@Verizon.Net just remove ~nospam~

Send the files in a password protected ZIP file with the password being infected
{ password = infected }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
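A defender-side triage script for the symptoms described in this thread (JPEG and Word files that no longer open, a "Read Me" note, and Dave's question about NTOS.EXE). This is an added example, not code from anyone in the thread; it assumes the affected drive is mounted read-only on a clean machine, and it treats the presence of an ntos.exe as a lead to hand to the analysts, not as proof of infection.

```python
import os
from pathlib import Path

# Header bytes for the file types the poster reported as unopenable.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".doc": (b"\xd0\xcf\x11\xe0",),   # OLE2 compound document (Word 97-2003)
}
# Phrases taken from the ransom note quoted in the thread.
NOTE_MARKERS = (b"your files are encrypted", b"decrypt your files")
# Filename Dave asked about; a hit here is a lead for the analysts, not proof.
SUSPECT_BINARIES = {"ntos.exe"}


def triage(root):
    """Walk a directory tree and collect three indicators from the thread:
    files whose extension promises JPEG/DOC but whose header no longer
    matches (likely encrypted), files that contain ransom-note phrases,
    and any ntos.exe. Returns a dict of sorted path lists."""
    hits = {"mismatched": [], "notes": [], "suspect": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                with open(p, "rb") as fh:
                    head = fh.read(4096)      # header plus the start of any note
            except OSError:
                continue                       # unreadable: skip, do not modify
            if name.lower() in SUSPECT_BINARIES:
                hits["suspect"].append(str(p))
            ext = p.suffix.lower()
            if ext in MAGIC and not any(head.startswith(m) for m in MAGIC[ext]):
                hits["mismatched"].append(str(p))
            if any(m in head.lower() for m in NOTE_MARKERS):
                hits["notes"].append(str(p))
    for key in hits:
        hits[key].sort()
    return hits


if __name__ == "__main__":
    import sys
    for kind, paths in triage(sys.argv[1]).items():
        print(kind, len(paths))
        for path in paths:
            print("  ", path)
```

Mismatched files are the ones worth sending to the analysts in the password-protected ZIP Dave describes; the header check is a cheap first filter, not a substitute for their analysis.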
 
Christina C.

Dave,

Will do (tomorrow) thank you so much. Needless to say it's been an
interesting day for myself as well. My user doesn't know that her
files are corrupted at this point. I got to our field office today
early enough for her to come in and see me deploy a newly imaged
machine to her.

I'm just hoping it's an isolated case and it doesn't spread.
 
David H. Lipman

From: "Christina C." <lanikaibabe@hotmail.com>

| Dave,
|
| Will do (tomorrow) thank you so much. Needless to say it's been an
| interesting day for myself as well. My user doesn't know that her
| files are corrupted at this point. I got to our field office today
| early enough for her to come in and see me deploy a newly imaged
| machine to her.
|
| I'm just hoping it's an isolated case and it doesn't spread.

A group of anti-malware professionals is awaiting anything you can provide.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
Milo (MSPSS)

If Microsoft Security can identify and isolate the root cause and instances
of return of infection, it would help others who have the same instance of
infection such as what you have in your office. I am sorry to hear that you've
gone 2 hrs long troubleshooting for such a matter. I do hope you have already
reached escalation this second time you called.

thanks,

--
Milo
MSPSS


"Christina C." wrote:

> On Jul 12, 2:59 pm, "Christina C." <lanikaib...@hotmail.com> wrote:
> > On Jul 11, 11:36 pm, Milo (MSPSS) <v-4jp...@mssupport.microsoft.com>
> > wrote:
> >
> > > Ms. Christina, for further investigation of this concern, since I
> > > believe you still have the said system that contains these "prompts", please do
> > > call Microsoft Security toll free 866 727 2338 US/CANADA. They sure would
> > > like to see how it is and what it does and assist you in any way they can.
> > > --
> > > Milo
> > > MSPSS

> >
> > I'm calling now

>
> Well, it's been an interesting process -- been on the phone with
> Microsoft over 2 hours being passed around to different departments.
> Five instances of this were reported to them already. They're unsure
> how to clean it. I'll be working on it again tomorrow. My user's
> documents are corrupt.
>
>
 
Christina C.

Dave,

I ran a HijackThis log on the machine and indeed I did find NTOS.EXE
running. More to come.
 
PA Bear

David H. Lipman wrote:
> From: "f4gib" <f4gib@discussions.microsoft.com>
>> Got the following message: Hello, your files are encrypted
>> with
>> RSA-4096 algorithm
>> (http://en.wikipedia.org/wiki/RSA).

> < snip >
>
> This is a type of trojan that uses what is called Cryptovirology.
>
> Please stay tuned...


This should be good...
--
~PA Bear
 