I've been hacked


Christina C.

I've been communicating with Dave via email...

yes, I was just about to use Recovery Console however our
administrator password is quite strong with one ascii character. I
found an article online from Microsoft that says you cannot use ascii
characters in Recovery Console (known bug?) http://support.microsoft.com/kb/304099

Oh well... at this point wanting to toss the machine out the
window... I woke up from a temporary lapse of better judgement and
took the SATA drive out of the machine and attached it to another
machine with a USB adapter I have.

I have full access to the hard drive.

I discovered one file and several directories with a date/time stamp
of 7/11/07 5:04pm -- that's the time of the infection!

I am emailing my discoveries along with ntos.exe to Dave.

KUDOS and many thanks to Dave and the team of Malware experts.

Let's get this bug!

-Christina in PA
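The approach in the post above, an offline-mounted disk searched for everything stamped at the moment of infection, is a standard timeline-triage step. Below is an added example that is not code from this thread or from any of the participants: a small Python script that walks a mounted volume and lists every file or directory whose last-modified time falls inside a window around a pivot time (the 7/11/07 5:04pm stamp from the post). The mount path, the window size and the sample tree it builds in a scratch directory are constructed assumptions for illustration.

```python
"""Timeline triage of an offline-mounted disk (added example, not from the thread).

Walk a mounted drive and report every entry whose mtime lies within a window
around a suspected infection time, so dropped artefacts stand out.
"""
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Pivot taken from the thread: 7/11/07 5:04pm (local time of the evidence host).
INFECTION_TIME = datetime(2007, 7, 11, 17, 4)


def find_touched(root, pivot=INFECTION_TIME, window=timedelta(minutes=5)):
    """Return relative paths (files and directories) under *root* whose mtime
    lies within +/- *window* of *pivot*, ordered by mtime then path.

    Only st_mtime is compared: it travels with the disk when it is moved to
    another machine, whereas st_ctime means creation time on Windows but
    inode-change time on POSIX, so it is not comparable across the two.
    """
    root = Path(root)
    lo, hi = pivot - window, pivot + window
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            try:
                st = entry.lstat()  # lstat: never follow symlinks on evidence
            except OSError:
                continue  # unreadable entry: skip rather than abort the sweep
            mtime = datetime.fromtimestamp(st.st_mtime)
            if lo <= mtime <= hi:
                rel = str(entry.relative_to(root)).replace(os.sep, "/")
                hits.append((mtime, rel))
    hits.sort()
    return [rel for _, rel in hits]


def build_sample_tree(base):
    """Constructed sample volume: a dropped binary and its directory stamped at
    the pivot, plus an older document that must not be reported."""
    base = Path(base)
    stamped = INFECTION_TIME.timestamp()
    month_earlier = stamped - 30 * 86400
    sys32 = base / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (base / "Documents").mkdir()
    dropped = sys32 / "ntos.exe"  # name seen in the thread; content is a placeholder
    dropped.write_bytes(b"MZ constructed placeholder, not a real binary")
    old_doc = base / "Documents" / "report.doc"
    old_doc.write_bytes(b"unchanged document")
    # Set timestamps after all writes so directory mtimes are not bumped again.
    os.utime(old_doc, (month_earlier, month_earlier))
    os.utime(dropped, (stamped + 30, stamped + 30))
    os.utime(sys32, (stamped, stamped))
    os.utime(base / "WINDOWS", (month_earlier, month_earlier))
    os.utime(base / "Documents", (month_earlier, month_earlier))
    return base


def demo(window_minutes=5):
    """Build the constructed tree in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as scratch:
        root = build_sample_tree(scratch)
        return find_touched(root, window=timedelta(minutes=window_minutes))


if __name__ == "__main__":
    # Against a real mounted volume you would call e.g. find_touched("E:/")
    # (hypothetical mount point); here the constructed tree is used instead.
    for path in demo():
        print(path)
```

Run it on the real volume by passing the mount point and, if needed, a wider window; widen the window gradually, since a dropper usually touches its own directory first and its payload seconds later, as the sample tree models.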
 

PA Bear

And let's find out how it got there!
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin DTS-L.org

Christina C. wrote:
> I've been communicating with Dave via email...
>
> yes, I was just about to use Recovery Console however our
> administrator password is quite strong with one ascii character. I
> found an article online from Microsoft that says you cannot use ascii
> characters in Recovery Concole (known bug?)
> http://support.microsoft.com/kb/304099
>
> Oh well... at this point wanting to toss the machine out the
> window... I woke up from a temporary lapse of better judgement and
> took the SATA drive out of the machine and attached it to another
> machine with a USB adapter I have.
>
> I have full access to the harddrive.
>
> I discovered one file and several directories with a date/time stamp
> of 7/11/07 5:04pm -- that's the time of the infection!
>
> I am emailing my discoveries along with ntos.exe to Dave.
>
> KUDOS and many thanks to Dave and the team of Malware experts.
>
> Let's get this bug!
>
> -Christina in PA
 

Christina C.

:) -- Dave I let that run overnight on the harddrive that's still
attached as a USB drive. We'll see what happens.

Also, just in case Jacques doesn't want to change the tool to search
additional drives, I had a :duh: moment: I could copy the user's
documents that are encrypted to the laptop's hard drive I am using and
let the tool run on that.

Thanks again, I may just make someone very happy if I recover her
documents. That'll teach her for not having a backup.

Did Jacques or anyone discover how one may have gotten this? An
infected website? In a bad download? Backdoor?
 

David H. Lipman

From: "Christina C." <lanikaibabe@hotmail.com>

| :) -- Dave I let that run overnight on the harddrive that's still
| attached as a USB drive. We'll see what happens.
|
| Also, just in case Jacques doesn't want to change to tool to search
| additional drives I had a :duh: moment I could copy the user's
| documents that are encrypted to the laptop's harddrive I am using and
| let the tool run on that.
|
| Thanks again, I may just make someone very happy if I recover her
| documents. That'll teach her for not having a backup.
|
| Did Jacques or anyone discover how one may have gotten this? An
| infected website? In a bad download? Backdoor?

Jacques indicated he would alter the tool.

No one has mentioned what the infection vector is or what they think it may be.

They do state that this is an older Password Stealing Trojan that was just recently updated
to use Cryptovirology as its payload. Therefore it is a copycat of the previously
mentioned CryptZIP Trojan.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

David H. Lipman

From: "Christina C." <lanikaibabe@hotmail.com>

| :) -- Dave I let that run overnight on the harddrive that's still
| attached as a USB drive. We'll see what happens.

| Also, just in case Jacques doesn't want to change to tool to search
| additional drives I had a :duh: moment I could copy the user's
| documents that are encrypted to the laptop's harddrive I am using and
| let the tool run on that.

| Thanks again, I may just make someone very happy if I recover her
| documents. That'll teach her for not having a backup.

| Did Jacques or anyone discover how one may have gotten this? An
| infected website? In a bad download? Backdoor?



From Jacques:

"** its up - http://www.prevxresearch.com/unransomme.exe
Now iterates all hard disks and displays progress"


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

Christina C.

Thank you once again to Dave and Jacques! I will try this today when
I get to work.

You guys are the best!
 

Juergen Nieveler

"Christina C." <lanikaibabe@hotmail.com> wrote:

> That'll teach her for not having a backup.


Hopefully it will also teach her not to click on strange executables -)

Juergen Nieveler
--
The one time you skip the firing circuit test is when you have the
misfire.
 

PA Bear


Christina C.

Seems like the files decrypted -- but they're still unreadable.
 

David H. Lipman

From: "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de>


|
| Hopefully it will also teach her not to click on strange executables -)
|
| Juergen Nieveler

It seems this was a spear-phishing type attack. Those specifically looking for jobs were
affected.


I have seen job phishing thanks to my account on Monster. The objective is to get personal data
by misrepresentation of a possible job.

This is a NEW twist.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

f4gib

For possible verification, I was contacted by Monster to update my resume,
which I did on 7/6/07. It looked official to me.

"David H. Lipman" wrote:

> From: "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de>
>
>
> |
> | Hopefully it will also teach her not to click on strange executables -)
> |
> | Juergen Nieveler
>
> It seems this was a spear-phishing type attack. Those specifically looking for jobs were
> affected.
>
>
> I have seen job phishing thanx to my account on Monster. The objective get personal data
> by misrepresentation of a possible job.
>
> This is a NEW twist.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
 

David H. Lipman

From: "f4gib" <f4gib@discussions.microsoft.com>

| For possible verification, I was contacted by Monster to update my resume,
| which I did on 7/6/07. It looked official to me.
|

I hope you got my email.

Do you still have that email ?
I'd like to see the Full Headers and Body (personal information obfuscated) of the email to
see if it was "official" and "legit".

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

James Matthews

This is common behavior of some Trojans! If it's new I feel bad for you;
don't worry, the antivirus companies reverse these files fast and give you
the password! It's a really mean thing to do something like this!

--

http://www.goldwatches.com/watches.asp?Brand=14
"f4gib" <f4gib@discussions.microsoft.com> wrote in message
news:429CE0B8-C3DC-4C77-BC92-A893F1A65957@microsoft.com...
> Got the following message: Hello, your files are encrypted
> with
> RSA-4096 algorithm
> (http://en.wikipedia.org/wiki/RSA).
>
> You will need at least few years to decrypt these files without our
> software. All your private information for last 3 months were
> collected and sent to us.
>
> To decrypt your files you need to buy our software. The price is $300.
>
> To buy our software please contact us at: tristanniglam@gmail.com and
> provide us
> your personal code -1481374230. After successful purchase we will send
> your decrypting tool, and your private information will be deleted
> from our system.
>
> If you will not contact us until 07/15/2007 your private information
> will be shared and you will lost all your data.
>
> Glamorous team
>
> I don't have access to WORD files, photos (JPEG), nor email (Outlook
> Express). Is there anything I can do, except give in to this extortion?
 

David H. Lipman

From: "James Matthews" <jamesmatt18@gmail.com>

| This is common behavior of some Trojans! If it's new I feel bad for you
| don't worry the antivirus companies reverse these files fast and give you
| the password! It's a really mean thing to do something like this!


This is NOT common. There are only a handful of Trojans using Cryptovirology as a
payload.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 