Microsoft Windows Bulletin Board

I've been hacked



Guest David H. Lipman
Posted

From: "Christina C." <lanikaibabe@hotmail.com>

 

| :) -- Dave I let that run overnight on the harddrive that's still

| attached as a USB drive. We'll see what happens.

|

| Also, just in case Jacques doesn't want to change the tool to search

| additional drives I had a :duh: moment I could copy the user's

| documents that are encrypted to the laptop's harddrive I am using and

| let the tool run on that.

|

| Thanks again, I may just make someone very happy if I recover her

| documents. That'll teach her for not having a backup.

|

| Did Jacques or anyone discover how one may have gotten this? An

| infected website? In a bad download? Backdoor?

 

Jacques indicated he would alter the tool.

 

No one has mentioned what the infection vector is or what they think it may be.

 

They do state that this is an older Password Stealing Trojan that was just recently updated

to use Cryptovirology as its payload. Therefore it is a copycat of the previously

mentioned CryptZIP Trojan.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

http://www.ik-cs.com/got-a-virus.htm

Guest David H. Lipman
Posted

From: "Christina C." <lanikaibabe@hotmail.com>

 

| :) -- Dave I let that run overnight on the harddrive that's still

| attached as a USB drive. We'll see what happens.

 

| Also, just in case Jacques doesn't want to change the tool to search

| additional drives I had a :duh: moment I could copy the user's

| documents that are encrypted to the laptop's harddrive I am using and

| let the tool run on that.

 

| Thanks again, I may just make someone very happy if I recover her

| documents. That'll teach her for not having a backup.

 

| Did Jacques or anyone discover how one may have gotten this? An

| infected website? In a bad download? Backdoor?

 

 

 

From Jacques:

 

"** its up - http://www.prevxresearch.com/unransomme.exe

Now iterates all hard disks and displays progress"

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

http://www.ik-cs.com/got-a-virus.htm

Guest Christina C.
Posted

Thank you once again to Dave and Jacques! I will try this today when

I get to work.

 

You guys are the best!

Guest Juergen Nieveler
Posted

"Christina C." <lanikaibabe@hotmail.com> wrote:

> That'll teach her for not having a backup.

 

Hopefully it will also teach her not to click on strange executables -)

 

Juergen Nieveler

--

The one time you skip the firing circuit test is when you have the

misfire.

Guest PA Bear
Posted

David H. Lipman wrote:

> From: "Christina C." <lanikaibabe@hotmail.com>

>> Good morning all....

>

>> Look at this blog I found online about this type of ransomware:

>

>> http://www.prevx.com/blog.asp

>

> I know Jacques :- )

>

> http://www.prevxresearch.com/unransomme.exe

 

cf. http://aumha.net/viewtopic.php?t=28118 and

http://aumha.net/viewtopic.php?t=28050

--

~Robear Dyer (PA Bear)

MS MVP-Windows (IE, OE, Security, Shell/User)

AumHa VSOP & Admin DTS-L.org

Guest Christina C.
Posted
Seems like the files decrypted -- but they're still unreadable.
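A practical check for the situation described in the post above, added here as an example and not part of the original thread or of the unransomme.exe tool: when a decryptor reports success but Word, a JPEG viewer or Outlook Express still cannot open the output, look at the first bytes of each file and at its byte distribution. A genuinely restored file starts with its format's signature; a file that is still ciphertext has no signature and near-uniform bytes (about 8 bits of entropy per byte); a file that was merely mangled usually has low entropy and no signature. The sample file contents below are constructed in memory, and the `.dbx` prefix is only the common leading 4 bytes of Outlook Express store files (an assumption; the full 20-byte header is not checked).

```python
"""Sanity-check files a decryptor claims to have restored.

Added example, not code from the thread or from the unransomme.exe tool.
Classifies each recovered file as 'ok', 'still-encrypted' or 'corrupt'
from its leading bytes and its Shannon entropy.
"""
import math
import os
from collections import Counter

# Leading-byte signatures for the formats named in the thread.
SIGNATURES = {
    ".doc": bytes.fromhex("D0CF11E0A1B11AE1"),  # OLE2 compound document (Word 97-2003)
    ".jpg": bytes.fromhex("FFD8FF"),            # JPEG start-of-image marker
    ".dbx": bytes.fromhex("CFAD12FE"),          # Outlook Express store, 4-byte prefix (assumption)
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the given bytes; ~8.0 means random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, entropy_threshold: float = 7.5) -> str:
    """Return 'ok', 'still-encrypted' or 'corrupt' for one recovered file.

    Only the first 4 KiB feed the entropy estimate so large files are cheap
    to triage; a real Word or JPEG header region is far below the threshold.
    """
    ext = os.path.splitext(name)[1].lower()
    sig = SIGNATURES.get(ext)
    if sig is not None and data.startswith(sig):
        return "ok"
    # Wrong or missing signature: decide between ciphertext and plain damage.
    if shannon_entropy(data[:4096]) >= entropy_threshold:
        return "still-encrypted"
    return "corrupt"


def triage(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed samples (not real user data):
GOOD_JPEG = bytes.fromhex("FFD8FFE000104A464946") + b"\x00" * 200   # valid JFIF header
CIPHERTEXT = bytes(range(256)) * 16                                  # exactly 8.0 bits/byte
ZEROS = b"\x00" * 512                                                # no signature, no entropy

SAMPLE_FILES = {
    "resume.jpg": GOOD_JPEG,
    "resume.doc": CIPHERTEXT,
    "notes.doc": ZEROS,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

Run it over the directory the tool wrote to (replace `SAMPLE_FILES` with the real files' first few kilobytes); a folder full of `still-encrypted` verdicts means the tool did not actually decrypt anything, whereas `corrupt` points at the copy or the tool's output path rather than the cipher.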
Guest David H. Lipman
Posted

From: "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de>

 

 

|

| Hopefully it will also teach her not to click on strange executables -)

|

| Juergen Nieveler

 

It seems this was a spear-phishing type attack. Those specifically looking for jobs were

affected.

 

 

I have seen job phishing thanks to my account on Monster. The objective is to get personal data

by misrepresentation of a possible job.

 

This is a NEW twist.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

http://www.ik-cs.com/got-a-virus.htm

Guest f4gib
Posted

For possible verification, I was contacted by Monster to update my resume,

which I did on 7/6/07. It looked official to me.

 

"David H. Lipman" wrote:

> From: "Juergen Nieveler" <juergen.nieveler.nospam@arcor.de>

>

>

> |

> | Hopefully it will also teach her not to click on strange executables -)

> |

> | Juergen Nieveler

>

> It seems this was a spear-phishing type attack. Those specifically looking for jobs were

> affected.

>

>

> I have seen job phishing thanks to my account on Monster. The objective is to get personal data

> by misrepresentation of a possible job.

>

> This is a NEW twist.

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> http://www.ik-cs.com/got-a-virus.htm

>

>

>

Guest David H. Lipman
Posted

From: "f4gib" <f4gib@discussions.microsoft.com>

 

| For possible verification, I was contacted by Monster to update my resume,

| which I did on 7/6/07. It looked official to me.

|

 

I hope you got my email.

 

Do you still have that email?

I'd like to see the Full Headers and Body (personal information obfuscated) of the email to

see if it was "official" and "legit".

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

http://www.ik-cs.com/got-a-virus.htm
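The header review Dave asks for above can be done systematically. The following is an added example, not part of the thread and not a description of the real notice's headers (which are not on the page): it parses a message's full headers with Python's standard `email` module and flags the usual signs that a mail is not from the organization its From line claims. Every domain, address and host in the two sample messages is a constructed placeholder; the checks themselves (Return-Path and Reply-To domains against the From domain, the first Received hop, a server-side SPF result where present, and where the body's links point) are the ones a practitioner would apply to a saved `.eml`.

```python
"""Triage an e-mail's full headers against its From line.

Added example, not code from the thread. Sample messages below are
constructed; example.com / example.net / .test names are placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr


def domain_of(addr) -> str:
    """Domain part of an address header value ('' if absent)."""
    _, mailbox = parseaddr(str(addr) if addr is not None else "")
    return mailbox.rpartition("@")[2].lower()


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def received_hosts(msg) -> list:
    """Hosts from 'Received: from <host>' lines in header order (newest first)."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        if m:
            hosts.append(m.group(1).strip("[]").lower())
    return hosts


def link_domains(text: str) -> set:
    return {d.lower() for d in re.findall(r"https?://([^/\s\"'>]+)", text)}


def triage(raw: str) -> list:
    """Return a list of findings; an empty list means nothing contradicted the From line."""
    msg = message_from_string(raw, policy=default)
    claimed = domain_of(msg["From"])
    findings = []
    rp = domain_of(msg["Return-Path"])
    if rp and not same_org(rp, claimed):
        findings.append(f"Return-Path domain {rp} is not {claimed}")
    rt = domain_of(msg["Reply-To"])
    if rt and not same_org(rt, claimed):
        findings.append(f"Reply-To domain {rt} is not {claimed}")
    hops = received_hosts(msg)
    # The last Received line was added first: it names the host that handed the mail in.
    if hops and not same_org(hops[-1], claimed):
        findings.append(f"first hop {hops[-1]} is not in {claimed}")
    auth = msg["Authentication-Results"]
    if auth and re.search(r"spf=(fail|softfail)", str(auth), re.I):
        findings.append("receiving server recorded an SPF failure")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for d in sorted(link_domains(text)):
        if not same_org(d, claimed):
            findings.append(f"link points to {d}, not {claimed}")
    return findings


# Constructed sample: claims jobs.example.com, but everything else says example.net.
SUSPECT = """\
Return-Path: <bounce-8813@mail-relay.example.net>
Received: from mx.recipient.test (mx.recipient.test [192.0.2.10])
    by inbox.recipient.test with ESMTP; Fri, 6 Jul 2007 09:12:01 -0400
Received: from mail-relay.example.net ([198.51.100.7])
    by mx.recipient.test with SMTP; Fri, 6 Jul 2007 09:11:58 -0400
Authentication-Results: mx.recipient.test; spf=fail smtp.mailfrom=mail-relay.example.net
From: "Jobs Team" <noreply@jobs.example.com>
Reply-To: <careers-desk@example.net>
To: <candidate@recipient.test>
Subject: Please update your resume
Content-Type: text/plain; charset="us-ascii"

Hello, please update your resume at http://jobs-update.example.net/resume
"""

# Constructed sample: consistent headers, nothing to flag.
CLEAN = """\
Return-Path: <bounces@jobs.example.com>
Received: from mail.jobs.example.com (mail.jobs.example.com [203.0.113.5])
    by mx.recipient.test with ESMTP; Fri, 6 Jul 2007 09:12:01 -0400
From: "Jobs Team" <noreply@jobs.example.com>
To: <candidate@recipient.test>
Subject: Please update your resume
Content-Type: text/plain; charset="us-ascii"

Hello, please update your resume at https://www.jobs.example.com/resume
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, triage(raw) or ["no findings"])
```

Save the original message with full headers (in Outlook Express: File, Properties, Details, Message Source) and feed that text to `triage()`; a mail that is genuinely from the claimed sender normally yields an empty list, while a phish tends to trip several of these checks at once.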

Guest James Matthews
Posted

This is common behavior of some Trojans! If it's new, I feel bad for you.

Don't worry, the antivirus companies reverse these files fast and give you

the password! It's a really mean thing to do something like this!

 

--

 

http://www.goldwatches.com/watches.asp?Brand=14

"f4gib" <f4gib@discussions.microsoft.com> wrote in message

news:429CE0B8-C3DC-4C77-BC92-A893F1A65957@microsoft.com...

> Got the following message: Hello, your files are encrypted

> with

> RSA-4096 algorithm

> (http://en.wikipedia.org/wiki/RSA).

>

> You will need at least few years to decrypt these files without our

> software. All your private information for last 3 months were

> collected and sent to us.

>

> To decrypt your files you need to buy our software. The price is $300.

>

> To buy our software please contact us at: tristanniglam@gmail.com and

> provide us

> your personal code -1481374230. After successful purchase we will send

> your decrypting tool, and your private information will be deleted

> from our system.

>

> If you will not contact us until 07/15/2007 your private information

> will be shared and you will lost all your data.

>

> Glamorous team

>

> I don't have access to WORD files, photos (JPEG), nor email (Outlook

> Express). Is there anything I can do, except give in to this extortion?

Guest David H. Lipman
Posted

From: "James Matthews" <jamesmatt18@gmail.com>

 

| This is common behavior of some Trojans! If it's new, I feel bad for you.

| Don't worry, the antivirus companies reverse these files fast and give you

| the password! It's a really mean thing to do something like this!

 

 

This is NOT common. There are only a handful of Trojans using Cryptovirology as a

payload.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

http://www.ik-cs.com/got-a-virus.htm
