A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12743  by Blaze
 Mon Apr 16, 2012 12:18 pm
Fabian, thanks for your reply, I can see the picture now ;-) .

Cheers !
 #13645  by Quads
 Sat Jun 02, 2012 8:52 pm
Is it a new variant??

It's warning

YOUR ID: 559 (ID number is unique)
Your computer protection level was very low and your system was attacked by
trojan program which encrypts data.

All your documents, text files, databases, pictures and etc. were encrypted by
secure AES algorithm with unique password.

Random password entry attempt is imposible, all the data will be damaged
after first unsuccessful attempt.

Programs that can restore data wont help you as original files will be destroyed
without a possibility to restore them.
It is useless to ask someone for help. Only we can decipher your data.


We will create a decipher program if you really need your files.COST IS $50.
We accept payments through MoneyPak. ( you can find more information on
their website www.moneypak.com).

Enter MoneyPak number with $50 value as well as your e-mail and click Pay.
You will receive decipher program which will help you to retrieve your files
and remove malware from your computer in 24 HOURS.)

We provide 100% guarantee that your data will be restored in 24 hours after
receiving payment from you.
receive a decipher. Such actions may make your data restoration impossible.
ATTENTION: In case if MoneyPak number and/or e-mail is invalid it will make
restoration process more complicated. PRODUCT COST WILL RISE TO $150.
EMAIL: decryptmeplease@yahoo.com


encrypts files with the extension .crypt I don't have a file.

Quads
 #13648  by Quads
 Sat Jun 02, 2012 9:16 pm
I am trying ti find the file, can't yet.

People are reporting a file named "setsyslog32.exe"

Quads
 #13649  by Fabian Wosar
 Sat Jun 02, 2012 9:37 pm
Found the sample based on the name you gave:

https://www.virustotal.com/file/6f252a0 ... 338672955/

It is definitively not ACCDFISA. Are you or someone you know affected by this particular malware? If that's the case I can give it a quick look and see what I can do :).
 #13652  by Fabian Wosar
 Sat Jun 02, 2012 11:12 pm
Okay, I took a quick look at it. Looks like the application uses AES and a randomly generated key to encrypt the files. The key is generated by the server and communicated through a simple unencrypted and text based protocol. The server is running at 176.9.221.155 port 64535 and a typical transaction looks something like this:
Code: Select all
Sent by the malware:
new

Reply from the server:
581:f6DC4Emmjjh0z
The number at the beginning is the ID displayed by the malware as your reference ID, the colon is used as a delimiter and the rest is the password used for the encryption. The malware will actually save both information within the registry where "id" is the displayed ID and "bdgid" is the password:
Code: Select all
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    bdgid       REG_SZ  f6DC4Emmjjh0z
    id          REG_SZ  581
So unless I overlooked something important (which is certainly a possibility as I haven't slept in over 40 hours) it should be possible to decrypt the files if the password wasn't deleted from the registry. I will contact the BleepingComputer user to see if he still needs assistance and if he does write a small decrypter. Since you do have an account over at the Symantec forums (and I am not sure they will like an employee from a competing company to post there) I would appreciate it if you could do the same with the affected Symantec customers. Ideally ask them for a registry export of the aforementioned registry key as well as one encrypted file (like one of the encrypted sample pictures shipped with Windows). But first I get some sleep :).
Last edited by Fabian Wosar on Sun Jun 03, 2012 2:23 am, edited 1 time in total.
 #13654  by Fabian Wosar
 Sun Jun 03, 2012 2:10 am
Well, I can't sleep anyways. So I may as well just write the decrypt tool now:

http://tmp.emsisoft.com/fw/decrypt_SetSysLog32.zip

The tool can be run in two ways:
  1. If you just start it, it will automatically search for and decrypt files on your Windows installation drive.
  2. If you start it with a parameter, you can search for and decrypt files in custom folders and drives (for example "decrypt.exe D:\" will decrypt all files on drive D:).
The tool will determine the decryption key automatically and perform validations that the files were decrypted correctly. Just in case though it will NOT delete the original .crypt files. If you see one of the following error message it means you most likely got hit by a new variant of the malware:
Code: Select all
Could not find decryption key. Maybe a new variant?
Code: Select all
An error occurred when trying to decrypt file <source file> to <destination file>!
The following error message though is normal and just indicates that the decrypted file could not be created as it is currently in use (like some LOG files for example):
Code: Select all
Exception occurred while processing file <source file>:
Class: EFCreateError - Exception: Cannot create file "<destination file>".
The process cannot access the file because it is being used by another process
Hope it is helpful to someone :).

PS: I tested it on Windows XP only. So it may crash on other OSes. If it does, please let me know and I will fix it. Please use it at your own risk.
 #13655  by Fabian Wosar
 Sun Jun 03, 2012 2:40 am
Oh, and I completely forgot to attach the malware sample in case someone else is interested in it. So please find the sample (original as well as unpacked) attached.
Attachments
Password: infected
(364.7 KiB) Downloaded 101 times
 #13656  by Quads
 Sun Jun 03, 2012 2:42 am
Thanks

Here is one of the users .exe, handful of crypt files, reg key screenshot and file.

the bad .exe is detected by virustotal different names No Trojan Encoder

See attached

Quads
Attachments
Password = infected
(515.24 KiB) Downloaded 98 times