[Blaze]

Fabian, thanks for your reply, I can see the picture now .

Cheers !

[Quads]

Is it a new variant??

It's warning

YOUR ID: 559 (ID number is unique)
Your computer protection level was very low and your system was attacked by
trojan program which encrypts data.

All your documents, text files, databases, pictures and etc. were encrypted by
secure AES algorithm with unique password.

Random password entry attempt is imposible, all the data will be damaged
after first unsuccessful attempt.

Programs that can restore data wont help you as original files will be destroyed
without a possibility to restore them.
It is useless to ask someone for help. Only we can decipher your data.


We will create a decipher program if you really need your files.COST IS $50.
We accept payments through MoneyPak. ( you can find more information on
their website www.moneypak.com).

Enter MoneyPak number with $50 value as well as your e-mail and click Pay.
You will receive decipher program which will help you to retrieve your files
and remove malware from your computer in 24 HOURS.)

We provide 100% guarantee that your data will be restored in 24 hours after
receiving payment from you.
receive a decipher. Such actions may make your data restoration impossible.
ATTENTION: In case if MoneyPak number and/or e-mail is invalid it will make
restoration process more complicated. PRODUCT COST WILL RISE TO $150.
EMAIL: decryptmeplease@yahoo.com


encrypts files with the extension .crypt I don't have a file.

Quads

[Fabian Wosar]

No, it's not. If you can send me a sample though I will be glad to look into it.

[Quads]

I am trying ti find the file, can't yet.

People are reporting a file named "setsyslog32.exe"

Quads

[Fabian Wosar]

Found the sample based on the name you gave:

https://www.virustotal.com/file/6f252a0 ... 338672955/

It is definitively not ACCDFISA. Are you or someone you know affected by this particular malware? If that's the case I can give it a quick look and see what I can do :).

[Quads]

Trojan.Encoder 141

There is 2 users on the Norton forum, same thread

and better info on a Bleeping Computer thread http://www.bleepingcomputer.com/forums/topic455347.html

Quads

[Fabian Wosar]

Okay, I took a quick look at it. Looks like the application uses AES and a randomly generated key to encrypt the files. The key is generated by the server and communicated through a simple unencrypted and text based protocol. The server is running at 176.9.221.155 port 64535 and a typical transaction looks something like this:

Code: Select all

Sent by the malware:
new

Reply from the server:
581:f6DC4Emmjjh0z

The number at the beginning is the ID displayed by the malware as your reference ID, the colon is used as a delimiter and the rest is the password used for the encryption. The malware will actually save both information within the registry where "id" is the displayed ID and "bdgid" is the password:

Code: Select all

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    bdgid       REG_SZ  f6DC4Emmjjh0z
    id          REG_SZ  581

So unless I overlooked something important (which is certainly a possibility as I haven't slept in over 40 hours) it should be possible to decrypt the files if the password wasn't deleted from the registry. I will contact the BleepingComputer user to see if he still needs assistance and if he does write a small decrypter. Since you do have an account over at the Symantec forums (and I am not sure they will like an employee from a competing company to post there) I would appreciate it if you could do the same with the affected Symantec customers. Ideally ask them for a registry export of the aforementioned registry key as well as one encrypted file (like one of the encrypted sample pictures shipped with Windows). But first I get some sleep :).

[Fabian Wosar]

Well, I can't sleep anyways. So I may as well just write the decrypt tool now:

http://tmp.emsisoft.com/fw/decrypt_SetSysLog32.zip

The tool can be run in two ways:

1. If you just start it, it will automatically search for and decrypt files on your Windows installation drive.
2. If you start it with a parameter, you can search for and decrypt files in custom folders and drives (for example "decrypt.exe D:\" will decrypt all files on drive D:).

The tool will determine the decryption key automatically and perform validations that the files were decrypted correctly. Just in case though it will NOT delete the original .crypt files. If you see one of the following error message it means you most likely got hit by a new variant of the malware:

Code: Select all

Could not find decryption key. Maybe a new variant?

Code: Select all

An error occurred when trying to decrypt file <source file> to <destination file>!

The following error message though is normal and just indicates that the decrypted file could not be created as it is currently in use (like some LOG files for example):

Code: Select all

Exception occurred while processing file <source file>:
Class: EFCreateError - Exception: Cannot create file "<destination file>".
The process cannot access the file because it is being used by another process

Hope it is helpful to someone :).

PS: I tested it on Windows XP only. So it may crash on other OSes. If it does, please let me know and I will fix it. Please use it at your own risk.

[Fabian Wosar]

Oh, and I completely forgot to attach the malware sample in case someone else is interested in it. So please find the sample (original as well as unpacked) attached.

[Quads]

Thanks

Here is one of the users .exe, handful of crypt files, reg key screenshot and file.

the bad .exe is detected by virustotal different names No Trojan Encoder

See attached

Quads