Continuing the legacy of GPcode and FileFixer , a new file encoder trojan (5f9927ee59b4881a2ce8634332f63fa8) is on the loose. Upon execution, this malware looks for user's data files (ending with .jpg, .zip, .doc , and .text etc) on the system drives and encrypts them.
For example a user's file having name 'mic.jpg' will be replaced by 'mic.jpg.vscrypt'. After finishing encrypting user data files this malware will change desktop image with its own version and simply quit after restarting the user's machine. It doesn't attempt to install itself on the user's system permanently.
Here is a sample encrypted Download Sunset.jpg file. The message which is left behind for victim on desktop looks like this:
I was not able to understand this message (is there any reader who could translate it for us?) but there are some lines that give some clue to non-native speakers , like the smiley on line 2 ::). The email address along with the ICQ number, based on my best guess, will be used for collecting the ransom. On the last line 'Trojan encoder' is mentioned, which seems to be the malware name given by the ransomware author himself.
Fortunately Dr.Web has developed a tool which could be used to restore back the user's file. One may find it here:
ftp://ftp.drweb.com/pub/drweb/tools/te37decrypt.exe
Thanks to one of our blog reader 'Damir' who was able to search this tool on the web and shared it with us.
---------
Update: Thanks to one of our blog reader who spent some time to translate this russian text for us. Here is the translation:
Hello I'm a Trojan Encoder, or to be more exact, one of its variants::)
My author goes by the handle CORRECTOR and he's happy to offer you decryption for those files that I had time to encrypt on your computer for the economical sum of $10 or about 350 Rubles here is how to contact my author:
Mail: otrazhenie_zla@mail.ru icq 481095
oh by the way almost forgot don't erase the files with the extension vscrypt if you delete them getting your information back will be impossible
Good luck sincerely your Trojan encoder and CORRECTOR.
=======================
where
That email address itself translates to "reflection of evil" @mail.ru
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
dear fireeye members, please help me how to use this te37decrypt tool. ?
Posted by: mehmet erkaleli | 2009.06.07 at 09:33 AM
dear sir/maam,
the tool can decrypt but cannot copy the decrypted file, why ?
best regards.
Posted by: mehmet erkaleli | 2009.06.06 at 04:55 PM
Here's the translation (the lack of punctuation as in the original):
Hi I'm Trojan encoder or rather one of its variants ::) my author is the man nicknamed CORRECTOR and he'll gladly sell you the decryptor for the files which I managed to encrypt on your computer for the modest sum of $10 which is about 35 roubles here are the contacts:
....
oh yes almost forgot - don't delete the files with vscrypt extension if you do this it will be impossible to recover the encrypted information
Good luck yours sincerely Trojan encoder and CORRECTOR
Posted by: figvam | 2009.06.03 at 10:46 PM