FireEye Malware Intelligence Lab
Threat research, analysis, and mitigation

Ransom - Pay me more!

Continuing the legacy of GPcode and FileFixer, a new file encoder trojan (MD5 5f9927ee59b4881a2ce8634332f63fa8) is on the loose. Upon execution, this malware looks for the user's data files (ending in .jpg, .zip, .doc, .text, etc.) on the system drives and encrypts them.

For example, a user's file named 'mic.jpg' will be replaced by 'mic.jpg.vscrypt'. After it has finished encrypting the user's data files, the malware replaces the desktop image with its own version, restarts the machine and then simply quits. It does not attempt to install itself permanently on the user's system.
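The renaming pattern, the sample hash and the contact details in the ransom note are all a responder needs to inventory a hit before running a decryptor. The script below is an added example, not FireEye's or Dr.Web's code: it walks a directory tree, lists every '.vscrypt' file together with whether its original still exists (the note warns that deleting the encrypted copies makes recovery impossible), checks binaries against the MD5 published above, and flags text files that carry the note's indicators. The directory layout and file contents in build_demo_tree() are constructed for the demonstration; MD5 is used only because that is the hash the post gives, so a match identifies this exact sample and nothing else.

```python
"""Triage helper for the '.vscrypt' file-encoder trojan (added example)."""
import hashlib
import os
import shutil
import tempfile

SAMPLE_MD5 = "5f9927ee59b4881a2ce8634332f63fa8"   # hash given in the post
ENCRYPTED_EXT = ".vscrypt"                         # 'mic.jpg' -> 'mic.jpg.vscrypt'
# Strings taken from the ransom note; matching is case-insensitive.
NOTE_INDICATORS = ("otrazhenie_zla@mail.ru", "481095", "corrector", "trojan encoder")


def inventory_encrypted(root):
    """Return sorted (encrypted_path, original_path, original_still_exists)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                enc = os.path.join(dirpath, name)
                orig = enc[:-len(ENCRYPTED_EXT)]      # strip the appended extension
                found.append((enc, orig, os.path.exists(orig)))
    return sorted(found)


def md5_of(path):
    """MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sample(root):
    """Paths whose MD5 equals the published sample hash."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if md5_of(p) == SAMPLE_MD5:
                hits.append(p)
    return sorted(hits)


def note_indicators(text):
    """Indicators from the ransom note that appear in the given text."""
    low = text.lower()
    return [i for i in NOTE_INDICATORS if i in low]


def triage(root):
    """Full report: encrypted files, ransom-note candidates, sample binaries."""
    notes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".txt"):
                p = os.path.join(dirpath, name)
                with open(p, "r", encoding="utf-8", errors="replace") as f:
                    hits = note_indicators(f.read())
                if hits:
                    notes[p] = hits
    return {
        "encrypted": inventory_encrypted(root),
        "notes": notes,
        "sample_binaries": find_sample(root),
    }


def build_demo_tree():
    """Constructed sample tree: two encrypted files, one untouched file, a note."""
    root = tempfile.mkdtemp(prefix="vscrypt_demo_")
    pics = os.path.join(root, "Pictures")
    os.makedirs(pics)
    with open(os.path.join(pics, "mic.jpg.vscrypt"), "wb") as f:
        f.write(b"\x00" * 32)                        # placeholder ciphertext
    with open(os.path.join(root, "Sunset.jpg.vscrypt"), "wb") as f:
        f.write(b"\x01" * 32)
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as f:
        f.write("unaffected file\n")
    with open(os.path.join(root, "note.txt"), "w", encoding="utf-8") as f:
        f.write("Mail: otrazhenie_zla@mail.ru icq 481095\n"
                "don't erase the files with the extension vscrypt\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        report = triage(demo)
        for enc, orig, exists in report["encrypted"]:
            print("encrypted:", enc, "(original present)" if exists else "(original gone)")
        for path, hits in report["notes"].items():
            print("ransom note candidate:", path, hits)
        print("sample binaries:", report["sample_binaries"])
    finally:
        shutil.rmtree(demo)
```

Point triage() at the affected drive rather than the demo tree on a real case; the 'encrypted' list is what to hand to the Dr.Web tool, and 'sample_binaries' tells you whether the dropper itself is still on disk even though the malware does not persist.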

Here is a sample encrypted Sunset.jpg file (offered as a download in the original post). The message left behind for the victim on the desktop looks like this:

[Image: ransom note, captioned "Shantazh" (Russian for blackmail)]

I was not able to understand this message (is there any reader who could translate it for us?), but some lines give a clue even to non-native speakers, like the smiley on line 2 (::)). The email address and the ICQ number are, by my best guess, used for collecting the ransom. The last line mentions 'Trojan encoder', which seems to be the name the ransomware author has given the malware himself.

Fortunately, Dr.Web has developed a tool that can restore the user's files. It can be found here:

ftp://ftp.drweb.com/pub/drweb/tools/te37decrypt.exe

Thanks to one of our blog readers, 'Damir', who found this tool on the web and shared it with us.

---------

Update: Thanks to one of our blog readers who took the time to translate this Russian text for us. Here is the translation:

Hello, I'm a Trojan Encoder, or to be more exact, one of its variants ::)

My author goes by the handle CORRECTOR, and he's happy to offer you decryption for those files that I had time to encrypt on your computer for the economical sum of $10, or about 350 Rubles. Here is how to contact my author:

Mail: otrazhenie_zla@mail.ru icq 481095

Oh, by the way, almost forgot: don't erase the files with the extension vscrypt. If you delete them, getting your information back will be impossible.

Good luck, sincerely, your Trojan encoder and CORRECTOR.
=======================

The email address itself translates to "reflection of evil" @mail.ru.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Questions/Comments: research SHIFT-2 fireeye DOT COM

Comments

  • Dear FireEye members, please help me: how do I use this te37decrypt tool?

    mehmet erkaleli on Ransom - Pay me more!
  • Dear sir/ma'am,
    the tool can decrypt but cannot copy the decrypted file. Why?
    Best regards.

    mehmet erkaleli on Ransom - Pay me more!
  • Here's the translation (the lack of punctuation as in the original):

    Hi I'm Trojan encoder or rather one of its variants ::) my author is the man nicknamed CORRECTOR and he'll gladly sell you the decryptor for the files which I managed to encrypt on your computer for the modest sum of $10 which is about 35 roubles here are the contacts:

    ....

    oh yes almost forgot - don't delete the files with vscrypt extension if you do this it will be impossible to recover the encrypted information

    Good luck yours sincerely Trojan encoder and CORRECTOR

    figvam on Ransom - Pay me more!
