deerejon Posted December 19, 2012

Got this from a friend who is an IT guy....

---------------------------------

This is by far the WORST virus I've ever seen in the history of working on computers. So horrible that I had to email my friends/clients/family about it. Basically what it does is AES 256-bit encrypt all your files with a .block or .police extension and force the user to fork over money in hopes of getting their files unlocked. If you want to skip to the ending, this user's machine had to be completely wiped out and they lost all their data.

See below the general question that came into IT Services today:

Guys, anyone ever seen a ".block" extension caused by a virus? I tried multiple tools and restored all file extensions; the files still won't work.

After working with the user's machine for over an hour, my findings and conclusion are below:

After much research I found that you need to enter %APPDATA% to get four files. The primary and most important files are Initia1Log.txt & Initia1Log.txt.block, which hold the AES encryption key used to block all the files on the machine. The secondary, and sometimes not used, are ok.txt and ok.txt.block. Thing is, if you unknowingly run ComboFix or TDSSKiller it will flag these "highly necessary" files and delete them from the machine. If these files are nonexistent you CAN NOT decrypt your files. An alternative for recovering the files is a program called Piriform Recuva, freeware undelete software, which I recommend we all add to our IT USB sticks.

After you have both files available, you run a piece of software called decrypt_birele.exe in the same directory as Initia1Log.txt and Initia1Log.txt.block from the command prompt. It will decrypt and produce an AES key to be used with te94decrypt.exe -k 188. There are many variants of this particular virus; one will have a .police extension, for which te94decrypt.exe will use -k 186 instead of 188. The .block extension along with the AES 256 key uses switch 188 when decrypting the files.

Some important notes on this virus are:

- With this individual ticket it seems like the virus made its way in through a picture file that was labeled with the extension .jpg.exe
- The Initia1Log.txt is computer specific, meaning one will not be the same as another.
- The ok.txt.block is NOT enough to decrypt; we need Initia1Log.txt.

Excellent documentation, along with the Russian individual who created the decryption algorithm for Initia1Log.txt, can be found below but needs to be transcoded to English. Decode with http://www.bing.com/translator - http://forum.kaspersky.com/index.php?showtopic=251126
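The recovery steps in the post above hinge on one thing: the key-material files in %APPDATA% must survive until decrypt_birele.exe has been run, and an AV cleanup tool can delete them first. The script below is an added example written for this thread, not the poster's or his IT contact's tooling, and it does not decrypt anything. It does the three things a responder wants done before any cleanup tool runs: copies the four named files out of the profile into an evidence folder with SHA-256 hashes, inventories the encrypted files by .block/.police extension (reporting the te94decrypt.exe -k switch the post associates with each), and flags double-extension lures like the .jpg.exe the post names. The file names and switch values are taken from the post; the directory layout, the `build_sample_tree` fixture and the lists of "document" and "executable" extensions are assumptions constructed for the demo.

```python
"""Pre-cleanup triage for the .block / .police file encrypter described in the post.
Added example; not the original poster's or the IT contact's tooling. Nothing here
decrypts data: it only preserves the files decrypt_birele.exe needs and reports."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# File names exactly as the post gives them.
KEY_FILES = ("Initia1Log.txt", "Initia1Log.txt.block", "ok.txt", "ok.txt.block")
# Extension -> te94decrypt.exe -k value, as stated in the post.
VARIANT_SWITCH = {".block": 188, ".police": 186}
# Assumed extension sets for lure detection (not from the post).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large evidence copies do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_key_files(appdata: Path, evidence_dir: Path) -> Dict[str, str]:
    """Copy the key-material files out of %APPDATA% before ComboFix/TDSSKiller can
    delete them. Returns {name: sha256} for each file that was present."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    found: Dict[str, str] = {}
    for name in KEY_FILES:
        src = appdata / name
        if src.is_file():
            dst = evidence_dir / name
            shutil.copy2(src, dst)  # copy2 keeps timestamps for the timeline
            found[name] = sha256_file(dst)
    return found


def can_decrypt(found: Dict[str, str]) -> bool:
    """Per the post, ok.txt.block alone is NOT enough: both Initia1Log.txt and
    Initia1Log.txt.block must exist for decrypt_birele.exe to recover the key."""
    return "Initia1Log.txt" in found and "Initia1Log.txt.block" in found


def inventory_encrypted(root: Path) -> Dict[str, List[str]]:
    """Bucket files under root by ransomware extension (.block / .police)."""
    buckets: Dict[str, List[str]] = {ext: [] for ext in VARIANT_SWITCH}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            ext = Path(fname).suffix.lower()
            if ext in buckets:
                buckets[ext].append(str(Path(dirpath) / fname))
    return buckets


def decrypt_switch_for(ext: str) -> Optional[int]:
    """The -k value the post says te94decrypt.exe needs for this variant."""
    return VARIANT_SWITCH.get(ext.lower())


def is_double_extension_lure(filename: str) -> bool:
    """True for names like holiday.jpg.exe: a document-looking extension directly
    followed by an executable one (Explorer hides the last one by default)."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)


def build_sample_tree() -> Path:
    """Constructed sample profile for the demo; contents are placeholders, not malware."""
    base = Path(tempfile.mkdtemp(prefix="block_triage_"))
    appdata = base / "AppData" / "Roaming"
    docs = base / "Documents"
    appdata.mkdir(parents=True)
    docs.mkdir()
    (appdata / "Initia1Log.txt").write_bytes(b"constructed log\n")
    (appdata / "Initia1Log.txt.block").write_bytes(b"\x00constructed\x00")
    (appdata / "ok.txt.block").write_bytes(b"constructed")   # ok.txt deliberately absent
    (docs / "thesis.docx.block").write_bytes(b"x" * 10)
    (docs / "budget.xlsx.block").write_bytes(b"y" * 10)
    (docs / "holiday.jpg.exe").write_bytes(b"MZ")             # the lure the post describes
    (docs / "notes.txt").write_bytes(b"untouched")
    return base


def run_triage(base: Path) -> dict:
    """Preserve key files, inventory encrypted files, and list lures under base."""
    found = preserve_key_files(base / "AppData" / "Roaming", base / "evidence")
    encrypted = inventory_encrypted(base / "Documents")
    lures = sorted(str(p) for p in (base / "Documents").rglob("*")
                   if p.is_file() and is_double_extension_lure(p.name))
    switches = {ext: decrypt_switch_for(ext) for ext, files in encrypted.items() if files}
    return {"key_files": found, "decryptable": can_decrypt(found),
            "encrypted": encrypted, "switches": switches, "lures": lures}


if __name__ == "__main__":
    sample = build_sample_tree()
    report = run_triage(sample)
    for k, v in report.items():
        print(f"{k}: {v}")
    shutil.rmtree(sample)
```

Run it against a real profile by replacing `build_sample_tree()` with the user's profile root (the parent of `AppData`) and keep the evidence folder on removable media, so a later wipe of the machine does not take the only copy of Initia1Log.txt with it.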
Merlin007 Posted December 19, 2012

Well, doesn't that one sound like a bitch. Thanks for the info.
simplemod Posted December 19, 2012

Thanks for the heads up.
tinmann Posted December 19, 2012

Thanks for letting us know!
7Toes Posted December 19, 2012

That's why these damn hacks and virus makers need to be gutted alive in public; the rest might take the hint.
KaptCrunch Posted December 20, 2012

Another note: BACK UP the data you want to keep on CD/flash.
WarAngel77 Posted December 20, 2012

Thank you for the info.
PingLo Posted December 20, 2012

What's a Virus?
simplemod Posted December 20, 2012

"What's a Virus?"

Basically, it's what Mac users call an operating system.