Bad Virus

[deerejon]

Got thsi from friend who is IT guy....

---------------------------------

 

 

This is by far the WORST virus I’ve ever seen in the history of working on computers. So horrible that I had to email my friends/clients/family about it. Basically what it does is it AES 256bit encrypts all your files with .block or .police extension and forces the user to fork over money in hopes of getting their files unlocked. If you want to skip to the ending this users machine had to be completely wiped out and they lost all their data.

 

See below the general question that came into IT Services today;

 

Guys,

Anyone ever seen a ".block" extension caused by a virus ? I tried multiple tools and restored all file extensions the files still won't work.

 

After working with the users machine for over an hour my findings and conclusion is below;

 

After much research I found that you need to enter %APPDATA% to get four files. The primary and most important files being Initia1Log.txt & Initia1Log.txt.block that hold the AES encryption key used to block all the files on the machine. The secondary and sometimes not used ok.txt and ok.txt.block. Thing is if you unknowingly run Combofix or TDSKiller it will flag these “highly necessary” files and delete them from the machine. If these file are nonexistent you CAN NOT decrypt your files. An alternate to recovering the file is a program called Piriform Recuva, freeware undeleted software, which I recommend we all add to our IT USB Sticks. After you have both files available you run a piece of software called decrypt_birele.exe in the same directory with Initia1Log.txt and Initia1Log.txt.block from command prompt. It will decrypt and produce a AES key used to be used with te94decrypt.exe –k 188.

 

There are many variants of this particular virus one will have .police extension which te94decrypt.exe will use –k 186 instead of 188. The .block extension along with the AES 256 Key uses switch 188 when decrypting the files.

 

Some important notes on this virus are;

With this individual ticket it seems like the virus made its way in through a picture file that was labeled with the extension .jpg.exe

The Initia1Log.txt is computer specific meaning one will not be the same as another.

The Ok.txt.block is NOT enough to decrypt we need Initia1Log.txt

 

Excellent documentation along with the Russian individual who created the decryption algorithm for Initia1Log.txt can be found below but needs to be transcoded to English.

Decode with http://www.bing.com/translator - http://forum.kaspersky.com/index.php?showtopic=251126

[Merlin007]

Well doesnt that one sound like a bitch. Thanks for the info.

[simplemod]

Thanks for the heads up.

[tinmann]

thanks for letting us know!

[7Toes]

thats why these damn hacks and virus makers need to be gutted alive in public the rest might take the hint

[KaptCrunch]

another note BACK-UP your data you want to keep on cd/flash

[WarAngel77]

Thank you for the info.

Edited December 20, 2012 by XxSN0OPETTxX

[PingLo]

What's a Virus?

[simplemod]

What's a Virus?

 

Basically, it's what Mac users call an operating system.