Guest fintansmobilemail@gmail.com, Posted December 18, 2008

Ok guys, is this a conspiracy? Search FileError_22001 on all the top Anti Virus company sites and they all show no results.

Dear Anti Virus companies, WAKE UP!! People's files all over the world are being corrupted, everything from work documents, travel documents to wedding and kid photos.

It's times like this that the general public needs you Anti Virus guys, and from the industry, nothing, absolutely nothing. A disorganized bunch of decent people are trying various things, but the big public companies with stock Nasdaq listings and shareholders, not a shred of help.

On behalf of the affected around the world, I'd like to offer a BIG thanks for nothing guys!

The least you could do is put a note on your websites saying you are working on it and give us regular people with our digital cameras some hope. Bring back 35mm film. Hmmm, perhaps this is a conspiracy plotted by AGFA or Fuji Film working with Eastman Kodak to bring back 35mm film after all the world's digital photos have been erased.

So come on, Mr. Anti Virus company Executive, round up the troops and show us you are really a pillar of society. Please.
Guest Peter Foldes, Posted December 18, 2008

See the same issue and answers 4 posts below yours here in microsoft.public.security.virus, by Max in KL on 12/16/2008 at 10:32 AM.

--
Peter
Please Reply to Newsgroup for the benefit of others.
Requests for assistance by email can not and will not be acknowledged.

<fintansmobilemail@gmail.com> wrote in message news:890a7532-148b-4280-b6b6-ccfd6af200ec@o4g2000pra.googlegroups.com...
> [original post quoted in full]
Guest David H. Lipman, Posted December 18, 2008

From: <fintansmobilemail@gmail.com>

| [original post quoted in full]

You have to realize that if this is a case of cryptovirology then it is possible there may be NOTHING that can be done if someone gets infected and their data files are encrypted. All an AV company can do is protect against being infected through signature and heuristic detection.

Recently I offered "special attention" to someone who was infected. They didn't take me up on the offer.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest FromTheRafters, Posted December 19, 2008

inline

<fintansmobilemail@gmail.com> wrote in message news:890a7532-148b-4280-b6b6-ccfd6af200ec@o4g2000pra.googlegroups.com...
> Ok guys, is this a conspiracy? Search FileError_22001 on all the top
> Anti Virus company sites and they all show no results.

This is a symptom, not a name.

> Dear Anti Virus companies, WAKE UP!! People's files all over the world
> are being corrupted, everything from work documents, travel documents
> to wedding and kid photos.

I'm sure if it gets widespread enough there will be information available. There is nothing AV can do after you are affected by cryptoviral extortion (if indeed this is what it is - AKA ransomware). AV is not responsible for users who execute malicious software on their computers. AV is only a tool to help users to protect themselves.

[snipped rest of misguided rant]
Guest FromTheRafters, Posted December 19, 2008

http://www.ca.com/us/securityadvisor/pest/...px?id=453145944

This looks like the malware. But the downloaded program does the damage evidently by overwriting, as I understand it. No cryptoviral extortion (ransomware) involved this time. I'm only basing this on some Googling - I'm not an AV insider.

<fintansmobilemail@gmail.com> wrote in message news:890a7532-148b-4280-b6b6-ccfd6af200ec@o4g2000pra.googlegroups.com...
> [original post quoted in full]
Guest Leythos, Posted December 19, 2008

In article <OIGgZMXYJHA.4456@TK2MSFTNGP04.phx.gbl>, erratic@nomail.afraid.org says...
> Dear Anti Virus companies, WAKE UP!! People's files all over the world
> are being corrupted, everything from work documents, travel documents
> to wedding and kid photos.

How about "Dear computer user, WAKE UP and stop doing stupid things!"

How about "Dear computer user, learn about good practices for protecting your computer and network so that you're not compromised."

It's not the AV companies that will protect you, it's your own diligence that will protect you.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
Guest FromTheRafters, Posted December 19, 2008

Hi Leythos,

None of what follows was said by me, but that is my posted e-mail address in the newsgroups. You are actually replying to the OP. Fact is... I agree with you. Most of the malware out there depends heavily on people doing stupid things. Judging by some of the successful malware I've seen in the past... there is no shortage of stupidity (nor any limit to it).

"Leythos" <spam999free@rrohio.com> wrote in message news:MPG.23b57336a09dda77989792@us.news.astraweb.com...
> [Leythos's post quoted in full]
Guest David H. Lipman, Posted December 19, 2008

From: "FromTheRafters" <erratic@nomail.afraid.org>

| Hi Leythos,
| None of what follows was said by me, but that is my posted e-mail
| address in the newsgroups. You are actually replying to the OP. Fact is
| ...I agree with you. Most of the malware out there depends heavily on
| people doing stupid things. Judging by some of the successful malware
| I've seen in the past...there is no shortage of stupidity (nor any limit to
| it).

I'd like to get a sample of this infector to our "group" to get this analyzed. All we have seen are resultant, damaged, files and they are bastardized similarly to what GPCode did.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest FromTheRafters, Posted December 19, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:eiBstfiYJHA.652@TK2MSFTNGP04.phx.gbl...
> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
> [snipped]
>
> I'd like to get a sample of this infector to our "group" to get this
> analyzed. All we have seen are resultant, damaged, files and they are
> bastardized similarly to what GPCode did.

Interestingly, a couple of the "forums" I read from have suggested navigating to a registry key - to get a filename - and delete both the file and the key value.

My thinking is that doing such things before you know what you are dealing with is ill advised. What if it is ransomware and the perpetrator needs the file you just deleted in order for you to decrypt your files?

Obviously, I cannot vouch for any information found in such "forums".
Guest David H. Lipman, Posted December 20, 2008

From: "FromTheRafters" <erratic@nomail.afraid.org>

| Interestingly, a couple of the "forums" I read from have suggested navigating
| to a registry key - to get a filename - and delete both the file and the key
| value.
| My thinking is that doing such things before you know what you are dealing
| with is ill advised. What if it is ransomware and the perpetrator needs the
| file you just deleted in order for you to decrypt your files?
| Obviously, I cannot vouch for any information found in such "forums".

It is a case of Cryptovirology and DrWeb calls it "Trojan.Encoder.33" and has a tool for decryption.
ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe

10% of the files can be decrypted based upon a key in the Registry.
The other 90% can be decrypted through a predictable key.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest FromTheRafters, Posted December 20, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:e7oNBipYJHA.4852@TK2MSFTNGP04.phx.gbl...
> It is a case of Cryptovirology and DrWeb calls it "Trojan.Encoder.33" and
> has a tool for decryption.
> ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe
>
> 10% of the files can be decrypted based upon a key in the Registry.
> The other 90% can be decrypted through a predictable key.

Thanks Dave.
Guest duffpaddy@gmail.com, Posted December 26, 2008

On Dec 20, 12:50 pm, "FromTheRafters" <erra...@nomail.afraid.org> wrote:
> "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in message news:e7oNBipYJHA.4852@TK2MSFTNGP04.phx.gbl...
>
> > It is a case of Cryptovirology and DrWeb calls it "Trojan.Encoder.33" and
> > has a tool for decryption.
> > ftp://ftp.drweb.com/pub/drweb/windows/te33decrypt.exe
>
> > 10% of the files can be decrypted based upon a key in the Registry.
> > The other 90% can be decrypted through a predictable key.
>
> Thanks Dave.

This is definitely a case of Cryptovirology as I've just spent the last couple of hours trying to clean my parents' computer, which has been compromised. The above download does appear to work; however, it is important not to clean the registry entries that contain the key for the encrypted files. I'd therefore advise people not to run any anti-malware or antivirus software until they have recovered their files.

I have to agree with the original poster about the lack of information available about this virus. It is quite scarce, which might indicate that it is a very new trojan. The computer that was compromised was running NOD32 and it did not detect the trojan at any point, even with heuristics on and the virus database fully up to date. I did find that the latest IE 7 security patch had not been applied to the system, so it may have got onto the system via this exploit.

I'm still not sure what the name of the exact trojan is, as there seems to be some disagreement about what its name is (Trojan.Encoder.33?, Trojan Downloader.Win32.Agent.atnu?), so I have still yet to ascertain what steps need to be taken to fully clean the system.

I'm not taking any chances, especially considering how easily it bypassed the antivirus software, so I intend to do a low level format of the drive and then reinstall Windows.
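Putting FromTheRafters' caution and duffpaddy's advice into practice: before any cleanup tool runs, preserve the registry value and the file it names rather than deleting them, so a decryptor that depends on that key still has it. The following PowerShell is an added example, not something posted in this thread; the registry path and value name are placeholders because the thread never names them, and it assumes PowerShell 4 or later (for Get-FileHash) run from an elevated prompt.

```powershell
# Added example, not from the thread: snapshot a registry value and the file it
# points to into an evidence folder BEFORE running any AV or cleanup tool.
# ASSUMPTION: $KeyPath and $ValueName are placeholders; the thread never names
# the real key. Requires PowerShell 4+ (Get-FileHash) and an elevated prompt.
param(
    [string]$KeyPath   = 'HKCU:\Software\PLACEHOLDER_KEY',   # placeholder, not from the thread
    [string]$ValueName = 'PLACEHOLDER_VALUE',               # placeholder, not from the thread
    [string]$Evidence  = "$env:USERPROFILE\Desktop\evidence-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Export the whole key with reg.exe so the raw value (possibly the
#    decryption key the thread mentions) survives any later registry cleaning.
$regKeyForRegExe = $KeyPath -replace '^HKCU:', 'HKCU' -replace '^HKLM:', 'HKLM'
reg.exe export $regKeyForRegExe (Join-Path $Evidence 'key-export.reg') /y | Out-Null

# 2. Read the value. The forums quoted in the thread say it names a file;
#    copy that file instead of deleting it, and hash the copy so an analyst
#    (as Dave asked for) can be handed a verifiable sample.
$value    = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop).$ValueName
$manifest = [ordered]@{
    Collected = (Get-Date).ToString('o')
    KeyPath   = $KeyPath
    ValueName = $ValueName
    Value     = $value
}

if ($value -and (Test-Path -LiteralPath $value -PathType Leaf)) {
    # Store the copy with a neutral extension so nothing runs it by accident.
    $copy = Join-Path $Evidence ([IO.Path]::GetFileName($value) + '.bin')
    Copy-Item -LiteralPath $value -Destination $copy
    $manifest.FileCopy   = $copy
    $manifest.FileSize   = (Get-Item -LiteralPath $copy).Length
    $manifest.FileSHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $copy).Hash
} else {
    $manifest.FileCopy = 'value did not resolve to an existing file'
}

# 3. Write a manifest next to the artefacts; nothing on the live system is changed.
$manifest | ConvertTo-Json | Set-Content -Path (Join-Path $Evidence 'manifest.json')
Write-Output "Evidence preserved in $Evidence"
```

Only after the export and the file copy exist should a decryptor or cleanup tool be run, and the evidence folder should be kept off the affected machine.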