
What is this thing?

This message appeared in large black letters across my desktop about 10 minutes ago:

"All your personal files were encrypted with a strong algorythm RSA-1024 And you can't get access to them without making of what we need!

Read "How to decrypt" txt-file on your desktop for details.

Just do it as fast as you can!

Remember don't try to tell anyone about this message if you want to get your files back! Just do all we told"

The decrypt file is now on my desktop but I'm sure it's a no go and am about to scan my comp. Contrary to what it said I can actually access my files, so it doesn't look like they have been encrypted or whatever.

But I haven't had anything quite like this before, anyone familiar with it?

Comments

  • squeaky
    squeaky Posts: 14,129 Forumite
    10,000 Posts Combo Breaker
    Sounds like a virus to me - even though it is citing the use of a real encrypting algorithm. The English in that message is poor and algorithm is not spelled correctly either.

    I googled but couldn't find a related link - but for sure I would avoid following those instructions in that text file until someone can help you identify what's going on.
    Hi, I'm a Board Guide on the Old Style and the Consumer Rights boards which means I'm a volunteer to help the boards run smoothly and can move and merge posts there. Board guides are not moderators and don't read every post. If you spot an inappropriate or illegal post then please report it to forumteam@moneysavingexpert.com. It is not part of my role to deal with reportable posts. Any views are mine and are not the official line of MoneySavingExpert.
    Never ascribe to malice that which is adequately explained by incompetence.
    DTFAC: Y.T.D = £5.20 Apr £0.50
  • Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_ma..._anti_malware/
    Open Malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM QUICK SCAN then click SCAN
    Remove everything that's found (needs to be ticked)
    Post the COMPLETE log here AFTER you've deleted everything it finds
    If anything was found then do the exact same but run a FULL scan
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • nice :) can i ask what precautions you have installed? what antivirus software etc..
    seems like you know it's fake..and you're doing the right things
    Utinam logica falsa tuam philosophiam totam suffodiant.
  • http://www.computing.net/answers/security/how-to-encode-files-after-trojan-1024-cypher/31879.html

    This is a similar virus but the guy's files were encoded. Not of much use I'm afraid.
  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    Gpcode (ransomware), what site had you been on just before you got this or was it in a download?
  • laguini
    laguini Posts: 21 Forumite
    nice :) can i ask what precautions you have installed? what antivirus software etc..
    seems like you know it's fake..and you're doing the right things

    I have microsoft security essentials, zone alarm pro and malware bytes. Nothing has been coming up on them lately though really, perhaps I need something stronger.

    Debitcardmayhem- here is the log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    Database version: 5189
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385
    25/11/2010 17:54:36
    mbam-log-2010-11-25 (17-54-36).txt
    Scan type: Quick scan
    Objects scanned: 143388
    Time elapsed: 9 minute(s), 38 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Users\bumbly\AppData\Local\Temp\0.8626637234042882.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    So it was trojan, I guess after doing a full scan that should be the end of it? Not sure how and why I've been getting them so much in the past six months.

    Thanks
  • laguini
    laguini Posts: 21 Forumite
    fiddiwebb wrote: »
    Gpcode (ransomware), what site had you been on just before you got this or was it in a download?

    I was just on wikipedia/in my email - didn't consciously download anything.
  • Hi All. I've had the exact same attack!

    I've tried to rename and open the files but I can't open them – the files are really encrypted. I managed to stop the process of encryption, using Task Manager to stop a suspicious process, so "only" about half my files are encrypted. The attack started 9:49PM yesterday and I noticed and stopped the process 10:38. The process deletes the original files and replaces them with encrypted files. I did not download any torrents or P2P, only email and general surf at the time.

    I use XP, SP 3. - Suspect that XP is a reason for the attack (old system). I suppose that a system restore doesn't help since the virus-program has changed my files - system restore only restores the system as I recall.

    They've added a key that they want me to send to an email address datafinder@fastmail.fm, plus money to a bank account, claiming that they will then send a decryption key and instructions. - I'm of course not going to do that, I just thought it might help with a little info on the attack.

    If someone can help it’s much appreciated, but I guess the only thing is to reinstall everything on the computer.
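
Added example (not part of any post in this thread): the post above gives a clock window for the attack, 9:49PM to 10:38PM, and says the originals were replaced by encrypted files. This Python sketch lists files last written in such a window that no longer look like their type; the date, file names and contents in `demo()` are constructed, and `triage` is a hypothetical helper name.

```python
import math, os, tempfile
from collections import Counter
from datetime import datetime

# Leading bytes expected for a few common formats (not exhaustive).
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG",
         ".zip": b"PK", ".docx": b"PK", ".doc": b"\xd0\xcf\x11\xe0"}

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root, start, end, threshold=7.0):
    """List files last written in [start, end] that no longer look like their type."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.path.getmtime(path))
                if not start <= mtime <= end:
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                continue  # locked or vanished file: skip it, keep sweeping
            magic = MAGIC.get(os.path.splitext(name)[1].lower())
            if magic and not head.startswith(magic):
                hits.append((path, "header does not match extension"))
            elif magic is None and entropy(head) >= threshold:
                # Entropy is used only where no header is known: zip/jpg are dense too.
                hits.append((path, "high entropy"))
    return sorted(hits)

def demo():
    """Constructed sample tree; only the 21:49-22:38 window comes from the post."""
    def at(hh, mm):  # placeholder date; the post gives clock times only
        return datetime(2010, 1, 1, hh, mm)
    noise = bytes(range(256)) * 16  # uniform bytes standing in for ciphertext
    files = {"report.pdf": (noise, 22, 5), "notes.txt": (noise, 22, 10),
             "old.pdf": (noise, 20, 0), "todo.txt": (b"buy milk\n" * 50, 22, 0)}
    with tempfile.TemporaryDirectory() as root:
        for name, (data, hh, mm) in files.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (at(hh, mm).timestamp(),) * 2)
        hits = triage(root, at(21, 49), at(22, 38))
    return [(os.path.basename(p), why) for p, why in hits]
```

The resulting list is also the set of names to look for among whatever a recovery tool brings back; run it read-only against the affected disk from a clean system.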
  • kevsan
    kevsan Posts: 238 Forumite
    More details here:

    http://www.securelist.com/en/descriptions/old313444

    Below is an excerpt;

    This malicious program encrypts files on the victim machine. It is a Windows PE EXE file, 8030 bytes in size.

    Removal instructions

    If you think your computer has been infected, contact us at stopgpcode@kaspersky.com. Include details about the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected:
    • which programs you ran,
    • which websites you have visited, etc.
    File Recovery

    At the moment, it's not possible to decrypt files encrypted by Gpcode. However, you can use PhotoRec to recover your original files which were deleted by Gpcode after the virus created an encrypted version of the files.
    The utility can be used to recover Microsoft Office documents, executable files, PDF and TXT documents, and also certain file archives. Here is a full list of supported file formats.
    PhotoRec is part of the TestDisk package. The latest version of TestDisk, including PhotoRec, can be found here.
    2014 running challenge 471.95 km / 1000 km.
  • mr_fishbulb
    mr_fishbulb Posts: 5,224 Forumite
    Part of the Furniture Combo Breaker
    Even more details (actually had just read this an hour ago!) - http://nakedsecurity.sophos.com/2010/11/26/drive-by-ransomware-attack-demands-120/

    Agree with the PhotoRec advice above (unless you have backup copies of the files?).
This discussion has been closed.