Analysis on a New Ransomware

A new ransomware is currently making the rounds. It leaves behind a
ransom note (INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt) in the My
Documents folder, along with the supposedly encrypted files
(encrypted.als) and a demo.als that serves as a demonstration of how
to extract your files.

This one is quite unusual: it doesn’t extort money from infected
users; instead it forces them to buy products from an online
pharmacy. Seen that way, the malware also acts as a kind of adware
for the online pharmaceutical company.

The ransom note contains the following:

INSTRUCTIONS HOW TO GET YOUR FILES BACK

READ CAREFULLY. IF YOU DO NOT UNDERSTAND – READ AGAIN.

This is the automated report generated by auto archiving software.

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

You can not guess the password for your archived files – password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

Do not try to search for a program that encrypted your information – it simply does not exist in your hard disk anymore.

Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you.

You can even EARN extra money with us.

If you really care about the documents and information in encrypted file, you should follow the instructions below.

This is your only way to get your files back and save your time.

——————————

How to get your information back.

1. Follow any link below

http://{blocked}.info/?833F866fe62adAd883cc38bcd6b0Tdaa
http://{blocked}.info/?82Fdf3abfb7Abc9385ed1c26afT6bb6e
http://{blocked}.info/?12aba12eF79ef8A4bf7f9bd49Tfc6690

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

2. Choose any product you like and buy it.

3. Send an email with your order id to our email address restoring@safe-mail.net or restoringfiles@yahoo.com

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

——————————

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!

We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.

We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password:

kw9fjwfielaifuw1u3fw3brue2180w3hfse2

The encrypted information will be restored in several seconds.

The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.

We guarantee that you will never be asked to buy anything in our online pharmacy again.

We do not want to do you any harm, we do not ask you for money, we only want to do business with you.

######################################################

Remember you are just three steps away from your files

######################################################

The malware collects the files in the user’s My Documents folder,
concatenates their contents into one file (EncryptedFiles.als) and
then deletes the originals. In addition, it adds these two files:

  • Demo.als (demo file used for the instructions)
  • INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt (ransom note)

It then associates itself with .als files, so that it runs when
Demo.als or EncryptedFiles.als is double-clicked. Once any .als file
is opened, it presents a series of dialog boxes that lead to the
extraction of the concatenated files.

Some things to know about the ransom note:

  • “You can not guess the password for your archived files” – True,
    but the password for the archive can easily be recovered by anyone
    with minimal knowledge of reverse engineering. It is also easy to
    spot, since it is simply present in the malware’s code in plain
    text.
  • “Do not try to search for a program that encrypted your
    information – it simply does not exist in your hard disk anymore.” –
    A big FALSE, hehe. The program is still on your hard drive, since it
    is needed to extract the concatenated files.

By the way, the password recovered from the executable is
“mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw”


Update (Jovs, 08 May 2006 21:08:01)

This ransomware is now detected as TROJ_ARHIVEUS.A.