-
*nix Technical Support
New Vundo Warning
From scareware to ransomware
FireEye, a malware specialist, reports that Vundo, which makes fake antivirus programs (scareware), has now started a new scam. Vundo is no longer merely alarming users with bogus warnings that their PCs have been infected to con them into buying largely useless scanning software. Their latest attacks (ransomware) encrypt all of the files (.pdf, .doc, .jpg and others) on a user's PC and then report garbled data.
System messages are sent to con the user into coughing up €50 for the full version of a "repair tool", FileFix Pro 2009. In contrast to scareware, which normally only pretends there's a problem, users are left little option, because all of their files have genuinely been encrypted – although only with a simple algorithm. FireEye doesn't say how the ransomware gets on to the computers, but it probably needs a little help from the user.
FireEye has investigated the algorithm and found that the key apparently consists of only four characters, stored at the end of an encrypted file. FireEye is providing a free Perl script and a web page implementation of the script for decryption of scrambled files. This case is similar to GPCode, a Trojan that appeared in the middle of last year, encrypting files using RSA (the Rivest, Shamir and Adleman algorithm) with a 4096-bit key.
GPCode's authors demanded that their victims shell out $300 to get their files restored. Fortunately, it was possible to reconstruct the data at a lower cost, even without the key, because GPCode wrote the encrypted version of a document into a new file and then "deleted" the original one. Since Windows only deletes a file's reference, not the actual file itself, the originals could be successfully recovered.
-source-
pacman -Syyu life not found in sync db
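Added example, not part of the original post and not FireEye's Perl script: a sketch of why a four-character key stored at the end of each file makes recovery straightforward, with a known-plaintext cross-check against file headers. The article does not name the cipher, so a repeating four-byte XOR is assumed here for illustration; the function names and the sample data are constructed.

```python
"""Recovery sketch for a scheme that appends its 4-byte key to each file.
ASSUMPTION: repeating-key XOR; the article does not name the real cipher."""

KEY_LEN = 4  # "only four characters", per the article

# Well-known leading bytes of the file types the article lists.
MAGIC = {
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".jpg": b"\xff\xd8\xff",
}

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated (the assumed cipher; it is self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover(blob: bytes, ext: str) -> bytes:
    """Split off the trailing key, decrypt, and verify against the file magic."""
    if len(blob) <= KEY_LEN:
        raise ValueError("too short to hold data plus a trailing key")
    body, key = blob[:-KEY_LEN], blob[-KEY_LEN:]
    plain = xor_repeat(body, key)
    magic = MAGIC.get(ext.lower())
    if magic and not plain.startswith(magic):
        # Refuse to hand back garbage: wrong scheme, or the file was never encrypted.
        raise ValueError("decrypted header does not match " + ext)
    return plain

def key_from_header(blob: bytes, ext: str) -> bytes:
    """Known-plaintext cross-check: derive the key from the expected magic bytes."""
    magic = MAGIC[ext.lower()]
    if len(magic) < KEY_LEN:
        raise ValueError("magic shorter than key; cannot derive every key byte")
    return bytes(c ^ p for c, p in zip(blob[:KEY_LEN], magic))

# Constructed sample, not a real victim file.
SAMPLE_PLAIN = b"%PDF-1.4\n% constructed test document\n"
SAMPLE_KEY = b"k3y!"
SAMPLE_BLOB = xor_repeat(SAMPLE_PLAIN, SAMPLE_KEY) + SAMPLE_KEY

if __name__ == "__main__":
    print(recover(SAMPLE_BLOB, ".pdf"))
    print(key_from_header(SAMPLE_BLOB, ".pdf") == SAMPLE_BLOB[-KEY_LEN:])
```

Run it on copies of the affected files, never the only copy, so a wrong assumption about the scheme cannot destroy data.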
-
Guest
New Vundos Variant also able to self protect itself against Sandboxie -
"Stars and the Sun"
-
*nix Technical Support
Wonderful. Now it looks like Linux has another good point to fight with Windows
no Vundo
-
Experienced User
Encrypting files? So, any program can't decrypt with any program?
-
*nix Technical Support
It can be decrypted but you need to look up that Perl script. I don't have a clue where it is.
-
owned!!!
They had to pay 300!!!
DotA Player :P

-
*nix Technical Support
It's not something I'd lol about myself. But that's me because I think a virus is serious.
-
Experienced User
I don't. Haha, I just laugh at Windows users with their viruses and slowdowns and BSoDs and crashing etc. All that stuff that Windows has and Ubuntu doesn't.
-
Experienced User
Lol. The irony, brayden. Check your siggie..
-
*nix Technical Support
He hasn't changed it yet, since he still uses Vista. I'm stuck using it for a little bit longer... I've got to delete a few things and back up some others.