Virus encrypts jpeg files

For those systems that still had the original "Sample" files (pix, video, etc.) that came with Windows, it might give you what you need.

Are .ico files getting encrypted? Anything that came with the original install sounds like it would do the trick, as long as it never got updated.
 
Thanks, Doc!

OEM installations may throw a bit of a twist in it as I don't know if the decryption process needs the file date to be the same as well, but one could look to the restore partition as a source of original files.
 
Just got our first one :(

A customer just brought us an infected computer with one of the encryptors and he DOESN'T HAVE A BACKUP. Every single jpeg file looks like the attached image.

I did not want to mess with it too much so I imaged the drive first using ddrescue as both Acronis and Macrium were failing. Seems there was some file corruption as well.

The screen had a different looking html overlay to the 'Met Police' one we are accustomed to seeing. This one has four pretty sick child porn images on it.

So I went in via a Linux boot CD and renamed the html file just so we could get access. Safe mode with command prompt didn't work. It was inside the Linux environment that we realized we could not open any photos.

So we get into Normal Mode and it's running like a dog and there are all these fake registry cleaning and PC optimizing programs trying to run as well.

Checked the data again inside Windows and sure enough all the photos are encrypted.

Up pops an application called 'Dirty Decrypt' asking for a 'Pay Code' to decrypt files.

I took the Chrysanthemum.jpg file from the Sample Pictures folder and copied it to a flash drive in order to try and compare and decrypt it with the Panda or Kaspersky decryptor by using the Chrysanthemum.jpg from my own PC.

That didn't work. Kaspersky said the "Encrypted file size does not equal to original". Really? Of course it doesn't! The file has been changed and who knows what has been added to it. How can it expect the file sizes to be the same?

That's when I realize that some random photos of my own that were on the flash drive before I plugged it in, had ALSO BEEN ENCRYPTED!! :eek:

So that gets me to thinking just how scary this thing is...

I've got clients who back up their data to open shares and to permanently attached drives!!! Sheesh; I'm going to have to go into paranoid mode and try to get them to upgrade their backup systems!!


* Just tried uploading the encrypted file to this post and got this: "This PNG image has the incorrect file extension."

It's supposed to be a JPG (Chrysanthemum.jpg) so it's kind of strange that it's being detected as a PNG.

Did a screen shot of the image and uploaded that instead...
Yesterday my first laptop with the "DirtyDecrypt.exe" virus came through the door. Looks pretty nasty too, has actual child porn on the warning screen.

All the user's documents appear to be encrypted. However, from what I can gather from some of the latest security forum posts, the virus doesn't actually encrypt anything, rather it just alters code at the beginning of the file. Supposedly if you replace this code with the correct code for that specific type of file, everything is readable again. I suspect it won't be long until somebody makes a tool that automates this process. If anybody knows of one already, I'd be grateful for a link.
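The header-overwrite described in the post above, turned into a small check-and-repair routine. This is an added example, not code from the thread or from any vendor decryptor; it assumes the damage is confined to a leading prefix of the file (as the post states) and that a pristine copy of the same file is at hand, like the Chrysanthemum.jpg the earlier post pulled from another PC. The sample bytes are a constructed stand-in for a JPEG, not a real image.

```python
from pathlib import Path
from typing import Optional

# Signatures a file must start with to be what its extension claims.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",       # JPEG SOI marker
    "png": b"\x89PNG\r\n\x1a\n",   # PNG signature
}
EXT_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}

def sniff_type(data: bytes) -> str:
    """Identify the container type from the leading bytes, not the name."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def header_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises one type but the bytes say otherwise
    (the symptom the poster saw: a .jpg reported as a PNG)."""
    expected = EXT_TYPE.get(Path(name).suffix.lower())
    return expected is not None and sniff_type(data) != expected

def altered_prefix_len(original: bytes, damaged: bytes) -> int:
    """Length of the leading region that differs from the pristine copy.
    Returns -1 when sizes differ, the case the Kaspersky tool refused."""
    if len(original) != len(damaged):
        return -1
    i = len(original)
    while i > 0 and original[i - 1] == damaged[i - 1]:
        i -= 1          # walk back over the untouched tail
    return i

def restore_prefix(original: bytes, damaged: bytes) -> Optional[bytes]:
    """Copy the overwritten prefix back from the pristine file, then confirm
    the result actually carries a known signature before trusting it."""
    k = altered_prefix_len(original, damaged)
    if k < 0:
        return None
    repaired = original[:k] + damaged[k:]
    return repaired if sniff_type(repaired) != "unknown" else None

# Constructed stand-in: a 4-byte JFIF-style start, 12 bytes of header padding,
# then "picture data". The damaged copy has its first 16 bytes overwritten.
ORIGINAL = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"picture data" + b"\xff\xd9"
DAMAGED = MAGIC["png"] + b"\x01" * 8 + ORIGINAL[16:]

if __name__ == "__main__":
    print(header_mismatch("Chrysanthemum.jpg", DAMAGED))   # True
    print(altered_prefix_len(ORIGINAL, DAMAGED))          # 16
    print(restore_prefix(ORIGINAL, DAMAGED) == ORIGINAL)  # True
```

Run against real files, read both in binary mode and keep the damaged copy untouched; a size mismatch means more than the header was changed and this approach does not apply.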