Abs.Net web Page

Share Your Knowledge, Build your Network..

Check Out Your COMPUTER, NEW THREAD RANSOM-F is Spreading

Posted by Hari Saryono on 31 March 2009


I got 2 virus warning in my box lately, but the most interesting one is RANSOM-F. This is new virus reported on March 25, 2009. It’s name varied :

  • Trojan.Xrupter [Symantec]
  • Trojan-Ransom.Win32.Fixer.a [Kaspersky Lab
  • Trojan:Win32/Fakecorr [Microsoft]

Behaviour

You got this virus if :

When you open your documents (almost all document type), you got a message telling that your document is corrupt. If you click Repair File, the virus then download some File calls Filefix Professional 2009.

FileFix Professional is ransomware that requires you to purchase it in order to fix files that have been encrypted on your computer. This program is advertised through a Trojan that has a filename of C:/Windows/system32/fpfstb.dll. When you are infected with this Trojan, every time you open a Office document, PDF, etc, it will encrypt the file so that it becomes unreadable by it’s normal application. When you try to open these files, this same Trojan will display an alert stating that your file is corrupted and that you should click on the alert in order to fix the file. When you click on this alert, it will automatically download and install FileFix Professional on to your computer.

When FileFix Professional runs it will scan your computer for encrypted files and then allow you to fix only one of these corrupted files. Unfortunately, if the Trojan is still installed on your computer it would just encrypt it again when you access the document.

This program give Fake error on Windows Protection

Check out this file infected list. It’s almost all of your document files

  • ppsm
  • ppam
  • potx
  • pptx
  • ppsx
  • potm
  • pptm
  • xlam
  • xltm
  • xlsm
  • dotm
  • docm
  • xlsb
  • xltx
  • xlsx
  • dotx
  • docx
  • pst
  • mdb
  • wma
  • mp3
  • png
  • jpeg
  • jpg
  • pdf
  • ppt
  • xls
  • doc

File Dropped

The following files are added by FileFix (also detected as Ransom-F):

  • %ProgramFiles%/FileFix Professional 2009/unins000.dat
  • %ProgramFiles%/FileFix Professional 2009/unins000.exe
  • %ProgramFiles%/FileFix Professional 2009/wizard.exe – detected as Ransom-F
  • %ProgramFiles%/FileFix Professional 2009/wizard.url
  • C:/Documents and Settings/All Users/Start Menu/Programs/FileFix Professional 2009/FileFix Professional 2009 on the Web.lnk
  • C:/Documents and Settings/All Users/Start Menu/Programs/FileFix Professional 2009/FileFix Professional 2009.lnk
  • C:/Documents and Settings/All Users/Start Menu/Programs/FileFix Professional 2009/Uninstall FileFix Professional 2009.lnk

Where %ProgramFiles% is usually C:/Program Files

The following registries are added:

  • HKLM/SOFTWARE/Microsoft/Windows NT/Current Version/WOW/keyboard/advanced
    • wizard_installed = “1”
    • wizard_path = “%ProgramFiles%/FileFix Professional 2009/wizard.exe”
  • HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/
    CurrentVersion/Uninstall/FileFix Professional 2009_is1

    • DisplayName = “FileFix Professional 2009”
    • HelpLink = “http://filefixpro.com”
    • Inno Setup: App Path = “%ProgramFiles%/FileFix Professional 2009”
    • Inno Setup: Deselected Tasks = “”
    • Inno Setup: Icon Group = “FileFix Professional 2009”
    • Inno Setup: Selected Tasks = “desktopicon,quicklaunchicon”
    • Inno Setup: Setup Version = “5.1.7”
    • Inno Setup: User = “{User name}”
    • InstallLocation = “%ProgramFiles%FileFix Professional 2009”
    • NoModify = “1”
    • NoRepair = “1”
    • Publisher = “DataHelper Inc.”
    • QuietUninstallString = “%ProgramFiles%/FileFix Professional 2009/unins000.exe” /SILENT”
    • UninstallString = “%ProgramFiles%/FileFix Professional 2009/unins000.exe”
    • URLInfoAbout = “http://filefixpro.com”
    • URLUpdateInfo = http://filefixpro.com”

Removal Guide

Automatic Removal using Malware Byte Anti Malware. You can download the trial version here. Unfortunately, this utility can’t decript file encripted by Filefix. To do so, you need another tools name Anti Filefix. Download here.

antifilefix

In order to use the program you should follow these steps:

  1. Run Anti FileFix
  2. When the program opens, click on the Select Folder button and then select the folder you would like to scan. If you wish to scan an entire drive, then select the particular drive letter. When the drive is selected, press the OK button.
  3. At this point you can click on the Scan button in order for the program to scan your computer for encrypted files. This mode does not decrypt these files. On the other hand, if you wish to find and decrypt any files that Anti FileFix finds, then you should click on the Scan and Fix button.

When the files are decrypted, they will be decrypted into a new filename in the same folder with _fixed(1) appended to the original filename. So if the file was named test.doc, the decrypted version will be test_fixed(1).doc.

To simplify your job, you can use Total Commander Multi Rename Tool to Rename files decripted by Anti Filefix.

35 Responses to “Check Out Your COMPUTER, NEW THREAD RANSOM-F is Spreading”

  1. […] the original post: Check Out Your COMPUTER, NEW THREAD RANSOM-F :a-message-telling, behaviour, computer, document, documents, money-before, name-varied, […]

  2. JimmieWR said

    How a u

  3. […] FireEye, a company that protects critical data, IP and networks against zero-day attacks, has been able to decrypt the files that Vundo encrypts. A researcher at the company has written a Perl script that will decrypt any file Vondu encrypts and make it readable again, free of charge (see this latest post). […]

  4. pochp said

    My Spybot was corrupted and these warnings appear when I try to
    uninstall Spybot. Do you think this is Ransom-F.

  5. monokeeloX said

    Say saying hi to you guys!

  6. Caccanvalycle said

    I’m the only one in this world. Can please someone join me in this life? Or maybe death…

  7. JoeyJam said

    Hi,

    I’ve been reading for a while and finally decided to sign up. I just wanted to say hi to everyone on the board. [url=http://www.thelostsurfer.com]:)[/url]

    Lots of good information here. I hope I can contribute. Sorry if this is in the wrong forum, I’m still a little new to this.

  8. abnombale said

    Hi

    Include useful high-quality information on your site

    Try viral products like ebooks, reports and free software programs to get your links out into the marketplace.

    Build countless anchor text links through keyword rich articles, content related blogs and products that benefit from the high PR of other sites on the web.

    why it is adviced to keep less links in a high PageRank page so that the link would be more valuable

    do not wait for your website to be discovered use [url=http://www.goowal.com]goowal.com[/url]

  9. spodafups said

    What’s Up

    I wanted to share with you a great site I’ve found for [url=http://esnips.com][b]Free Software Downloads[/b][/url] etc. is Esnips.com I’ve found everything on my list…

    let me know what you think!, Hope this helps😉

    L8r

  10. asytonyaa said

    Which is the very good movie in 2009? Please help!Thank you.

  11. Arrincfit said

    Good day.
    I found the site ( http://skachat-mp3.org.ua/ ) where i can download a music. But i dont want to pay for the track. how can i save preview on my computer ?

  12. Hi Everybody!

    Have a look on this a free URL forwarding service allow link cloaking on subdomains. This is new service, there is a lot new free names for your long url, hurry up.

    You can get advanced very detailed live stats.

    If you want earn money, join to affiliate program and earn unlimited income.

    [url=http://www.onodot.net][b]Url Forwarding[/b][/url] & [url=http://onodot.net][b]Link Cloaking[/b][/url]

  13. Hi Guys,
    Just joined up, thought i would say Hi

  14. I’m a newbie from Kansas.
    Really like this forum so far and am looking forward to contributing!

  15. asytonyaa said

    Which is the very good movie in 2009? Please help!Thank you.
    What you think about my web? http://www.easyfaxlesspaydayloan.com [url=http://www.easyfaxlesspaydayloan.com]easy payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]fast cash advance[/url] [url=http://www.easyfaxlesspaydayloan.com]instant payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]payday cash loans[/url]

  16. Uterloorp said

    Hello,

    What is the best dedicated server web hosting company?

    I’m trying to build a webpage for a supervisor.

    What about..

    http://www.top-10-best-web-hosting.com

    Thank you,

    -Wendy

  17. asytonyaa said

    How can I protect myself from influenza A (H1N1)?What should I do if I need medical attention?
    What you think about my web? http://www.easyfaxlesspaydayloan.com [url=http://www.easyfaxlesspaydayloan.com]easy payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]fast cash advance[/url] [url=http://www.easyfaxlesspaydayloan.com]instant payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]payday cash loans[/url]

  18. piskodrocho said

    I want to listen good music!

  19. GiveItToUsRaaaw said

    “Welcome to the beta test for Valve’s anticipated sequel left4dead II” http://left4dead2beta.com/ to receive your beta key just enter your email address and you’ll receive it in seconds!

  20. PlexClarkerce said

    how are you guys , I’ve recently found what I was looking for on absnet.wordpress.com site so far it look like a incredible penny stock pick site that I saw somewhere a while back. Ima go back to skool yay usually i’m busy and I work from home so I will check back.

  21. hypnoticgenius said

    Hi all,

    New to the forum, just thought I’d introduce myself🙂

  22. AnnaK said

    Hi, I’m Anna. My friend told me about this site so I’m just checking it out to see if I can meet new friends.
    I’m a very outgoing girl, bubbly personality and I just like to enjoy life.

    Hit me up if you want to cheat; I mean chat chat. You can also check out my personal website, you’ll get
    to know a little more about me and my sick sense of humor. lol

    ********************************************************************
    Get to know AnnaK
    http://offto.net/annak

  23. Empabamma said

    Hello.
    My computer worked slowly, many errors. Please, help me to fix errors on my PC.
    I used Windows XP.
    Thanks,
    Empabamma

  24. zinymegan said

    Hey Guys,

    I am a student (limited budget) and have seen a few offers for free ipods and iphones. Does anyone Know if any if the free IPhone or Ipod offers are actually legit? I don’t want to waste my time filling out a hundred surveys and was hoping to hear from someone who may have had some success with this.

    Thanks

  25. alerninly said

    Hi
    Minute ago joined this forum and looking forward to reading what is on your mind and to know investment tips each day.

  26. Gaictella said

    hello , im new to this forum. its a good place

    hope im welcome🙂

  27. my name is Karen, London is capital of great britain
    You very very veru nice and cute

  28. Paypecype said

    Hello Everyone,

    I am new member right here

    I not long ago discovered this place and so far i have discovered lots of good info right here.
    I’m looking forward to connecting and adding to the forum.

  29. This is a compiled list of go daddy promo codes our entire IT group uses.

    Godaddy domain coupons:
    RAD7 : 30% off .com renewal domains, as many domains as you want
    RAD5 : 10% off any order
    RUSH3 : $7.49 domains
    RUSH1 : 10% off any order

    Godaddy hosting coupns:
    RUSH20 : 20% Off Hosting (1,2,3 yr accounts)
    CHN1 : 10% Off Monthly hosting accounts

    Based on order size:
    BUCK2 : $5 off order of $30 or more
    MOPOFF : $10 off order of $40 or more
    BUCK15 : 15% off order of $75 or more

    Unique promo codes:
    BUCKSSL : $12.99 SSL ( 56% Off )
    AUCTION12 : 50% Off Auction accounts

    These coupons do not expire so print them.

    The only thing we cannot find is a .net discount, anyone got one?

  30. Hello,

    I just came across to absnet.wordpress.com from yahoo and I found absnet.wordpress.com very interesting.
    I wish, can make lot’s of new friend here🙂

  31. Spartacus said

    Nice information.
    Thanks

  32. Hey guys,

    I am Samanta and I am a full time IM. I am working on Micro Niche Websites to generate income from Adsense and Affiliate marketing.

    It is an honour to be amongst all of you.

  33. Exhagegex said

    Ok… Water proof profile

  34. SandraituTaylormd said

    websites forsale

  35. I really like the work that has gone into making the post. I will be sure to tell my blog buddies about your content keep up the good work. Thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: