Check Out Your COMPUTER, NEW THREAT RANSOM-F is Spreading
Posted by Hari Saryono on 31 March 2009
I got 2 virus warnings in my box lately, but the most interesting one is RANSOM-F. This is a new virus, reported on March 25, 2009. Its name varies by vendor:
- Trojan.Xrupter [Symantec]
- Trojan-Ransom.Win32.Fixer.a [Kaspersky Lab]
- Trojan:Win32/Fakecorr [Microsoft]
Behaviour
You have this virus if, when you open your documents (almost any document type), you get a message telling you that the document is corrupt. If you click Repair File, the Trojan then downloads a program called FileFix Professional 2009.
FileFix Professional is ransomware that requires you to purchase it in order to fix files that have been encrypted on your computer. This program is advertised through a Trojan with the filename C:\Windows\system32\fpfstb.dll. Once you are infected with this Trojan, every time you open an Office document, PDF, etc., it encrypts the file so that it becomes unreadable by its normal application. When you then try to open the file, the same Trojan displays an alert stating that your file is corrupted and that you should click on the alert to fix it. Clicking the alert automatically downloads and installs FileFix Professional onto your computer.
When FileFix Professional runs it scans your computer for encrypted files and then allows you to fix only one of these corrupted files. Unfortunately, if the Trojan is still installed on your computer, it will simply encrypt the file again the next time you access it.
The program also displays a fake Windows Protection error.
Here is the list of file types the Trojan encrypts; it covers almost all of your document files:
- ppsm
- ppam
- potx
- pptx
- ppsx
- potm
- pptm
- xlam
- xltm
- xlsm
- dotm
- docm
- xlsb
- xltx
- xlsx
- dotx
- docx
- pst
- mdb
- wma
- mp3
- png
- jpeg
- jpg
- ppt
- xls
- doc
Files Dropped
The following files are added by FileFix (also detected as Ransom-F):
- %ProgramFiles%\FileFix Professional 2009\unins000.dat
- %ProgramFiles%\FileFix Professional 2009\unins000.exe
- %ProgramFiles%\FileFix Professional 2009\wizard.exe (detected as Ransom-F)
- %ProgramFiles%\FileFix Professional 2009\wizard.url
- C:\Documents and Settings\All Users\Start Menu\Programs\FileFix Professional 2009\FileFix Professional 2009 on the Web.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\FileFix Professional 2009\FileFix Professional 2009.lnk
- C:\Documents and Settings\All Users\Start Menu\Programs\FileFix Professional 2009\Uninstall FileFix Professional 2009.lnk
Where %ProgramFiles% is usually C:\Program Files.
The following registry keys and values are added:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard\advanced
  - wizard_installed = "1"
  - wizard_path = "%ProgramFiles%\FileFix Professional 2009\wizard.exe"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFix Professional 2009_is1
  - DisplayName = "FileFix Professional 2009"
  - HelpLink = "http://filefixpro.com"
  - Inno Setup: App Path = "%ProgramFiles%\FileFix Professional 2009"
  - Inno Setup: Deselected Tasks = ""
  - Inno Setup: Icon Group = "FileFix Professional 2009"
  - Inno Setup: Selected Tasks = "desktopicon,quicklaunchicon"
  - Inno Setup: Setup Version = "5.1.7"
  - Inno Setup: User = "{User name}"
  - InstallLocation = "%ProgramFiles%\FileFix Professional 2009"
  - NoModify = "1"
  - NoRepair = "1"
  - Publisher = "DataHelper Inc."
  - QuietUninstallString = "%ProgramFiles%\FileFix Professional 2009\unins000.exe" /SILENT
  - UninstallString = "%ProgramFiles%\FileFix Professional 2009\unins000.exe"
  - URLInfoAbout = "http://filefixpro.com"
  - URLUpdateInfo = "http://filefixpro.com"
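As an added example that is not part of the original post, the following Python script sweeps a machine for the dropped files and registry values listed above. It assumes the Trojan DLL lives under %SystemRoot%\system32 and that the standard Windows key name is Windows NT\CurrentVersion\WOW; the `file_exists`, `reg_value` and `expand` parameters exist so the logic can be exercised with fakes on any platform.

```python
# Added example, not from the original post: sweep for the FileFix / Ransom-F
# artefacts listed above. Real lookups are the defaults; pass fakes to test.
import os

# Dropped files from the post; %ProgramFiles% / %SystemRoot% expand at run time.
DROPPED_FILES = [
    r"%ProgramFiles%\FileFix Professional 2009\wizard.exe",
    r"%ProgramFiles%\FileFix Professional 2009\unins000.exe",
    r"%SystemRoot%\system32\fpfstb.dll",  # the Trojan that encrypts documents
]

# (HKLM sub-key, value name, expected data) taken from the registry list above.
REGISTRY_VALUES = [
    (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard\advanced",
     "wizard_installed", "1"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFix Professional 2009_is1",
     "Publisher", "DataHelper Inc."),
]

def read_hklm_value(sub_key, value_name):
    """Return the value data as a string, or None if absent / not on Windows."""
    try:
        import winreg  # Windows-only module
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub_key) as key:
            data, _ = winreg.QueryValueEx(key, value_name)
        return str(data)
    except OSError:
        return None

def sweep(file_exists=os.path.exists, reg_value=read_hklm_value,
          expand=os.path.expandvars):
    """Return one finding string per matching artefact; an empty list means clean."""
    findings = []
    for path in DROPPED_FILES:
        full = expand(path)
        if file_exists(full):
            findings.append("file present: " + full)
    for sub_key, name, expected in REGISTRY_VALUES:
        data = reg_value(sub_key, name)
        if data is not None:  # flag the value even if its data was changed
            note = "" if data == expected else " (unexpected data %r)" % data
            findings.append("registry value present: HKLM\\%s\\%s%s" % (sub_key, name, note))
    return findings

if __name__ == "__main__":
    print("\n".join(sweep()) or "no FileFix / Ransom-F artefacts found")
```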
Removal Guide
Automatic removal using Malwarebytes Anti-Malware. You can download the trial version here. Unfortunately, this utility can't decrypt the files encrypted by FileFix. To do that you need another tool, named Anti FileFix. Download here.
- First, remove the threat with Malwarebytes Anti-Malware.
- Second, use Anti FileFix to fix the encrypted files.
In order to use the program you should follow these steps:
- Run Anti FileFix.
- When the program opens, click on the Select Folder button and then select the folder you would like to scan. If you wish to scan an entire drive, select that drive letter. When the drive is selected, press the OK button.
- At this point you can click on the Scan button to have the program scan your computer for encrypted files. This mode does not decrypt them. If instead you wish to find and decrypt any files that Anti FileFix finds, click on the Scan and Fix button.
When the files are decrypted, each is written to a new file in the same folder with _fixed(1) added to the original filename (before the extension). So if the file was named test.doc, the decrypted version will be test_fixed(1).doc.
To simplify your job, you can use the Total Commander Multi-Rename Tool to rename the files decrypted by Anti FileFix.
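As an added example (not part of the original post, and not Anti FileFix's own code), this Python script does the renaming step described above for a whole folder: every `*_fixed(N).ext` copy is renamed back to `name.ext`, and any still-encrypted original that would be overwritten is moved into a quarantine sub-folder (an assumed name, `encrypted_originals`) so nothing is lost if the decryption turns out to be incomplete.

```python
# Added example, not from the original post: rename the "*_fixed(1).*" copies that
# Anti FileFix writes back to their original names, moving each still-encrypted
# original into a quarantine sub-folder rather than overwriting or deleting it.
import os
import re
import shutil
import tempfile

# Matches "test_fixed(1).doc" -> stem "test", ext ".doc"
FIXED_RE = re.compile(r"^(?P<stem>.+)_fixed\(\d+\)(?P<ext>\.[^.]+)$")

def original_name(fixed_name):
    """'test_fixed(1).doc' -> 'test.doc'; None if the name is not a decrypted copy."""
    m = FIXED_RE.match(fixed_name)
    return m.group("stem") + m.group("ext") if m else None

def restore_folder(folder, quarantine="encrypted_originals"):
    """Restore decrypted copies in `folder` (not recursive); return {fixed: original}."""
    restored = {}
    qdir = os.path.join(folder, quarantine)
    for name in sorted(os.listdir(folder)):
        orig = original_name(name)
        if orig is None:
            continue
        src = os.path.join(folder, name)
        dst = os.path.join(folder, orig)
        if os.path.exists(dst):  # encrypted original still there: keep it aside
            os.makedirs(qdir, exist_ok=True)
            shutil.move(dst, os.path.join(qdir, orig))
        os.rename(src, dst)
        restored[name] = orig
    return restored

def demo():
    """Constructed sample folder: a decrypted copy beside its encrypted original."""
    folder = tempfile.mkdtemp()
    samples = [("test.doc", b"encrypted"), ("test_fixed(1).doc", b"plain"), ("notes.txt", b"x")]
    for name, data in samples:
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    result = restore_folder(folder)
    with open(os.path.join(folder, "test.doc"), "rb") as f:
        content = f.read()
    quarantined = os.path.exists(os.path.join(folder, "encrypted_originals", "test.doc"))
    shutil.rmtree(folder)
    return result, content, quarantined
```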
Check Out Your COMPUTER, NEW THREAD RANSOM-F - eBiadoliny.info | Best Information Blog said
[…] the original post: Check Out Your COMPUTER, NEW THREAD RANSOM-F :a-message-telling, behaviour, computer, document, documents, money-before, name-varied, […]
JimmieWR said
How a u
Thread Trend begin with Ransomware (Filefix case) « Abs.Net web Page said
[…] FireEye, a company that protects critical data, IP and networks against zero-day attacks, has been able to decrypt the files that Vundo encrypts. A researcher at the company has written a Perl script that will decrypt any file Vondu encrypts and make it readable again, free of charge (see this latest post). […]
pochp said
My Spybot was corrupted and these warnings appear when I try to uninstall Spybot. Do you think this is Ransom-F?
monokeeloX said
Say saying hi to you guys!
Caccanvalycle said
I’m the only one in this world. Can please someone join me in this life? Or maybe death…
JoeyJam said
Hi,
I’ve been reading for a while and finally decided to sign up. I just wanted to say hi to everyone on the board. [url=http://www.thelostsurfer.com]:)[/url]
Lots of good information here. I hope I can contribute. Sorry if this is in the wrong forum, I’m still a little new to this.
abnombale said
Hi
Include useful high-quality information on your site
Try viral products like ebooks, reports and free software programs to get your links out into the marketplace.
Build countless anchor text links through keyword rich articles, content related blogs and products that benefit from the high PR of other sites on the web.
why it is advised to keep fewer links in a high PageRank page so that the link would be more valuable
do not wait for your website to be discovered use [url=http://www.goowal.com]goowal.com[/url]
spodafups said
What’s Up
I wanted to share with you a great site I’ve found for [url=http://esnips.com][b]Free Software Downloads[/b][/url] etc. is Esnips.com I’ve found everything on my list…
let me know what you think!, Hope this helps 😉
L8r
asytonyaa said
Which is the very good movie in 2009? Please help! Thank you.
Arrincfit said
Good day.
I found the site ( http://skachat-mp3.org.ua/ ) where i can download a music. But i dont want to pay for the track. how can i save preview on my computer ?
Gelijituity said
Hi Everybody!
Have a look on this a free URL forwarding service allow link cloaking on subdomains. This is new service, there is a lot new free names for your long url, hurry up.
You can get advanced very detailed live stats.
If you want earn money, join to affiliate program and earn unlimited income.
[url=http://www.onodot.net][b]Url Forwarding[/b][/url] & [url=http://onodot.net][b]Link Cloaking[/b][/url]
abbyabagail said
Hi Guys,
Just joined up, thought i would say Hi
maryannflesscon said
I’m a newbie from Kansas.
Really like this forum so far and am looking forward to contributing!
asytonyaa said
Which is the very good movie in 2009? Please help! Thank you.
What you think about my web? http://www.easyfaxlesspaydayloan.com [url=http://www.easyfaxlesspaydayloan.com]easy payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]fast cash advance[/url] [url=http://www.easyfaxlesspaydayloan.com]instant payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]payday cash loans[/url]
Uterloorp said
Hello,
What is the best dedicated server web hosting company?
I’m trying to build a webpage for a supervisor.
What about..
http://www.top-10-best-web-hosting.com
Thank you,
-Wendy
asytonyaa said
How can I protect myself from influenza A (H1N1)?What should I do if I need medical attention?
What you think about my web? http://www.easyfaxlesspaydayloan.com [url=http://www.easyfaxlesspaydayloan.com]easy payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]fast cash advance[/url] [url=http://www.easyfaxlesspaydayloan.com]instant payday loan[/url] [url=http://www.easyfaxlesspaydayloan.com]payday cash loans[/url]
piskodrocho said
I want to listen good music!
GiveItToUsRaaaw said
“Welcome to the beta test for Valve’s anticipated sequel left4dead II” http://left4dead2beta.com/ to receive your beta key just enter your email address and you’ll receive it in seconds!
PlexClarkerce said
how are you guys , I’ve recently found what I was looking for on absnet.wordpress.com site so far it look like a incredible penny stock pick site that I saw somewhere a while back. Ima go back to skool yay usually i’m busy and I work from home so I will check back.
hypnoticgenius said
Hi all,
New to the forum, just thought I’d introduce myself 🙂
AnnaK said
Hi, I’m Anna. My friend told me about this site so I’m just checking it out to see if I can meet new friends.
I’m a very outgoing girl, bubbly personality and I just like to enjoy life.
Hit me up if you want to cheat; I mean chat chat. You can also check out my personal website, you’ll get
to know a little more about me and my sick sense of humor. lol
********************************************************************
Get to know AnnaK
http://offto.net/annak
Empabamma said
Hello.
My computer worked slowly, many errors. Please, help me to fix errors on my PC.
I used Windows XP.
Thanks,
Empabamma
zinymegan said
Hey Guys,
I am a student (limited budget) and have seen a few offers for free iPods and iPhones. Does anyone know if any of the free iPhone or iPod offers are actually legit? I don’t want to waste my time filling out a hundred surveys and was hoping to hear from someone who may have had some success with this.
Thanks
alerninly said
Hi
Minute ago joined this forum and looking forward to reading what is on your mind and to know investment tips each day.
Gaictella said
hello , im new to this forum. its a good place
hope im welcome 🙂
agelamitler78 said
my name is Karen, London is capital of great britain
You very very veru nice and cute
Paypecype said
Hello Everyone,
I am new member right here
I not long ago discovered this place and so far i have discovered lots of good info right here.
I’m looking forward to connecting and adding to the forum.
Tankcinknot said
This is a compiled list of go daddy promo codes our entire IT group uses.
Godaddy domain coupons:
RAD7 : 30% off .com renewal domains, as many domains as you want
RAD5 : 10% off any order
RUSH3 : $7.49 domains
RUSH1 : 10% off any order
Godaddy hosting coupons:
RUSH20 : 20% Off Hosting (1,2,3 yr accounts)
CHN1 : 10% Off Monthly hosting accounts
Based on order size:
BUCK2 : $5 off order of $30 or more
MOPOFF : $10 off order of $40 or more
BUCK15 : 15% off order of $75 or more
Unique promo codes:
BUCKSSL : $12.99 SSL ( 56% Off )
AUCTION12 : 50% Off Auction accounts
These coupons do not expire so print them.
The only thing we cannot find is a .net discount, anyone got one?
HostingMurah479 said
Hello,
I just came across to absnet.wordpress.com from yahoo and I found absnet.wordpress.com very interesting.
I wish, can make lot’s of new friend here 🙂
Spartacus said
Nice information.
Thanks
SamantaBogasus said
Hey guys,
I am Samanta and I am a full time IM. I am working on Micro Niche Websites to generate income from Adsense and Affiliate marketing.
It is an honour to be amongst all of you.
Exhagegex said
Ok… Water proof profile
SandraituTaylormd said
websites forsale
Darren Bryon said
I really like the work that has gone into making the post. I will be sure to tell my blog buddies about your content keep up the good work. Thanks