|
Malware of the family Trojan-Ransom.Win32.Xorist is designed for unauthorized modification of data on a victim computer. It makes computers uncontrollable or blocks its normal performance. After taking the data as a “hostage” (blocking it), a ransom is demanded from the user.
The victim is supposed to deliver the ransom to the pirate, who is promising to send in return a program which would release the data or restore normal performance of the computer.
There is a utility to confront malware of the family Trojan-Ransom.Win32.Xorist.a-l - XoristDecryptor.exe.
Disinfection of an infected system
- Download the archive XoristDecryptor.zip.
Extract its contents using an archiver program, WinZip for example.
- Execute the file XoristDecryptor.exe.
If you run the utility without any switches, it searches for the key used to encrypt the data. As soon as the key is found, it is used to decrypt all files.
Additional command line switches:
-l <file_name> - log file name.
-y – close the window after the utility work is over.
Signs of infection
- The user is displayed with messages demanding to send an SMS to decrypt the files. The text is in Cyrillic, so it possible that you will see some hieroglyphic symbols instead.
- Another sign is presence of a file named “Прочти Меня - как расшифровать файлы” on disk C.
.jpg)
- There is a file in the folder Windows named CryptLogFile.txt.
The trojan program encrypts all files with the following extensions:
doc,xls,docx,xlsx,db,mp3,waw,jpg,jpeg,txt,rtf,pdf,rar,zip,psd,msi,tif,wma,lnk,gif,bmp,ppt,pptx,docm,xlsm, pps,ppsx,ppd,tiff,eps,png,ace,djvu,xml,cdr,max,wmv,avi,wav,mp4,pdd,
html,css,php,aac,ac3,amf,amr,mid,midi,mmf,mod,mp1,mpa,mpga,mpu,nrt,oga,ogg,pbf,ra,ram,raw,saf,val,wave,wow,wpk,3g2,3gp,3gp2,3mm,amx,avs,bik,bin,dir,divx,dvx,evo,
flv,qtq,tch,rts,rum,rv,scn,srt,stx,svi,swf,trp,vdo,wm,wmd,wmmp,wmx,wvx,xvid,3d,3d4,3df8,pbs,adi,ais,amu,arr,bmc,bmf,cag,cam,dng,ink,jif,jiff,jpc,jpf,jpw,mag,mic,mip,msp,nav,
ncd,odc,odi,opf,qif,qtiq,srf,xwd,abw,act,adt,aim,ans,asc,ase,bdp,bdr,bib,boc,crd,diz,dot,dotm,dotx,dvi,dxe,mlx,err,euc,faq,fdr,fds,gthr,idx,kwd,lp2,ltr,man,mbox,msg,nfo,now,odm,
oft,pwi,rng,rtx,run,ssa,text,unx,wbk,wsh,7z,arc,ari,arj,car,cbr,cbz,gz,gzig,jgz,pak,pcv,puz,r00,r01,r02,r03,rev,sdn,sen,sfs,sfx,sh,shar,shr,sqx,tbz2,tg,tlz,vsi,wad,war,xpi,z02,z04,zap,
zipx,zoo,ipa,isu,jar,js,udf,adr,ap,aro,asa,ascx,ashx,asmx,asp,aspx,asr,atom,bml,cer,cms,crt,dap,htm,moz,svr,url,wdgt,abk,bic,big,blp,bsp,cgf,chk,col,cty,dem,elf,ff,gam,grf,h3m,
h4r,iwd,ldb,lgp,lvl,map,md3,mdl,mm6,mm7,mm8,nds,pbp,ppf,pwf,pxp,sad,sav,scm,scx,sdt,spr,sud,uax,umx,unr,uop,usa,usx,ut2,ut3,utc,utx,uvx,uxx,vmf,vtf,w3g,w3x,wtd,wtf,ccd,
cd,cso,disk,dmg,dvd,fcd,flp,img,iso,isz,md0,md1,md2,mdf,mds,nrg,nri,vcd,vhd,snp,bkf,ade,adpb,dic,cch,ctt,dal,ddc,ddcx,dex,dif,dii,itdb,itl,kmz,lcd,lcf,mbx,mdn,odf,odp,ods,pab,
pkb,pkh,pot,potx,pptm,psa,qdf,qel,rgn,rrt,rsw,rte,sdb,sdc,sds,sql,stt,t01,t03,t05,tcx,thmx,txd,txf,upoi,vmt,wks,wmdb,xl,xlc,xlr,xlsb,xltx,ltm,xlwx,mcd,cap,cc,cod,cp,cpp,cs,csi,dcp,
dcu,dev,dob,dox,dpk,dpl,dpr,dsk,dsp,eql,ex,f90,fla,for,fpp,jav,java,lbi,owl,pl,plc,pli,pm,res,rnc,rsrc,so,swd,tpu,tpx,tu,tur,vc,yab,8ba,8bc,8be,8bf,8bi8,bi8,8bl,8bs,8bx,8by,8li,
aip,amxx,ape,api,mxp,oxt,qpx,qtr,xla,xlam,xll,xlv,xpt,cfg,cwf,dbb,slt,bp2,bp3,bpl,clr,dbx,jc,potm,ppsm,prc,prt,shw,std,ver,wpl,xlm,yps.
|
197 
2009 Nov 12 16:51
