samoz

Posts: 3
Rank: Newbie
Location: Slovenia

Posts by samoz
  1. I've checked your virus description and it represents exactly what I meant by "not comprehensive enough". For example, on your site only one extension added to file names is specified: ".ecc". However, all files in my case have the extension ".mp3" added. And on other sites I can see a bunch of other possible extensions. My immediate first doubt was "Am I safe enough? Does NOD really identify and without fail eliminate the correct threat? What should I do immediately?" I know that now, but when you first see such an alarm and you are aware of the danger of it, you must be a little paranoid if you have important files (at least for you) on your network. Regards Samo Z.
  2. Only that ESET software is not very comprehensive with information about the threats that the AV solution finds. There are many variants of viruses around and I suppose that AV software knows more than it tells the user (exactly which variant it is, which files and registry keys are connected to it, etc.). In my case I got only info about Filecoder.TeslaCrypt ..., but not the version. And then I had to search around to find which version it could be, whether there is any chance to decrypt files, what is smart to do immediately (shut down), etc. So, I would like to get more specific info. I am never sure if I am really safe, and I try to check manually for files and other signs connected to different versions of threats. Some other AV tools simply do this better, if not directly then at least through the virus database on the web site. In this latest case I was relatively safe (regular backups) and the virus did not expand from my Dropbox (at the beginning you cannot be sure and you are wondering what to do first). And I am afraid that my friend lost everything on his PC because of that. Regards Samo Z.
  3. I have NOD32 on two of my computers and a couple of days back an Alert window started to appear continuously, detecting Win32/Filecoder.TeslaCrypt in my Dropbox cache hidden folder (on both computers); there were over 100 alerts all the time in different tmp files (which NOD constantly cleaned out by deletion). After I stopped synchronization in the Dropbox client, the alerts stopped. I started a thorough scan of all my (local) drives and the result was "clean". Two years back I gave one of my friends a sharing link (read/write access) to one folder and its sub-folders in my Dropbox cloud. And now everything in this folder structure was encrypted with a new file extension *.mp3 (*.jpg.mp3, *.pdf.mp3, *.mp4.mp3, ...). The original files were deleted a day ago under this friend's name (in Dropbox history) and the changed files added to the cloud. All this had already been synchronized (the Dropbox client did that) to my computers (original files deleted and encrypted copies written to the local drives of my computers). In every folder in the cloud there were 3 new files containing the ransom note, a description of what to do, "Recovery + qwobe.ext" (html, txt and png files; what Rodrigo wrote above). But only the png files (the final worm wallpaper picture Recovery+qwobe.png) were synchronized to my local drive, since NOD did not allow the html and txt files to be copied; it found a threat inside. But all these files were still in the cloud. So, this is really a very unpleasant and dangerous threat.

Remember to check everywhere with different tools for detecting and cleaning filecoders. Stop synchronization to Dropbox (client) immediately. Then be sure your PC is clean and that the worm is not active (thorough, in-depth scan with updated antivirus and anti-malware tools; I suggest using more than one of them) and do that ASAP; meanwhile turn the computer off and scan it booting from an external drive, or remove your HD and scan it on another computer.

Then check Dropbox with an internet browser for new files (ransom notes, typically in html, txt and png files) in every sub-folder and for encrypted files with the new extension (typically *.original ext.mp3 for TeslaCrypt v3.0). Be very cautious here; my NOD said that the html and even the txt files are infected. Dropbox does not scan your cloud for viruses; this is your problem and you cannot do it easily. You will see whether there is a threat only when you enable synchronization again in your client and the client tries to overwrite your local files again with potentially changed (and new) files from the cloud. So be sure beforehand that you have a good and updated antivirus app active at that time. And before that you should also check all your shares allowing your friend write access to your cloud folders and cancel them (you should also make friends aware of the serious threat from your cloud if it is there). Then scan all your drives thoroughly, local and network; it could be everywhere, and if not a worm, an encrypted file could be there. Do not forget backup drives (USB); encrypted files could already be there if you did a backup (or a mirror instead of a proper backup, which could be a catastrophe for your data) before you realized that you have a problem on your PC. If you use Dropbox and you have important files there, this is maybe your best chance to get something back, although the files are encrypted there. Check Dropbox history (events) and find out when the original files were deleted and the encrypted ones added. Then restore prior versions of the files and delete the encrypted files. Check the help on how you can do that (for a large number of files you will probably have to ask Dropbox support to do that for you). NOD32 apparently does the job well. However, I am still a bit disappointed since it is very unspecific and gives very poor information about versions of the threat etc. Regards Samo Z.
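The post above describes checking a synced Dropbox tree by hand for two indicators: files whose original name has ".mp3" appended (photo.jpg.mp3) and "Recovery+<token>" ransom notes in html, txt and png form. The script below is an added example that automates that triage on a local copy; it is not from the post, from ESET or from Dropbox. It inspects file names only (the poster reports the html/txt notes themselves being flagged by the AV, so nothing is opened), builds the list of original names to restore from Dropbox version history, and reports which folders were touched. The note-name pattern is an assumption generalised from the single name shown in the thread, and the sample tree it runs on is constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# Encrypted files: the TeslaCrypt variant described in the thread appends ".mp3"
# to the original name, e.g. "photo.jpg.mp3". A genuine MP3 has only one suffix,
# so we require at least two suffixes with ".mp3" last.
ENCRYPTED_RE = re.compile(r".+\.[A-Za-z0-9]{1,5}\.mp3$", re.IGNORECASE)

# Ransom notes: the thread shows "Recovery+qwobe.png" plus html and txt twins.
# Treating "qwobe" as a random alphanumeric token is an assumption.
NOTE_RE = re.compile(r"^Recovery\+[A-Za-z0-9]+\.(html|txt|png)$", re.IGNORECASE)


def original_name(encrypted: str) -> str:
    """Strip the appended '.mp3' to get the name of the file to restore."""
    return encrypted[: -len(".mp3")]


def scan_tree(root) -> dict:
    """Walk root and return encrypted files, ransom notes, affected folders
    and the list of original names to restore from version history.

    Only file names are examined; file contents are never read.
    """
    root = Path(root)
    encrypted, notes, folders = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = str(Path(dirpath).relative_to(root))
        for name in filenames:
            rel = str(Path(dirpath, name).relative_to(root))
            if NOTE_RE.match(name):
                notes.append(rel)
                folders.add(folder)
            elif ENCRYPTED_RE.match(name):
                encrypted.append(rel)
                folders.add(folder)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "folders": sorted(folders),
        "restore_list": sorted(original_name(p) for p in encrypted),
    }


def build_sample_tree() -> str:
    """Constructed sample of a synced Dropbox folder after the incident
    (hypothetical names; the contents are one placeholder byte each)."""
    root = tempfile.mkdtemp(prefix="dropbox_sample_")
    files = [
        "Shared/photo.jpg.mp3",
        "Shared/report.pdf.mp3",
        "Shared/Recovery+qwobe.html",
        "Shared/Recovery+qwobe.txt",
        "Shared/Recovery+qwobe.png",
        "Shared/Sub/clip.mp4.mp3",
        "Shared/Sub/Recovery+qwobe.png",
        "Music/song.mp3",      # legitimate single-suffix mp3, must not match
        "Private/notes.txt",   # untouched folder
    ]
    for f in files:
        p = Path(root, f)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, value in result.items():
        print(key)
        for item in value:
            print("   ", item)
```

Run it against the local Dropbox folder (with the client already paused, as the post advises) rather than the constructed tree; the "restore_list" output is the set of paths to look up in Dropbox's version history, and "folders" tells you which shared subtrees the writer of the notes had access to.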