NOD32_user, posted August 2, 2018:

Dear All, I am a NOD32 user on Win 7. I just visited a Chinese website to download a PDF file. My computer is corrupted. Excel and Word files now end with .roauwhd. How to clean? Please help. Also, every directory has had a file named README.txt added, reading as follows:

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: hxxp://0026dh0x08403r670ge.rsda7v45tqyvqocp.onion/roauwhd
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
hxxp://0026dh0x08403r670ge.growboy.site/roauwhd
hxxp://0026dh0x08403r670ge.stonere.host/roauwhd
hxxp://0026dh0x08403r670ge.hellput.pw/roauwhd
hxxp://0026dh0x08403r670ge.amam.space/roauwhd
Note! These are temporary addresses! They will be available for a limited amount of time!
Marcos (Administrator), posted August 2, 2018:

The files were encrypted by Filecoder.Magniber. Most likely decryption won't be possible. Please email the following stuff to samples[at]eset.com:
1. Payment instructions
2. Logs collected with ESET Log Collector (a zip archive)
3. A couple of examples of encrypted files (ideally documents)
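A small triage helper, added here and not part of the thread or of ESET's tooling, that inventories the symptoms reported above before anything is sent for analysis: it walks a directory tree, counts files carrying the .roauwhd extension, locates the dropped README.txt notes by their header line, and collects the defanged hxxp URLs from them for the incident record. The sample tree it builds is constructed for the demonstration, and the URL in it is a placeholder.

```python
# Added triage helper (not from the thread or ESET). Walks a tree, counts files
# renamed with the ".roauwhd" extension reported above, finds README.txt ransom
# notes by their header line and extracts the defanged hxxp URLs they contain.
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "README.txt"
NOTE_HEADER = "ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!"
URL_RE = re.compile(r"hxxp://\S+")  # the note's URLs are already defanged

def triage(root):
    """Return extension counts, ransom-note paths and the unique URLs found in notes."""
    ext_counts = Counter()
    notes = []
    urls = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if NOTE_HEADER in text:  # only count files that really are the note
                    notes.append(path)
                    urls.update(URL_RE.findall(text))
                continue
            ext = os.path.splitext(name)[1].lower()
            ext_counts[ext] += 1
    return {"encrypted": ext_counts[".roauwhd"],
            "notes": sorted(notes),
            "urls": sorted(urls),
            "extensions": dict(ext_counts)}

def build_sample_tree():
    """Constructed sample: two 'encrypted' docs, one untouched file, one note (placeholder URL)."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "docs")
    os.makedirs(sub)
    for rel in ("report.xlsx.roauwhd", "docs/letter.docx.roauwhd", "docs/notes.txt"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00" * 16)
    note = NOTE_HEADER + "\nhxxp://placeholder.invalid/roauwhd\nhxxp://placeholder.invalid/roauwhd\n"
    with open(os.path.join(sub, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write(note)
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```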
NOD32_user (Author), posted August 2, 2018:

Thank you, Sir. I have scanned with NOD32 and found Filecoder.Magniber present. May I delete it?
Marcos (Administrator), posted August 2, 2018:

It should be the ransomware instructions which are detected. The last variant of Magniber was seen about 10 days ago. If you got infected recently, it should be due to having outdated modules or disabled protection (e.g. if an attacker logged in via RDP and disabled the AV). However, without further logs it's impossible to tell how the infection occurred.
NOD32_user (Author), posted August 2, 2018:

The email has already been sent to samples@eset.com.
NOD32_user (Author), posted August 2, 2018:

What is the meaning of item 1, Payment instructions?
TomFace, posted August 2, 2018:

59 minutes ago, NOD32_user said:
"What is the meaning of item 1, Payment instructions?"

Whilst I cannot speak for Marcos, I would think he is referring to the "ransom" payment, as to how it was to be paid (the who, what & when... we already know why).
itman, posted August 2, 2018:

Would like some details on how you were infected. Did you actually download a .pdf file and open it using, for example, Adobe Reader?
NOD32_user (Author), posted August 3, 2018:

2 hours ago, TomFace said:
"Whilst I cannot speak for Marcos, I would think he is referring to the "ransom" payment, as to how it was to be paid (the who, what & when... we already know why)."

I do not pay the "ransom" payment.
NOD32_user (Author), posted August 3, 2018:

itman:
Firstly, I searched Google for the stretch book in PDF format under this name: 酸痛拉筋解剖书.pdf
Secondly, I visited this website: https://ck101.com/thread-4210452-1-1.html
Thirdly, I clicked this website: hxxp://katfile.com/vlbmqz07mvf5
Fourthly, I clicked an icon to download the PDF. But I did not download the PDF, nor open it. I found that it was so slow and something was strange. I closed all internet browsers.
Finally, I found that my Word and Excel files on the desktop were shown in white. My computer is corrupted. Please help.
Please let me know who made this virus. I will find someone to beat him.
itman, posted August 3, 2018:

11 hours ago, NOD32_user said:
"Secondly, I visited this website: https://ck101.com/thread-4210452-1-1.html
Thirdly, I clicked this website: hxxp://katfile.com/vlbmqz07mvf5"

I checked both these URLs at Zscaler Zulu and VirusTotal. Both of them stated the URLs are 100% clean. Next, I checked the top-level domain names at quettera.com, which actually downloads and scans all files that can be downloaded from the web sites. To begin with, both web sites are in the U.S. and hosted by Cloudflare. As far as https://ck101.com/ goes, it's 100% clean. As far as hxxp://katfile.com goes, 2 suspicious and 1 potentially suspicious file were found. The two suspicious files indicate monitoring of Google activities, which one would expect by the Chinese government. The potentially suspicious file is most interesting in that it contains suspect JavaScript code, as shown by the screenshots below. The JavaScript code definitely looks obfuscated to me. Now if you had upgraded to Win 10, Eset could employ AMSI to decode this script prior to memory execution.
itman, posted August 3, 2018:

I will also note that if you are using IE11 as your browser, make sure it is fully patched by applying all Win Updates. This Cerber ransomware variant is known to exploit an IE11 vulnerability discovered in 2017.
NOD32_user (Author), posted August 4, 2018:

itman: Would you provide a warning message when NOD32 users visit these websites: those beginning with hxxp: and hxxp://katfile.com. Thank you very much.
itman, posted August 4, 2018:

56 minutes ago, NOD32_user said:
"itman: Would you provide a warning message when NOD32 users visit these websites: those beginning with hxxp: and hxxp://katfile.com."

That is up to Eset to do. In the meantime, you can do so manually. Add the URL in the format *.katfile.com/* to the existing URL block list in Eset's Internet Protection -> Web Access section.