RSA-4096 virus

[doctorWho 0]

My wife's pc at work is infected with RSA-4096 virus for about a month. I am not sure what was the antivirus solution used at that time. A technician tried to fix it but, as he said, till now there is no better solution than format. I want to ask if Nod32 can clean the computer from the virus or, at least, if Nod32 can help her save her files.

[Marcos 5,074]

It depends on what type / variant of Filecoder encrypted the files. If she has a license for ESET, have her run a full disk scan and post here the scan results so that we know what was detected.

[doctorWho 0]

It depends on what type / variant of Filecoder encrypted the files. If she has a license for ESET, have her run a full disk scan and post here the scan results so that we know what was detected.

She does not know if the company's tech person has any spare license, seh does not anything about it. If not, will the trial version do the job? Can I borrow her my license for only one scan?

 

EDIT: after scanning, is there a way to save results in a file?

Edited January 12, 2016 by doctorWho

[Marcos 5,074]

She can activate a trial version after install, however, if decryption of the files was possible it'd be necessary to purchase a license as assisted cleaning and decryption are provided as an extra service.

[jcwrks 2]

Assuming your system restore points aren't hosed you can try shadowexplorer to recover files before the infection date. If that fails you could search for a tesladecrypt tool that works with your particular variant of the malware.

[doctorWho 0]

Hello again!! As the technician seems to be unable to do something to help, I told my wife to forward the mail to my mail account. I used Acronis true Image to back my laptop's disk sector by sector and then I opened the mail with the virus. I wanted to infect the laptop in order to be able to give you accurate info, log etc for the virus. The mail has an attached zip file containing only a .js file. I ran it and nothing happened. With right click I opened the properties, In the General tab I checked the Unlock radio button (It was saying "the file came from another computer and might be blocked to help protect this computer"), pressed Apply and tried again. I ran it many times and nothing happened. I uninstalled nod32 version 8, rebooted and ran it again. Nothing happens. My laptop cannot be infected? Why? My wife's pc has windows XP. My laptop has windows 7. Is it the reason for not getting infected?

[Marcos 5,074]

If the js file is malicious and can be actually loaded without errors, most likely it's a downloader with links that do not work any more. As a result, running it wouldn't do anything bad. You can submit the js file to Virustotal to find out how other scanners detect it. I assume it will be detected by ESET as well.

[doctorWho 0]

Here is the report from VirusTotal. Nod32 is not detecting it.

 

https://www.virustotal.com/el/file/d133f70b8c784de760c3a949cf9a6b24708812a62607a5e18f7fcc8721c3333c/analysis/1454588471/

[doctorWho 0]

I made it!!  My wife sent me via mail two encrypted files. I used TeslaDecoder from here: hxxp://download.bleepingcomputer.com/BloodDolly/TeslaDecoder.zip  and followed the instructions from "Instructions.html" which is inside the zip file of the TeslaDecoder. In an hour (with my pour 3GHz 4-core AMD cpu) I managed to find the key needed to decrypt these files.

Thank you my friend jcwrks !!!

[safety 8]

My wife's pc at work is infected with RSA-4096 virus for about a month. I am not sure what was the antivirus solution used at that time. A technician tried to fix it but, as he said, till now there is no better solution than format. I want to ask if Nod32 can clean the computer from the virus or, at least, if Nod32 can help her save her files.

 

@doctorWho

 

We had to immediately specify the extension of the encrypted files.

If it was * .vvv, then at this point, ESET has been the solution for decoding. But like BloodDolly.