For the past several years, Viruses have been a bane of Pranksters mainly to show off their knowledge of the inherent weaknesses in certain Operating Systems, especially the ‘Windows’.
However, a virus named ‘Cryptolocker’ is being used for the past couple of years by Criminals to extort a huge ransom from PC-Owners by threatening them with a heavy Data-loss (the estimated earnings from this crime are about $36,000 per diem). The modus operandi used by these criminals are as under:
a) Sending, as an attachment to an email, a file with double extension (e.g. ‘.pdf.exe’) which, however, looks like an Adobe file (.pdf) rather than a .exe file;
b) Taking control of ‘File-Permissions’ by a pseudo-Owner named ‘Account Unknown’ this is done at the level of main folder for the PC User (e.g. Administrator, etc) and then these Permissions are applied to all its child-folders;
c) Disabling almost all files with ‘.exe’ extension (usually used by almost all the Software Applications) even your Anti-Virus software; however, your browser and certain basic Applications that keep your PC running are, by design, not disabled (otherwise, these Criminals will not be able to communicate with you via the Net);
d) Opening the ‘writable’ files in the background (without visually opening these on the Desktop) may be with some Visual Basic script, and then:
i) changing the file ‘headers’;
ii) inserting at the very beginning of the file a Code similar to the one below:
“! c r y p t e d ! E 5 7 7 A D 4 5 9 8 5 A 0 8 B 1 A 2 C 9 5 7 C 3 D 9 3 5 F 9 F 0” followed by symbols as in any Adobe/Image file etc;
iii) encrypting the contents of the file;
iv) changing the method for deleting certain types of files affected by the virus, viz. double-click.
Probably, your PC’s information is uploaded via Adobe Updater because Acrobat is the first casualty of this virus (you are asked to re-install this Application all over again) and the capability of your Anti-Virus Application to upload files to a ‘server’ is perhaps used by this Virus to upload the information about the Names of the PC’s Users, etc.
All the Partitions (Drives) on your hard-drive are affected by the Virus; moreso, though it mainly affects the ‘writable’ files in your Documents and Settings (Windows XP) folder, yet it is not uncommon to find that some of the ‘writable’ files in the ‘Program Files’ folder have also been affected, e.g. Adobe Acrobat and Nero.
Files generally affected by encryption are:
i) .txt, .doc, .xml, .php, .pdf, .js etc
ii) .swf, and other media files like .flv and .mov
iii) image files like .jpg, .png, etc
Note : The files that are not affected are: such files as were already open on your Desktop when Virus-attack occurred, certain media files (e.g. .mp3, .wav etc), web-files (i.e. .html, .htm, .mht), files that are password-protected, files created by certain software Applications like Serif PagePlus etc.
As a result, you are unable to open and read/view/play your files. The Code above contains a Key which is probably unique for each PC, and it is also stored on a ‘live’ (online) server somewhere which may or may not belong to these Criminals.
Finally, the end-result of the virus-attack is displayed on your PC in the form of a Ransom Note it asks you to pay certain Amount (usually $200, in bitcoin etc) in order to obtain the Key for decrypting your files (decrypting may also take a few hours). You are given a short time-limit within which to deposit the said Amount, and the Amount increases manifold if the said time has elapsed. Finally, you stand to lose your Data if you don’t pay unless you have used fail-safe method of regularly burning your important data on CDs/DVDs (backup storage) like I do.
How did the attack occur:
I am using Windows XP (SP3) and Avast Free Anti Virus. Suddenly, one day, I received a Message from my Avast Anti-Virus Application that it has attached a small Note to an uploaded file whereas I had never uploaded any file that day. This was probably the stage when Cryptolocker uploaded the User’s information (User’s Account Name under ‘Documents and Settings’) and also a cryptographic key to a server online.
When Cryptolocker was still encrypting my files (silently behind the scenes) I switched off my PC not knowing anything about the ongoing Viral Attack. As a result, the Ransom Note never appeared on my Desktop.
Upon reboot, the first indication that something was amiss was given by the missing Desktop Wallpaper. When I went to My Pictures folder I found that no preview of images in this folder was available; moreso, the ‘Display Properties’ window for the Desktop (for fixing the missing Wallpaper) had also crashed. At this stage, I found that almost ALL ‘.exe’ files failed to open, including my Avast Free Anti-Virus.
When I double-clicked on some of the affected (encrypted) .js and .xml files, these files disappeared altogether.
The only hint of what was wrong was an Error Message about File Permissions when I opened the Properties window in ‘My Pictures’ folder => Security tab I found two new Account Unknown entries at the Top of the List of Owners, and these had inherited the Permissions from a higher level of folder than the one named My Pictures (i.e. from the main folder for current User under ‘My Documents and Settings). So, I first broke the chain of inheritance from parent folder, and then DELETED (one by one) the said two new Owner Accounts from the topmost folder upto ‘My Pictures’ (i.e. down to the child-folders).
To view a missing Security tab, open Folder Options in Control Panel: Click Start, and then click Control Panel. Click Appearance and Themes, and then click Folder Options. On the View tab, under Advanced settings, clear ‘Use simple file sharing [Recommended]’.
Since I was repeatedly getting an Error Message about Adobe, it was suspected that the external server connection was being established through Adobe. Hence, I DELETED Adobe Updater from the following Registry entry:
H_KEY_CURRENT_USER => Software => Microsoft => Windows => CurrentVersion => RunOnce
Thereafter I used the simple steps for restoring file association for ‘.exe’ files, and for previewing images, e.g.
i) regsvr32 %systemroot%\system32\shimgvw.dll
ii) Click Start, and then click Run. Type command.com , and then press Enter. (A DOS window opens.) Type the following:�
Press Enter after typing each line above.�
Now type/copy regedit.exe regedit.com, and then press Enter.�
Type start regedit.com and then press Enter. �
Navigate to, and select the key:
In the right pane, double-click the (Default) value.�
Delete the current value data, and then type:�
Tip: Type the characters: quote-percent-one-quote-space-percent-asterisk.�
Close Regedit utility.
Then I ran Kaspersky online Virus scan and, thereafter, my Avast Antivirus (both Quick Scan and Boot-time Scan).
Since I regularly backup my important Documents on CDs/DVDs, I restored the same on my PC from the backup storage.
Reinstalled Adobe Acrobat Application.
A few files had escaped encryption since I had switched off the PC.
The above Steps were made possible by the Search made by me on the Internet, i.e. by the contributions made by several PC-Users. However, there is URGENT need for further Research on:
i) how to prevent ‘uploading’ of your PC’s information (e.g. the User Names);
ii) how to prevent the opening of double-extension files.
Certain VBScript files can be harmful to your system (e.g. the ones that open your files, in the background, for writing). You can use the following steps to disable the execution of VBScript files:
1. Left-click My Computer.
2. Click the Tools menu.
3. Select the File Types tab.
4. Scroll and select the VBScript type.
5. Click the Delete button.
6. Select Yes to the confirmation.
7. Click OK.
Hope this helps PC-Users to protect themselves from Cryptolocker.