New ransomware called Anti-Child Porn Spam Protection or ACCDFISA

A new variant of the Malware Protection ransomware has been released called Anti-Child Porn Spam Protection. This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files. The hackers then require you to send them a Moneypak, PaySafeCard, or Ukash card for values ranging from $500 - 1,000 USD in order to get the password for your files.

 

When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id 712113261 to security11220@gmail.com !!).exe. It will then use Sysinternal's SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\dvsdlk\svchost.exe when your computer starts. This program is launched immediately when you logon and blocks access to your Windows environment. If you boot your computer using a Windows Recovery disk or another offline recovery CD, you can delete or rename the c:\dvsdlk\svchost.exe file in order to regain access to your Windows Desktop. This "lockout" screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.The files that this infection creates when it is installed are:

c:\Documents and Settings\All Users\Desktop\fvd31234.bat
c:\Documents and Settings\All Users\Desktop\fvd31234.txt
c:\dvsdlk\svchost.exe
c:\ProgramData\rbnedwdels\svchost.exe
c:\ProgramData\sgcvsap\svchost.exe
c:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls
c:\ProgramData\tcvedwdcv\udsjaqsksw.dlls
c:\ProgramData\thcgds\dkpslqhnsoa.dll
c:\ultimatedecrypter\dc.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

The Anti-Child Porn Spam Protection ransomware will also create a Windows service with a service name of fdPHosts, a display name of Function Discovery Provider Host Records, and a imagepath of C:\WINDOWS\system32\svschost.exe. This service will run in the background created password-protected copies of new data files that are created on the computer and then delete the originals. Therefore, once you regain access to your computer you should immediately disable this service.Unfortunately, at this time there is no method to create the passcodes, though one may be created in the future.

---

Update: 4/17/12

This ransomware has been updated today.It still uses the name Anti-Child Porn Spam Protection, but uses some different file names and service names.

The new Windows service that is created is the NIaSvc, with a display name Network Locatlon Awareness and a imagepath of C:\WINDOWS\system32\svschost.exe.

The files that are installed with this variant are:

c:\dc.exe
c:\svchost.exe
c:\Documents and Settings\All Users\Desktop\.bat
c:\Documents and Settings\All Users\Desktop\.txt
c:\ProgramData\.bat
c:\ProgramData\.dll
c:\ProgramData\.dll.dlls
c:\ProgramData\.dlls
c:\ProgramData\svchost.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

Update 03/13/2013

There may be a way to recover your decryption password. Please follow the steps in this post.

Edited by Grinler, 13 March 2013 - 08:48 AM.
Possible way to decrypt passwords

How does it infect our systems? Are there sites to avoid, or is it infecting systems via e-mail? Any news for preventing this would be greatly appreciated Grinler, as for now, I think BCC is where I'll be camping until someone figures out the how and the where.

From what we know, those infected are directly hacked by the malware author.

that is a nasty virus

Hi,
I fear that this sort of thing will become more prevalent in the future.

This is just another reason why the computer should be backed up as well the backup not be left online for the malware to also encrypt.

I notice that the Rogue.FakeVimes family seems to be very active with new versions.

Best Regards
Roger

I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing. You can tell (well it's obvious to me) that they've never taken a college english class their entire life. BIG CLUE THERE!

Hi all, and specially hello to Fabian

Im the author.

Guys, I have considered my previous mistakes and wrote new unbleepable version.

and im answer for some your questions:

>Unfortunately, at this time there is no method to create the passcodes, though one may be created in
the future.

Yes, may be in the future, after
~66,282,862,563,751,221,625,826,507,369,649,000,000,000,000,000,000,000,000 years

Now password wich has been sended to us has been deleted using sdelete (in previsious using simple
delete and you can recover it in some cases and then generated passcode to decrypt).

To decrypt second part of files (minimal part) here is using another password (yes, Fabian can make
generated it, but it cant help)

Trying to catch password from process monitor? Yes, you can but it will be second password for
minimal part of files. First Password are succesefully sended to us and SDELETED. You cant catch it
using procmon because your screen locked Locker is used for protect this After screen unlocked
there is another password (it sdelete original password after decrypt majority files, you cant catch
this moment NEVER, beacause it sdeleted from HDD before reboot(it does not matter is this cold or hot
reboot) (password is in memory when decrypting files) and to delete screen locker you must reboot in
any ways).

Also first password is generated randomly. Unable to generate same in any ways.

sample of first password: s#u_1kEWt=dGo4qLf*vkEDPdOvkvTSVHu_1rWnd2ah=TSd&(Tu
sample of second password: Fww*wrFwVFwwL$wqr*FwwL$wqr*

Your files wich has been encrypted has been deleted using Sdelete also. (and backups has been deleted
using Sdelete also).

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give
you confidence that once deleted with SDelete, your file data is gone forever.

read official doc here: http://technet.microsoft.com/en-us/sysinternals/bb897443

Im interesting how do you going to get this password? This is UNREAL

The password is 50 characters long using 77 sybmols including letters,numbers and special symbols.

This is 77 to 50 degrees and this is 211123345230697322404794315881e+94 combinations.
To bruteforce if your brute software brute 10000 passwords per second it will be take up to:
65687022485656026733869199236174e+86 years.

Use your brain and calc.exe if you dont believe me.

Possible when the aliens arrive, they decipher your files using the blasters

About: these files are not actually encrypted but are password protected RAR files.

And what encrytion using winrar? - Answer: AES. Google it.

>I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing.
You can tell (well it's obvious to me) that they've never taken a college english class their entire
life. BIG CLUE THERE!

LOL About my english - sorry Im from Mars. Marsians attacks Piu Piu

And im using big chain of servers to work and writing here. You will never know from wich country acctually im.

Edited by accdfisa, 09 April 2012 - 04:26 PM.

Wait for a miracle until someone decrypt your files, and after 48 hours get a penalty for 1000$, and
after 96 hours report to FBI with password (third password) to spam software and child porn files on
your computer. Specially to dumbass who dont want to pay penalty and thinking that superman arrives and helps all(how i am writing above this is unreal to decrypt even for superman) But it will be FBI and not a superman.

Remember distributing Child Porn is very BAD! Dont distibute it, or protect your computers from hackers who so easy hacking your computers and spamming.

500$-1000$ This is penalty for your negligence!

Edited by accdfisa, 09 April 2012 - 05:44 PM.

I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing. You can tell (well it's obvious to me) that they've never taken a college english class their entire life. BIG CLUE THERE!

avarage joe wouldn't notice this bad language ,avarage joe falls for phone call from fake Microsoft rep,telling them they got a virus on there computer ,and gives caller access to the computer ,and then pays hundreds of dollars with a credit card to remove fake virus ,go figure

One of our servers just got this. We got the virus out but have many files that are winrared with a password. Anyone have a solution yet or suggestions on how to get the data back.

One of our servers just got this. We got the virus out but have many files that are winrared with a password. Anyone have a solution yet or suggestions on how to get the data back.

Here is only one solution - send us 500$ moneypak code. 48 hours will end soon, and the cost rises to 1000$
Send Id and Moneypak code to email security11220@gmail.com

Edited by accdfisa, 10 April 2012 - 03:34 PM.

Techpro, do you have any reliable backups?

Techpro, do you have any reliable backups?

Unfortunately online backup stop working a year ago. No backups....

Techpro, do you have any reliable backups?

Unfortunately online backup stop working a year ago. No backups....

sorry wrong train of thought on my part

Edited by caperjac, 10 April 2012 - 06:59 PM.

Surak, I removed your post. We do not encourage people to pay the ransom. This is a person who hacked your servers and ransomed your data. I personally wouldn't trust them.