Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

New ransomware called Anti-Child Porn Spam Protection or ACCDFISA


  • Please log in to reply
328 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  •  Avatar image
  • Admin
  • 45,051 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:04 PM

Posted 08 April 2012 - 06:42 PM

Important Information!

Update 03/13/13: A method may be available to generate the decryption password for your files. For more information please see this post:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection/?p=3001838


A new variant of the Malware Protection ransomware has been released called Anti-Child Porn Spam Protection. This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files. The hackers then require you to send them a Moneypak, PaySafeCard, or Ukash card for values ranging from $500 - 1,000 USD in order to get the password for your files.

 

Anti-Child Porn Spam Protectionscreen shot
Click to see full screen of the Anti-Child Porn Spam Protection Ransomware


When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id 712113261 to security11220@gmail.com !!).exe. It will then use Sysinternal's SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\dvsdlk\svchost.exe when your computer starts. This program is launched immediately when you logon and blocks access to your Windows environment. If you boot your computer using a Windows Recovery disk or another offline recovery CD, you can delete or rename the c:\dvsdlk\svchost.exe file in order to regain access to your Windows Desktop. This "lockout" screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.The files that this infection creates when it is installed are:

c:\Documents and Settings\All Users\Desktop\fvd31234.bat
c:\Documents and Settings\All Users\Desktop\fvd31234.txt
c:\dvsdlk\svchost.exe
c:\ProgramData\rbnedwdels\svchost.exe
c:\ProgramData\sgcvsap\svchost.exe
c:\ProgramData\tcvedwdcv\ghzsrwhbfg.dlls
c:\ProgramData\tcvedwdcv\udsjaqsksw.dlls
c:\ProgramData\thcgds\dkpslqhnsoa.dll
c:\ultimatedecrypter\dc.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe


The Anti-Child Porn Spam Protection ransomware will also create a Windows service with a service name of fdPHosts, a display name of Function Discovery Provider Host Records, and a imagepath of C:\WINDOWS\system32\svschost.exe. This service will run in the background created password-protected copies of new data files that are created on the computer and then delete the originals. Therefore, once you regain access to your computer you should immediately disable this service.Unfortunately, at this time there is no method to create the passcodes, though one may be created in the future.




Update: 4/17/12

This ransomware has been updated today.It still uses the name Anti-Child Porn Spam Protection, but uses some different file names and service names.

The new Windows service that is created is the NIaSvc, with a display name Network Locatlon Awareness and a imagepath of C:\WINDOWS\system32\svschost.exe.

The files that are installed with this variant are:

c:\dc.exe
c:\svchost.exe
c:\Documents and Settings\All Users\Desktop\.bat
c:\Documents and Settings\All Users\Desktop\.txt
c:\ProgramData\.bat
c:\ProgramData\.dll
c:\ProgramData\.dll.dlls
c:\ProgramData\.dlls
c:\ProgramData\svchost.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe

Update 03/13/2013

There may be a way to recover your decryption password. Please follow the steps in this post.


Edited by Grinler, 13 March 2013 - 08:48 AM.
Possible way to decrypt passwords


BC AdBot (Login to Remove)

 


#2 Sani-T-Capt1

Sani-T-Capt1

  •  Avatar image
  • Members
  • 559 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Planet Earth
  • Local time:12:04 AM

Posted 08 April 2012 - 09:20 PM

How does it infect our systems? Are there sites to avoid, or is it infecting systems via e-mail? Any news for preventing this would be greatly appreciated Grinler, as for now, I think BCC is where I'll be camping until someone figures out the how and the where. :angry: :angry:
Either We Learn to Live Together as People, Or Die Apart as Fools !


Ignorance ISN'T Bliss, It's Just "IGNORANCE"!!

#3 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  •  Avatar image
  • Admin
  • 45,051 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:04 PM

Posted 09 April 2012 - 09:22 AM

From what we know, those infected are directly hacked by the malware author.

#4 Allen

Allen

  •  Avatar image
  • Members
  • 342 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:01:04 AM

Posted 09 April 2012 - 11:40 AM

that is a nasty virus
Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

#5 rotor123

rotor123

  •  Avatar image
  • Helper Emeritus
  • 8,095 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:04 AM

Posted 09 April 2012 - 12:20 PM

Hi,
I fear that this sort of thing will become more prevalent in the future.

This is just another reason why the computer should be backed up as well the backup not be left online for the malware to also encrypt.

I notice that the Rogue.FakeVimes family seems to be very active with new versions.

Best Regards
Roger

Fortune Cookie says: Fortune not Found: Abort, Retry, Ignore?

Sent from my All-In-One Desktop. Perfect for Internet, Not for heavy usage or gaming however.

How Does a computer get Infected? http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/
Forum Rules,    The BC Welcome Guide

167 @ June 2015


#6 ITGeekGirl

ITGeekGirl

  •  Avatar image
  • Members
  • 64 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:11:04 PM

Posted 09 April 2012 - 03:01 PM

I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing. You can tell (well it's obvious to me) that they've never taken a college english class their entire life. BIG CLUE THERE!

#7 accdfisa

accdfisa

  •  Avatar image
  • Banned
  • Member rank image
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 PM

Posted 09 April 2012 - 04:13 PM

Hi all, and specially hello to Fabian :)

Im the author.

Guys, I have considered my previous mistakes and wrote new unbleepable version.

and im answer for some your questions:

>Unfortunately, at this time there is no method to create the passcodes, though one may be created in
the future.

Yes, may be in the future, after
~66,282,862,563,751,221,625,826,507,369,649,000,000,000,000,000,000,000,000 years

Now password wich has been sended to us has been deleted using sdelete (in previsious using simple
delete and you can recover it in some cases and then generated passcode to decrypt).

To decrypt second part of files (minimal part) here is using another password (yes, Fabian can make
generated it, but it cant help)

Trying to catch password from process monitor? :) Yes, you can but it will be second password for
minimal part of files. First Password are succesefully sended to us and SDELETED. You cant catch it
using procmon because your screen locked :) Locker is used for protect this :) After screen unlocked
there is another password (it sdelete original password after decrypt majority files, you cant catch
this moment NEVER, beacause it sdeleted from HDD before reboot(it does not matter is this cold or hot
reboot) (password is in memory when decrypting files) and to delete screen locker you must reboot in
any ways).

Also first password is generated randomly. Unable to generate same in any ways.

sample of first password: s#u_1kEWt=dGo4qLf*vkEDPdOvkvTSVHu_1rWnd2ah=TSd&(Tu
sample of second password: Fww*wrFwVFwwL$wqr*FwwL$wqr*

Your files wich has been encrypted has been deleted using Sdelete also. (and backups has been deleted
using Sdelete also).

SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give
you confidence that once deleted with SDelete, your file data is gone forever.

read official doc here: http://technet.microsoft.com/en-us/sysinternals/bb897443

Im interesting how do you going to get this password? This is UNREAL :)

The password is 50 characters long using 77 sybmols including letters,numbers and special symbols.

This is 77 to 50 degrees and this is 211123345230697322404794315881e+94 combinations.
To bruteforce if your brute software brute 10000 passwords per second it will be take up to:
65687022485656026733869199236174e+86 years.

Use your brain and calc.exe if you dont believe me.

Possible when the aliens arrive, they decipher your files using the blasters :)

About: these files are not actually encrypted but are password protected RAR files.

And what encrytion using winrar? - Answer: AES. Google it.

>I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing.
You can tell (well it's obvious to me) that they've never taken a college english class their entire
life. BIG CLUE THERE!

LOL :) About my english - sorry Im from Mars. Marsians attacks :) Piu Piu :)

And im using big chain of servers to work and writing here. You will never know from wich country acctually im.

Edited by accdfisa, 09 April 2012 - 04:26 PM.


#8 accdfisa

accdfisa

  •  Avatar image
  • Banned
  • Member rank image
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 PM

Posted 09 April 2012 - 05:33 PM

Wait for a miracle until someone decrypt your files, and after 48 hours get a penalty for 1000$, and
after 96 hours report to FBI with password (third password) to spam software and child porn files on
your computer. Specially to dumbass who dont want to pay penalty and thinking that superman arrives and helps all(how i am writing above this is unreal to decrypt even for superman) But it will be FBI and not a superman.

Remember distributing Child Porn is very BAD! Dont distibute it, or protect your computers from hackers who so easy hacking your computers and spamming.

500$-1000$ This is penalty for your negligence!

Edited by accdfisa, 09 April 2012 - 05:44 PM.


#9 caperjac

caperjac

  •  Avatar image
  • Members
  • 1,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NS. CAN
  • Local time:01:04 AM

Posted 10 April 2012 - 12:07 PM

I'm loving the whole "Don't even try to remove this" bits. I actually giggled reading the whole thing. You can tell (well it's obvious to me) that they've never taken a college english class their entire life. BIG CLUE THERE!

avarage joe wouldn't notice this bad language ,avarage joe falls for phone call from fake Microsoft rep,telling them they got a virus on there computer ,and gives caller access to the computer ,and then pays hundreds of dollars with a credit card to remove fake virus ,go figure

My answers are my opinion only,usually


#10 Techpro6323

Techpro6323

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:04 PM

Posted 10 April 2012 - 01:51 PM

One of our servers just got this. We got the virus out but have many files that are winrared with a password. Anyone have a solution yet or suggestions on how to get the data back.

#11 accdfisa

accdfisa

  •  Avatar image
  • Banned
  • Member rank image
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:04 PM

Posted 10 April 2012 - 03:32 PM

One of our servers just got this. We got the virus out but have many files that are winrared with a password. Anyone have a solution yet or suggestions on how to get the data back.

Here is only one solution - send us 500$ moneypak code. 48 hours will end soon, and the cost rises to 1000$
Send Id and Moneypak code to email security11220@gmail.com

Edited by accdfisa, 10 April 2012 - 03:34 PM.


#12 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  •  Avatar image
  • Admin
  • 45,051 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:04 PM

Posted 10 April 2012 - 03:49 PM

Techpro, do you have any reliable backups?

#13 Techpro6323

Techpro6323

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:04 PM

Posted 10 April 2012 - 04:23 PM

Techpro, do you have any reliable backups?


Unfortunately online backup stop working a year ago. No backups....

#14 caperjac

caperjac

  •  Avatar image
  • Members
  • 1,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NS. CAN
  • Local time:01:04 AM

Posted 10 April 2012 - 06:52 PM


Techpro, do you have any reliable backups?


Unfortunately online backup stop working a year ago. No backups....



sorry wrong train of thought on my part

Edited by caperjac, 10 April 2012 - 06:59 PM.

My answers are my opinion only,usually


#15 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  •  Avatar image
  • Admin
  • 45,051 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:11:04 PM

Posted 11 April 2012 - 11:45 AM

Surak, I removed your post. We do not encourage people to pay the ransom. This is a person who hacked your servers and ransomed your data. I personally wouldn't trust them.




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users