
HowDecrypt or CryptorBit Encrypting Ransomware - $500 USD Ransom Topic


1760 replies to this topic

#16 Quads


Posted 28 December 2013 - 09:47 PM

Are you also able to double-check the file mlhl.exe with VirusTotal to see what comes back as results?


Edited by Quads, 28 December 2013 - 09:48 PM.




#17 Grinler

    Lawrence Abrams (Admin, Topic Starter)

Posted 28 December 2013 - 10:58 PM

Grinler, what do you mean by "infected files"?
 
I have a backup version of many clean files (before infection) and a version of the same files after infection.
I also can retrieve the mlhl.exe that probably did the whole mess. The Trojan was found in that file.
 
The size of each infected file is 0.5KB more than the size of its clean file.
I opened an xlsx file with a Hex Editor and found that a number of bytes were added at the start and at the end of the file, whereas a number of bytes were deleted.


We are looking for the infection files that actually encrypt the files.

#18 stavrino


Posted 29 December 2013 - 02:40 PM

OK. More details about this Trojan and how a computer in our lab got infected by a student.
I searched all the log files and history and found out the following (I followed the same steps later in order to be sure that this was the way he got infected):
 
1. He visited the link hXXp://debonairerotica.pornblogy.com/front-lift-bleep.html
2. Then he joined hXXp://63496c2e.galleries.bz/ from the above page.
3. At the new page a pop-up window appears in order to download an FLV Player, so he pressed the "Click here to start downloading" link and downloaded and installed the FLVPlayerSetup-d48Yg73.exe file.
4. The infection started after the first reboot of the PC.
5. The antivirus (Symantec) was running! However if you try to start a scan it says that "Another scan is in progress. Your scan will be queued if you want to continue with the scan." !!!
6. It is easy to remove the threat (even with Symantec, but you have to re-install it). However you cannot restore the "decrypted" files that have been influenced.
7. It is sure that we are not talking about real decryption. You cannot decrypt thousands of files in less than 15 minutes! I would rather call it "editing files" than "decrypting files".
 
 
Mod Edit... Broke link to possible dangerous files. ~~ boopme

Edited by boopme, 29 December 2013 - 03:12 PM.


#19 Grinler

    Lawrence Abrams (Admin, Topic Starter)

Posted 30 December 2013 - 10:19 AM

Thanks .. will see if I can use that info to find the infector.

#20 TheAlexPanther


Posted 30 December 2013 - 02:02 PM

So that means there is no way to get the clean files back decrypted?



#21 TheAlexPanther


Posted 02 January 2014 - 02:20 PM

I checked all the encrypted video files; all of them start with a common FLV video header. Exactly the first 500 bytes of each video file look edited in the same way in every other FLV (other formats I don't know). If so, I don't know how they can decrypt the files. But I don't have the know-how to say this. Can this be of some help? I used the XVI32 editor.

Thanks   



#22 IOvei


Posted 02 January 2014 - 05:31 PM

OK, I've got some useful information I think...

 

After reading through this thread last night I sort of realized something that I had been thinking for quite a while, that the files weren't encrypted, but had somehow been modified. The answer I believe is that the virus uses a hex editor of one kind or another and does the following: Replaces the first ~20 lines of code in any given file, and also: Adds 32 lines of extras at the end of the file.

 

I know this because I was able to open a before and after comparison of numerous files in HxD and compare them, and by copying and replacing the first 20 lines, (I'm not sure of the actual number, it is everything before 200 I think) and then deleting the last 32 lines (that is an exact number) I was able to then save and open all files I attempted this on. (Including jpegs, .dwg files, .xlsx files and others.) Because I had some files that were created after the most recent usable backup was available I had a problem: What do I put in those first 20 lines of code that was overwritten to make it work?? The answer was to take a sample from an identical type of file and replace it with that. (In other words: 20 lines from an xlsx doc that isn't actually related to the one that is "encrypted" instead of from the same doc itself.) Once again I have been able to open every file I have tried this on, and they appear to be completely intact.

 

So what we need now is someone who can write a script to replace those first 20 lines of code, and delete the last 32 lines of code, for any file that has been affected.

 

Hopefully this helps in some way or another!!

 

Cheers,

dce



#23 stavrino


Posted 05 January 2014 - 12:41 PM

I agree with IOvei. I was trying to recover an infected jpg file with EXIF segment and I found out the following:

 

1. The last 512 bytes (200 in Hex) must be deleted. They were added by howdecrypt.

 

2. The first 512 bytes (200 in Hex, from Offset 0 to Offset 199) have been edited by howdecrypt (it adds its own same "header" to all files). These bytes must be replaced by the first 512 bytes of another (not infected) jpg with EXIF segment.

 

3. The problem then is with the bytes: Offset 4 and Offset 5. These two bytes indicate the length of the APP0 or APP1 block. They must be corrected for the infected file, since they are not the same with the ones copied from the "not infected" jpg.

 

Does anyone know how to calculate the length of the APP1 block of a jpg file if these 2 bytes are wrong?



#24 stavrino


Posted 05 January 2014 - 02:30 PM

I followed the above steps in other files too (doc, xls, pdf), since the changes "Howdecrypt" did are exactly the same in every file.

Unfortunately, none of them was recovered. It seems that these 512 first bytes of the files are not a typical "header" that can be replaced by another "header" of a clean file.

 

However, I think that jpg files (e.g. photos from a camera) can be recovered if:

a. you have a clean jpg photo from the same camera

b. you can calculate the length of the APP1 block of the jpg in order to edit bytes Offset 4 and Offset 5

 

Any ideas?


Edited by stavrino, 05 January 2014 - 02:30 PM.
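The repair procedure described in IOvei's post (#22) and stavrino's JPEG-specific follow-ups (#23 and #24), as an added example that is not code from the thread or from any of its posters: it drops the last 512 bytes, grafts the first 512 bytes from a clean donor file of the same type, and, for JPEGs, answers the APP1 length question by scanning the surviving data for the next top-level marker and rewriting the length field at offsets 4 and 5. It generalizes the posts' APP0/APP1 case slightly: whichever length-bearing segment begins inside the donor bytes and runs past the 512-byte boundary gets its length recomputed. The 512-byte block size is taken from the posts; the function names and the sample files built inside the block are this example's own assumptions, and the sample files are constructed marker skeletons, not real photos.

```python
"""Repair for the damage pattern described in the thread: first 512 bytes overwritten
with a fixed block and 512 bytes appended. Standard library only."""
import struct
import sys

BLOCK = 512                                   # assumed block size, taken from the posts
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
_STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))   # markers without a length field


def strip_tail_and_graft_header(damaged, donor, block=BLOCK):
    """Generic repair (post #22): drop the appended block, take the head from a clean donor."""
    if len(damaged) < 2 * block or len(donor) < block:
        raise ValueError("file too short for this repair")
    return donor[:block] + damaged[block:-block]


def _walk_segments(data, start, limit):
    """Yield (offset, marker, end) for top-level JPEG segments that start before `limit`.
    Stops at SOS (entropy-coded data follows) or at the first byte that is not a marker."""
    pos = start
    while pos + 1 < len(data) and pos < limit:
        if data[pos] != 0xFF:
            return
        marker = data[pos + 1]
        if marker in _STANDALONE:
            end = pos + 2
        elif pos + 4 <= len(data):
            end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        else:
            return
        yield pos, marker, end
        if marker == SOS:
            return
        pos = end


def chain_reaches_sos(data, start=0):
    """True if following the segment lengths from `start` arrives at a Start-Of-Scan marker."""
    return any(m == SOS for _, m, _ in _walk_segments(data, start, len(data)))


def find_next_top_level_marker(data, start):
    """Scan forward from `start` for a marker whose length chain leads to SOS.
    An EXIF thumbnail is a complete JPEG (SOI ... EOI) nested inside APP1, so nesting
    depth is tracked and the thumbnail's own DQT/SOF/SOS markers are ignored."""
    depth, pos = 0, start
    while pos + 1 < len(data):
        marker = data[pos + 1]
        if data[pos] == 0xFF and marker not in (0x00, 0xFF):
            if marker == SOI:
                depth += 1
            elif marker == EOI:
                depth = max(depth - 1, 0)
            elif depth == 0 and marker not in _STANDALONE and chain_reaches_sos(data, pos):
                return pos
        pos += 1
    raise ValueError("no plausible marker chain found after offset %d" % start)


def repair_jpeg(damaged, donor, block=BLOCK):
    """Graft the donor head, then recompute the length of the segment that straddles
    the block boundary (the APP0/APP1 length at offsets 4-5 in posts #23 and #24)."""
    out = bytearray(strip_tail_and_graft_header(damaged, donor, block))
    if out[:2] != b"\xff\xd8":
        raise ValueError("donor does not start with a JPEG SOI marker")
    sized = [off for off, m, _ in _walk_segments(out, 0, block)
             if m not in _STANDALONE and off + 4 <= block]
    if not sized:
        raise ValueError("no length-bearing segment inside the donor head")
    off = sized[-1]                              # last segment that begins in the donor bytes
    new_end = find_next_top_level_marker(out, block)
    out[off + 2:off + 4] = struct.pack(">H", new_end - (off + 2))
    if not chain_reaches_sos(out):
        raise ValueError("repaired header does not parse; try a donor from the same camera")
    return bytes(out)


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_files():
    """Constructed test data, not real photos: a minimal JPEG marker skeleton, the same
    file damaged as the thread describes, and a donor whose APP1 is a different length."""
    thumb = (b"\xff\xd8" + _segment(0xDB, bytes(64)) + _segment(0xC0, bytes(15))
             + _segment(0xDA, bytes(10)) + b"\x12\x34" * 30 + b"\xff\xd9")
    body = (_segment(0xDB, bytes(64)) + _segment(0xC0, bytes(9)) + _segment(0xDA, bytes(6))
            + b"\x55" * 100 + b"\xff\xd9")

    def jpeg(trailing_exif):
        return b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00" + b"A" * 520 + thumb + trailing_exif) + body

    clean, donor = jpeg(b"B" * 200), jpeg(b"C" * 100)
    damaged = b"\x5a" * BLOCK + clean[BLOCK:] + b"\x99" * BLOCK   # fixed head + appended tail
    return clean, damaged, donor


if __name__ == "__main__":                       # usage: repair.py DAMAGED.jpg DONOR.jpg OUT.jpg
    damaged, donor = (open(p, "rb").read() for p in sys.argv[1:3])
    open(sys.argv[3], "wb").write(repair_jpeg(damaged, donor))
```

Two limits follow from the damage itself: the original first 512 bytes are gone, so recovery needs a donor with the same segment layout (stavrino's "same camera" condition), and if the original APP1 ended inside those 512 bytes there is nothing left to measure. The marker scan validates each candidate by walking its length chain to SOS, which is why a stray 0xFF pair inside binary EXIF data is not taken as the segment end. For docx/xlsx there is no length field to fix; `strip_tail_and_graft_header` alone is the step dbsd reports, with Word's own recovery doing the rest.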


#25 dbsd


Posted 05 January 2014 - 04:10 PM

I was able to recover a .docx file by removing the tail end and replacing the header. When I opened the file, Word detected that there was an error and recovered the document.

 

Edit: Alternatively you can try 'Shadow Explorer' and recover some of your files, as it allows you to export the shadow copies/previous versions of your documents/photos/files if you had that service running on your machine at the time.


Edited by dbsd, 05 January 2014 - 04:16 PM.


#26 gkokos


Posted 05 January 2014 - 07:06 PM

Hello all,

 

I have the same virus, hit me 5 days ago. Let me know if I can be of help.

 

Thanks///gkokos



#27 vaso


Posted 06 January 2014 - 08:02 AM

Hi, I just submitted the 2 exe files of this malware from the quarantine of my friend, who was infected with it. I uploaded them on the link that was given in the first post. The names of the 2 files are bljs.rar and ugrplo.rar. Please have a look at them and please help us. Thanks.



#28 flydawg


Posted 19 January 2014 - 11:18 AM

Hi Bleep Bleep and all others in this thread. Thanks for all advice.

Here's what I've found and wish I could get more help!:

I've downloaded HxD and opened one of the "encrypted" jpeg files and..

 

I've completely deleted all information above FF D8 and all below FF D9

The picture is now visible and intact, but thumbnail size, although the file size is still large (over 1 MB).

what am I missing?

Thanks again!!



#29 flydawg


Posted 20 January 2014 - 06:24 PM

So, I see I still have a lot to learn about jpegs.

Each camera writes differently. As well, the thumbnail is included within the file.

So, are these files encrypted? If not, it would seem to me that even the encryptor could not decipher them after overwriting the first 512 bytes, as the picture is proprietary to its generator.

I wonder if someone would send me a picture or other encrypted file, as the first 512 bytes seem to be identical no matter what the file type is. I think, above being an ass, this person is a genius and I wonder just how much $$ he's received. Also, someone out there has to be smarter than that and write a batch fix, if it's possible!!

 

(forgive typos & ignorance) thanks!



#30 flydawg


Posted 22 January 2014 - 05:25 PM

Dear Lawrence,

I'm a nimrod. I don't know what I'm doing.

I've found, as others found, that the first 512 bytes of our "encrypted" files are nothing but nothing that doesn't mean a thing. (It is the same as found in all encrypted files.)

But the last 512 bytes must have the key, as these are not the same in any file.

So that being said, is this the encryption of the first 512 bytes? How does it work?

Please help me in my journey of decrypting the last 20 years (dumb butt) of no backup pictures and documents.

Thank you so much in advance... "howdecrypt" loser.





