ACCDFISA – RansomWare – Removal Notes + More

UPDATE (2/26/12 @ 8:20PM CST): Lawrence Abrams has posted a guide to removing this infection over at BleepingComputer.com: http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program His post includes notes that were not included in this post and also provides a much more automated process for removal. If you are removing this infection, I would consider his post a must-read! Do not consider your system fully repaired until you have thoroughly read through his removal instructions.

NOTE: It would be really useful to take a look at the previous post by Joe P. regarding this RansomWare infection here: http://blog.nfocustech.com/2012/02/accdfisa-ransomware/

In addition, JSnell has posted some useful information on BleepingComputer.com regarding his experience with removing this infection: http://www.bleepingcomputer.com/forums/topic443725.html

 

  • THE PROCESS DESCRIBED IN THIS POST WAS PERFORMED IN A WINDOWS SERVER 2008 R2 ENVIRONMENT. Unfortunately, I do not have access to another version of Windows Server to test this procedure on. The process should be fairly similar for each edition of Windows Server. Your comments and feedback will be very useful in providing information regarding how this process varies on other systems.
  • EVERY REFERENCE MADE TO THE “C: DRIVE” REFERS TO THE DRIVE THAT HOLDS THE CONTENTS OF THE WINDOWS SERVER OPERATING SYSTEM. This could very well vary for your system and should be adjusted appropriately.

 

Disclaimers / Additional Notes (PLEASE, PLEASE READ):

  1. I would STRONGLY urge you to take a backup of the system as soon as possible, even if it is still infected. Although we have learned a good bit about this infection over the past week, we still do not fully understand each and every step of its progression. Finding a way to back up the infected system before ever beginning the removal process would be ideal (i.e. cloning all hard drives that have been infected). However, I realize that this may not be easily feasible on all systems. For that reason, I will include a note in the post where the next easiest backup point is. Please listen to my word of advice and take a backup at this point if at all possible. In addition, this would be a great time to put in a plug for off-site backups if you have not already implemented them. Based on the information that has been found so far, off-site backups would not have been affected by this infection as long as the backup location is not mapped as a local drive.
  2. The steps described in this post are intended for those who have experience managing Microsoft Server systems. Please do not make any changes to your system if you are unsure of what you are doing, as you could cause major problems. Under no circumstance am I responsible for any damage that occurs to your data.
  3. Unfortunately, it appears that this particular infection deletes some types of files from the very beginning, such as Exchange and SQL database files. I’m honestly not sure what the best procedure would be to try and recover these files. The only suggestion I have is to run a program such as GetDataBack that has the ability to check for deleted files that haven’t been overwritten by the file system yet. Keep in mind that the more activity that occurs on the server, the less likely you are to have success with such a process. Therefore, I would suggest attempting this by connecting the server’s hard disk drives to another system and then running whatever type of recovery software you wish to from that system.
  4. I am certainly not a virus removal expert, but I hope that the information I have learned through trial and error will help others. I will do my best to help everyone I can who is suffering from this particular infection. Please leave your feedback in the comments so that I can correct the information in this post as needed.
  5. There are some specific references to certain software products in this article. I do not have any affiliation with the companies or groups who produce such software, but their products have worked successfully for me while trying to remove this infection. Any software mentioned in the post is the property of their respective owners and they deserve the credit for their functioning.

 

Getting Started:

Let’s jump right into it. If you are reading this post, it is likely that the screen shown below is the first sign of an infection you came across, other than a loss of network connectivity. It states something to the effect of “the server has been used to access illegal content on the internet and was shut down by the ACCDFISA, an acronym for the Anti Cyber Crime Department of Federal Internet Security Agency.”

It then asks for $100 in order for the attacker to send you a code that allows you to access your system once again. After going through the executable file that causes this particular splash screen to load, I was able to recover a code that seems to successfully disable this screen from appearing at startup. However, I do not wish to publish it or the procedure involved in recovering this code at this time, as I cannot prove that inputting the code does not cause some additional problem, such as removing a security feature or enabling the infection to proceed further with some type of harmful action. The next steps should provide a perfectly adequate way to disable this initial screen and move forward with the virus removal.

 

Steps to Disable Initial Splash Screen:

  1. Download some type of live Windows disc that allows you access to the hard drive and allows you to make security setting changes to folders. My disc of choice was Hiren’s BootCD (download location: http://www.hirensbootcd.org/download/ ), which includes a bootable version of “Mini Windows XP”. After downloading the zip, extract it and burn the .iso file included to a disc using your favorite disc image burning utility. You will then want to insert the disc into the system and boot from it. In the first screen that appears after booting from the disk, select the second option in the list that states “Mini Windows Xp”.
  2. Once Mini Windows Xp has loaded, navigate to C:\ProgramData (which is a hidden folder) using My Computer. Right-click on the “local” folder and select properties. Next, select the Security tab and select “Advanced”. Now, uncheck “Inherit from parent the permission entries…”, click “Copy” when the next dialog box pops up, and then click “OK” to save these changes. You can now remove all users except for “SYSTEM”.  For the user “SYSTEM”, select “Deny” for the “Full Control” setting. This should prevent the splash screen from loading, as this folder contains the file that the splash screen loads from.
    Note 1: Some may ask why we are not just deleting this folder. There are two answers: (1) we may need some of the files in this folder later and (2) this prevents any other virus-related service or executable from recreating the files in this directory.
    Note 2: JSnell, who has recorded his experience with this virus in a post on BleepingComputer.com, mentioned that he was able to perform these steps by booting into safe mode. The reason why I did not go that route is because we were not able to boot into safe mode on the originally infected machine. Also, based on looking through certain files that this virus executes, it appears that it attempts to disable the safe mode boot option.
  3. Next, click OK to exit the properties dialog and save the new security settings. Remove Hiren’s BootCD from the disc tray. You can now select “Shutdown” from the “Start” menu, select the “Restart” option from the drop-down menu, and then click “OK”. Allow the system to reboot into Normal mode.

 

Steps to Disable the Loading of Virus-Related Services and Startup Entries:

  1. Once the system has rebooted in Normal mode, login using an administrative account so that registry entries can be edited.
    IMPORTANT: Now would be a perfect time to complete a backup of some sort if your backup software of choice is still functioning properly. If such software is not functioning properly, consider using the built-in backup function in Windows server or some other freeware option to create a successful backup. So far, I haven’t run into an issue with losing data at this point, but it is always better to be safe than sorry!
  2. Click on the “Start” menu and select “Run”. Open the registry editor by typing “regedit” and clicking “OK”
  3. BEFORE making any changes, be sure to backup the registry by selecting “Export…” from the “File” menu. Next choose the location where you would like the registry backup saved and type in a file name for it. BE SURE that the radio button next to “All” is selected in the “Export range” section at the bottom of the window. You can now click “Save”.
  4. The following entries now need to be removed from the registry. Right-click on each of the entries listed below and select “Delete”. When asked to confirm the deletion, select “Yes”.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\svchost
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofms
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WdiServiceSysHost
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\netprofms
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WdiServiceSysHost
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\netprofms
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WdiServiceSysHost
    NOTE: You may receive an error when selecting the last two and when trying to delete them. Just click OK if the errors appear and still attempt to delete them. CurrentControlSet is only a link to whichever ControlSet00N the system booted from (the number is in HKEY_LOCAL_MACHINE\SYSTEM\Select), so if you already deleted the service under that ControlSet00N key, the CurrentControlSet entry is already gone and the error is expected.
  5. DO NOT SKIP THIS STEP. After completing the above step and exiting out of the registry editor, reboot the system. This should prevent the virus-related processes from starting once the reboot is complete.
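The same registry clean-up as a script, added here as an example and not part of the original post. It exports the registry first (step 3), shows what each entry launches so you can confirm it before deletion, removes the keys and the one Run value listed in step 4, and reports the CurrentControlSet pair as “not present” when the live ControlSet00N copy was already removed. The backup folder name is an assumption; the key and value names are the ones listed above. Run it from an elevated PowerShell prompt (PowerShell 2.0 on Server 2008 R2 is sufficient).

```powershell
# Added example, not from the original post: back up the registry, then remove
# the ACCDFISA persistence entries listed in step 4. The backup folder is an
# assumption; the key/value names are the ones from the post.
$backupDir = "C:\ACCDFISA-backup"
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

# Step 3 equivalent: a full export of HKLM (regedit File > Export with "All").
& reg.exe export HKLM "$backupDir\HKLM-full-$stamp.reg" /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed; not deleting anything." }

# CurrentControlSet is a link to one of the ControlSet00N keys; this shows which.
$current = (Get-ItemProperty "HKLM:\SYSTEM\Select").Current
"CurrentControlSet -> ControlSet{0:D3}" -f $current

$entries = @(
    "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\svchost",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost",
    "HKLM:\SYSTEM\ControlSet001\services\netprofms",
    "HKLM:\SYSTEM\ControlSet001\services\WdiServiceSysHost",
    "HKLM:\SYSTEM\ControlSet002\services\netprofms",
    "HKLM:\SYSTEM\ControlSet002\services\WdiServiceSysHost",
    "HKLM:\SYSTEM\CurrentControlSet\services\netprofms",
    "HKLM:\SYSTEM\CurrentControlSet\services\WdiServiceSysHost"
)

function Remove-PersistenceEntry([string]$Path) {
    $parent = Split-Path $Path -Parent
    $leaf   = Split-Path $Path -Leaf
    if (Test-Path $Path) {
        # A key: the MSConfig startupreg item or a service definition.
        # Print what it launches so you can confirm it is the malware first.
        $props = Get-ItemProperty $Path
        if ($props.ImagePath) { "  ImagePath = $($props.ImagePath)" }
        if ($props.command)   { "  command   = $($props.command)" }
        $regName = $Path -replace '^HKLM:\\', 'HKLM\'
        $file = Join-Path $backupDir (($Path -replace '[:\\]', '_') + ".reg")
        & reg.exe export $regName $file /y | Out-Null     # per-key backup
        Remove-Item -Path $Path -Recurse -Force
        "Removed key:   $Path"
    }
    elseif ((Test-Path $parent) -and
            (Get-ItemProperty -Path $parent -Name $leaf -ErrorAction SilentlyContinue)) {
        # A value: the svchost autostart entry under the Run key.
        "  data = $((Get-ItemProperty -Path $parent -Name $leaf).$leaf)"
        Remove-ItemProperty -Path $parent -Name $leaf -Force
        "Removed value: $Path"
    }
    else {
        # Expected for the CurrentControlSet pair once the live ControlSet00N
        # copy has been removed above.
        "Not present:   $Path"
    }
}

foreach ($e in $entries) { Remove-PersistenceEntry $e }

# Check before the reboot in step 5: nothing in the list should still resolve.
foreach ($e in $entries) {
    if (Test-Path $e) { Write-Warning "Still present: $e" }
}
```

The service control manager keeps its own view of services until the reboot in step 5, so `Get-Service netprofms` may still succeed before the reboot and should fail afterwards; the registry check at the end of the script is the reliable one to run before rebooting.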

 

Backing Up the Virus-Related Folders/Files:

  1.  VERY IMPORTANT. Log back on to the system after the reboot. Find and copy the following folders and files to a backup location of your choice. I would suggest creating a new folder to place them all in so that you do not misplace them. These folders and files will be absolutely crucial to recovering encrypted data if they turn out to be needed. I would even suggest copying these files to a second external location just in case something happens to the first copy. Here is the list of folders and files:
    >C:\ProgramData\local      (This is a hidden folder. In order to copy this folder, you will have to double-click on it first and select “Take Ownership” or change the permissions manually before copying the folder. This is due to the fact that we took away our right to access this folder earlier when we booted into Mini Windows XP.)
    >C:\decrypt      (this is a hidden folder)
    >C:\Windows\SysWOW64\dcomcnfgui.exe
    >C:\Windows\SysWOW64\ucsvcsh.exe
  2. The final file you need will most likely be called “sys100s.exe”. You will also need to backup this file along with the ones listed above. The only way to locate this file is to do a search of the C: drive, as it will probably be found in a user’s internet cache files (where Internet Explorer stores its temporary files). When running the search on the C: drive, I would suggest only searching for “sys100” and not including the final “s” or the “.exe” file extension, as it is possible that there may be variants of this file whose filenames slightly vary.
    NOTE: Don’t worry about deleting any of the files from the C: drive at this time, as they should not be causing any problems. We will go back at the very end once we have confirmed everything is resolved and remove them.
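A scripted version of this section, added as an example and not part of the original post. It takes ownership of C:\ProgramData\local (which we locked down from Mini Windows XP), copies the listed folders and files into one evidence folder, searches the C: drive for any sys100* file, writes a SHA-256 and timestamp for every collected file to a manifest, and makes the second copy the post recommends. The two destination folders are assumptions; the artifact paths are the ones listed above.

```powershell
# Added example, not from the original post: collect the virus-related folders
# and files into one evidence folder, hash them, and copy the result to a second
# location. Artifact paths are from the post; both destination folders are
# assumptions. Run from an elevated PowerShell prompt.
$evidence = "C:\ACCDFISA-backup\artifacts"
$second   = "E:\ACCDFISA-backup-copy"       # external disk or share (assumed)
if (-not (Test-Path $evidence)) { New-Item -ItemType Directory -Path $evidence | Out-Null }

# We denied ourselves access to C:\ProgramData\local earlier, so take ownership
# and grant Administrators full control before copying.
$local = "C:\ProgramData\local"
& takeown.exe /F $local /R /D Y | Out-Null
& icacls.exe $local /grant "BUILTIN\Administrators:(OI)(CI)F" /T | Out-Null

$known = @(
    "C:\ProgramData\local",
    "C:\decrypt",
    "C:\Windows\SysWOW64\dcomcnfgui.exe",
    "C:\Windows\SysWOW64\ucsvcsh.exe"
)

# The dropper sits in a user's IE cache and its name may vary, so search the
# whole drive for sys100* (hidden and system files included).
$droppers = @(Get-ChildItem -Path "C:\" -Recurse -Force -Filter "sys100*" -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer } | ForEach-Object { $_.FullName })
"Dropper candidates found: $($droppers.Count)"

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace("-", "").ToLower() }
    finally { $fs.Close() }
}

$manifest = @()
foreach ($item in ($known + $droppers)) {
    if (-not (Test-Path $item)) { Write-Warning "Not found: $item"; continue }
    # Keep a copy: -Force copies hidden items, -Recurse handles the two folders.
    Copy-Item -Path $item -Destination $evidence -Recurse -Force
    # Get-ChildItem on a file path returns that file, so this covers both cases.
    $files = Get-ChildItem -Path $item -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        $manifest += New-Object PSObject -Property @{
            Path          = $f.FullName
            Bytes         = $f.Length
            LastWriteTime = $f.LastWriteTime
            SHA256        = Get-Sha256 $f.FullName
        }
    }
}
$manifest | Sort-Object Path | Export-Csv -Path "$evidence\manifest.csv" -NoTypeInformation
$manifest | Sort-Object Path | Format-Table Path, Bytes, SHA256 -AutoSize

# Second copy, as the post recommends; the manifest lets you verify it later.
if (Test-Path (Split-Path $second -Parent)) {
    Copy-Item -Path $evidence -Destination $second -Recurse -Force
}
```

The hashes and LastWriteTime values in the manifest are also what you want on hand when submitting samples to an antivirus vendor or comparing a second infected machine against this one: identical hashes mean the same build of the dropper, and the timestamps bound the moment it landed.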

 

Restoring TCP/IP Settings:

  1. At this time, the TCP/IP settings can be reset for whichever network adapters were affected. If you’re not sure of how to do this, proceed to the Control Panel, select Network and Internet, and then select Network Connections. Right-click on the network adapter of your choice and select Properties. Once the next dialog loads, select “Internet Protocol Version 4 (TCP/IPv4)” and then select “Properties”. Once the next dialog loads, you should see that the IP address, default gateway, etc. have been changed by the virus. You can now change these options back to whatever static settings they should be or select the radio button next to “Obtain an IP address automatically” and “Obtain DNS server address automatically”. Repeat this process if you have more than one adapter that was affected.
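The same reset from PowerShell, added as an example and not part of the original post. It lists the IPv4 settings of every enabled adapter, picks out the ones the virus touched (a 172.x address with no default gateway, as described in the earlier post on this blog), and restores either static values or DHCP through the WMI configuration methods. The static addresses below are placeholders to replace with your own.

```powershell
# Added example, not from the original post: show current IPv4 settings and
# restore the adapters the virus reconfigured. The static values and the
# "172.x with no gateway" selection rule are assumptions based on the posts.
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"

foreach ($c in $configs) {
    "{0}`n  IP: {1}  Mask: {2}  GW: {3}  DNS: {4}  DHCP: {5}" -f $c.Description,
        ($c.IPAddress -join ","), ($c.IPSubnet -join ","),
        ($c.DefaultIPGateway -join ","), ($c.DNSServerSearchOrder -join ","), $c.DHCPEnabled
}

function Restore-Adapter {
    param(
        [Parameter(Mandatory=$true)] $Config,   # a Win32_NetworkAdapterConfiguration instance
        [string]$IP, [string]$Mask, [string]$Gateway, [string[]]$Dns
    )
    if ($IP) {
        # Static settings. Each WMI method returns 0 on success, 1 if a reboot is needed.
        $r1 = $Config.EnableStatic(@($IP), @($Mask)).ReturnValue
        $r2 = $Config.SetGateways(@($Gateway), @([uint16]1)).ReturnValue
        $r3 = $Config.SetDNSServerSearchOrder($Dns).ReturnValue
    } else {
        $r1 = $Config.EnableDHCP().ReturnValue
        $r2 = 0
        $r3 = $Config.SetDNSServerSearchOrder().ReturnValue   # no list = DNS from DHCP
    }
    "$($Config.Description): EnableStatic/DHCP=$r1 SetGateways=$r2 SetDNS=$r3"
}

# Adapters the virus touched: an IPv4 address in 172.x and no default gateway.
$hit = $configs | Where-Object {
    ($_.IPAddress | Where-Object { $_ -like "172.*" }) -and -not $_.DefaultIPGateway
}
foreach ($c in $hit) {
    # Placeholder static values; omit -IP/-Mask/-Gateway/-Dns to return to DHCP.
    Restore-Adapter -Config $c -IP "192.168.1.10" -Mask "255.255.255.0" `
                    -Gateway "192.168.1.1" -Dns @("192.168.1.2", "192.168.1.3")
}

# Verify: the adapters above should now report the values you set.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
    Select-Object Description, IPAddress, DefaultIPGateway, DNSServerSearchOrder | Format-List
```

If you run this over the same remote session the server is reached through, expect to lose the session the moment `EnableStatic` or `EnableDHCP` is applied; run it from the console, or at least review the first listing before uncommenting anything destructive.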

 

“Decrypting AES Files” (Extracting Password-Protected RAR Archives):

  • The attackers would love for you to think that all of your files have been encrypted with a key that only they hold. In reality, every file that has an .aes extension has been placed in its own password-protected RAR archive. (RAR does encrypt password-protected archives with AES internally, but the archive password can be recovered from the infection itself, which is what makes the files extractable.)
  • There is a “decrypter” program that is included with the virus. I have had mixed results running this program. One time it deleted files when I input files that I had recovered and another time it actually extracted the files back to their correct locations. However, for the same reason I did not provide a code for the initial splash screen, I will also not provide any of these codes, as it could cause permanent damage to your system.
  • If you just need to extract a couple of files using a RAR archive extractor, I’ll save you the trouble of reading through the next steps and tell you that the password that worked for me is the following: 1a2vn57b348741t92451sst0a391ba72
  • There is a chance that the password shown directly above and in Step 5 of this section is dynamically generated on each infected system. If this turns out to be the case, I will post instructions for how to find this password.

NOTE: I am completely aware that the process I describe below is extremely cumbersome. However, this is the easiest process I can think of at the moment. If you have a better idea of how to go about this process, please post it in the comments below and if I am able to verify that it works, I will modify this section.

  1. Download whatever RAR archive extractor you prefer and install it on the affected system. The only requirement is that it support password-protected archives (which may be all of them, I’m not sure). In our case, 7-zip File Manager worked well. It can be downloaded here: http://www.7-zip.org/ . The following steps will involve using 7-zip to extract the necessary files. The process will vary with other programs.
  2. Create a folder to make a copy of all of the archived files to. Also, create a folder somewhere to extract all the RAR archives to. These can be on the system itself or on an external device. Just be sure that the drive that these folders are located on is large enough to hold a copy of all of the archived and extracted files. It appears that the files were not compressed when they were placed into archives, so whatever size is shown in the search results (described below) is the size they will be when extracted.
  3. Open up Computer and continue to the root of whichever drive you wish to extract files from first. In the search box, type “*.aes” (without the quotation marks) and allow the search to fully complete. On the original system that I worked with that was infected, the search returned approximately 15,000 files and took about an hour to an hour and a half to complete.
  4. Once you are sure that the search has discovered all the archived files on that drive, select all of the files (CTRL + A) and copy the files (CTRL + C). Then navigate to the folder that you created in Step 2 that was created to hold a copy of all of the archived files. Paste (CTRL + V) the files into this folder.
  5. Open up 7-zip File Manager and navigate to the same folder that you just pasted all of the files into. Then select all (CTRL + A) of the files and click the Extract button near the top-left of the program window. In the dialog windows that appears, set the “Extract to:” path to the folder that you created in Step 2 to extract files to. For “Path mode:”, select “Full pathnames” from the drop-down menu. In the password box, type in: 1a2vn57b348741t92451sst0a391ba72
  6. Select “OK” and wait for 7-zip to finish extracting all of the files.
  7. Once the extraction completes, navigate to the folder that you extracted to and select all (CTRL + A) of the folders and files. Copy (CTRL + C) the folders and files.
  8. Navigate to the root of the drive that you pulled the archives from and paste (CTRL + V) the folders and files there. (Be sure that you have enough space on the drive to paste all of the extracted files.) If you are asked if you want to merge folders, select “Yes”. If there are quite a few, I would check the “Do this for all current items” option.
  9. Steps 2 through 8 of this section will need to be repeated for each drive that needs files recovered from it.
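Since the post invites a less cumbersome version of this section, here is one as an added example (not from the original post, and not the virus’s own decrypter). It reads each .aes file where it sits instead of copying 15,000 files first, confirms that each one really carries the RAR signature (the check behind the claim that the files are archives, not AES ciphertext), tests the password on one archive before touching the rest, extracts everything with stored paths into a staging folder, and then merges the staging tree onto the drive without overwriting any file that still exists. It assumes 7-Zip at its default install path and the password quoted above; if the password turns out to be per-system, the test step is where that shows up.

```powershell
# Added example, not from the original post: scripted recovery of the .aes
# archives. Assumptions: 7-Zip at the default path, the password from the post,
# and a D: drive to recover into a staging folder on C:.
$sevenZip = "C:\Program Files\7-Zip\7z.exe"
$password = "1a2vn57b348741t92451sst0a391ba72"
$drive    = "D:\"                            # drive to recover; repeat per drive
$staging  = "C:\ACCDFISA-backup\extracted-D"

if (-not (Test-Path $sevenZip)) { throw "7z.exe not found at $sevenZip" }
if (-not (Test-Path $staging))  { New-Item -ItemType Directory -Path $staging | Out-Null }

# RAR archives begin with the bytes "Rar!" 0x1A 0x07 (the same six bytes in the
# RAR 3/4 and RAR 5 signatures). A file that lacks them is not an archive.
function Test-RarSignature([string]$Path) {
    $sig = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07)
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $sig.Length
        if ($fs.Read($buf, 0, $buf.Length) -lt $sig.Length) { return $false }
        for ($i = 0; $i -lt $sig.Length; $i++) { if ($buf[$i] -ne $sig[$i]) { return $false } }
        return $true
    } finally { $fs.Close() }
}

$archives = @(Get-ChildItem -Path $drive -Recurse -Force -Filter "*.aes" -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer })
$total = ($archives | Measure-Object -Property Length -Sum).Sum
"Found $($archives.Count) .aes files, $total bytes (archives are uncompressed, so expect that much output)"

$rar = @($archives | Where-Object { Test-RarSignature $_.FullName })
$notRar = $archives.Count - $rar.Count
if ($notRar -gt 0) { Write-Warning "$notRar .aes files do not carry the RAR signature and are skipped" }
if ($rar.Count -eq 0) { throw "Nothing to extract" }

# Test the password on one archive before processing thousands.
& $sevenZip t $rar[0].FullName "-p$password" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Password rejected for $($rar[0].FullName); stop here." }

$failed = @()
foreach ($a in $rar) {
    # x = extract with the paths stored in the archive, -o = destination, -y = assume yes.
    & $sevenZip x $a.FullName "-o$staging" "-p$password" -y | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $a.FullName }
}
"Extracted $($rar.Count - $failed.Count) of $($rar.Count); failures: $($failed.Count)"
if ($failed.Count -gt 0) { $failed | Set-Content -Path "$staging\failed.txt" }

# Merge into place. /E copies subfolders; /XC /XN /XO skip any destination file
# that already exists, so nothing on the drive is overwritten.
& robocopy.exe $staging $drive /E /XC /XN /XO /XF failed.txt /NFL /NDL /NJH | Out-Null
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors (exit code $LASTEXITCODE)" }
```

Keep the original .aes files until you have spot-checked the merged output; the final cleanup section below is the point at which to delete them. Robocopy exit codes below 8 are informational (files copied, extras found), so only 8 and above indicate a real failure.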

 

Final Steps / Cleanup:

  1. I would suggest rebooting the system at this point just to make sure that everything is in working order.
  2. If you are positive that all of your files have been successfully extracted and put back in their place, you can once again search each drive for all of the .aes files, select them all, and delete them.
  3. You can now delete the virus-related folders and files that you made a copy of in the section “Backing Up the Virus-Related Folders/Files”. These no longer serve a purpose by staying on your system. However, I would not delete the backup of these files that you made, just in case it is needed.

 

Afterthoughts:

  • No one seems to be sure what exactly initiates the download of the sys100s.exe file that begins the visual activities of the virus and archives files on the system. The only way to be 100% sure that the virus is removed from your system is to reinstall your edition of Windows Server. I’m hoping that we can soon track this virus back further and find exactly what the root cause/security flaw is that is allowing such an infection through. One theory so far is that there could possibly be a keylogger that is capturing user credentials. This is based on the fact that Joe P., who wrote the previous post on this blog concerning this RansomWare infection, was able to see in his client’s server logs where a successful login occurred right before the symptoms of the virus began appearing. It is very concerning that there was not a single failed login attempt before this successful one. I will attempt to keep everyone updated if I learn any more information about this infection.
  • Please leave your feedback and comments below, as this is the only way I have of knowing that the removal process is working successfully for others. I apologize if I have gone into way too much detail in this post, but I am just trying to put out as much information as I can about this infection so that hopefully it helps as many people as possible.

 

ACCDFISA – RansomWare

 

Well, we have now had our first run-in with Ransomware.  We received a call from a client stating that they were having issues accessing a remote application server. Sure enough, we were unable to access the remote application server through the VPN connection.  Once on site, I was greeted with a screen stating that the server had been used to access illegal content on the internet and was shut down by the ACCDFISA, an acronym for the Anti Cyber Crime Department of Federal Internet Security Agency. The screen gave instructions for unlocking the system by paying $100 using Moneypak, Paysafecard, or Ukash.  This looked to be a standard scamware application so I decided to attempt removal.

Hmm, nothing I could do would allow me around this screen.  Pressing CTRL-ALT-DEL would bring up the menu allowing me to choose Task Manager but nothing would show up.  I shut down the server and was able to see Task Manager running in the background as the malicious application shut down. The application relaunched after the reboot so I decided to restart to safe mode.

I was able to start the system in Safe Mode to the Command Prompt only.  I was now able to start an analysis of the system.  My first task was to export the system log files for review on a different PC.  Next, I began tracking down how the Ransomware was loading.  I found it in one of the remote users’ appdata folder.  I now know who was logged on (or so I thought) when the application was downloaded.  At this point,  I created a backup of the files that I felt were causing the issues.  I also found 1433 files that had been encrypted with an AES algorithm. Uh oh, not good!

Files from c:\programdata\local\ –  (hidden)

  • aescryptor.exe
  • svchost.exe
  • undxkpwvlk.dll
  • vpkswnhisp.dll

Files from c:\decrypt — (hidden)

  • decrypt.exe

File downloaded from remote website

  • sys100s.exe
(Image: SYS100s.exe Ransomware Installer)

File from user desktop

  • “how to decrypt aes files.lnk”  points to c:\decrypt\decrypt.exe

I also found that the IP address had been changed to a 172.x.x.x address and default gateway was removed.

I launched the registry editor and found all references to the above files.  The process loading the ransomware is the svchost.exe that was created in the user profile folder.  Renaming the files remedied the issue with the application loading.  However, nothing I could do would let me change the IP address.  It’s at this point that I decided to test out the decrypt.exe file.  When launched I received the following screen where I could put in the “purchased” recovery key should I have decided to give in to the ransom.  This wasn’t going to happen as you’re not guaranteed that you’ll receive your code!
(Image: ACCDFISA Ransomware Screen)

I decided to reload the server, but I still wanted to know “how did this load?” I knew the username that the application was loaded from, so I started by looking through the user’s IE history. There it was, a single entry in the history to an .exe on a webserver somewhere. Unfortunately, I didn’t write this URL down.  I found the file in the internet cache and was able to make a copy. Nice! Now, why did she go to this…..  Oh no.  I realized at this point that her account had to have been compromised.  I began digging through the security log on the server and there it was, right there.  There was a logon entry for the user just two minutes before the AES encryption began.  The next log entry provided what I feared!!  The successful logon was from IP address 178.178.3.169, or wimax-client.yota.ru!!  The account had been compromised.  The password was complex and was something that could not have been acquired through a dictionary attack.  Furthermore, there were NO failed logon attempts from this account in the event logs.  Someone was able to get the password and get it right the first time!!!

I notified the IT support for this employee’s home office and the computer was put offline for analysis.  I’m putting my chips on the guess that there is a key logging Trojan on this employee’s PC.
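The log review described in this post, and the “successful login with no failed attempts beforehand” pattern the removal notes above call out, as an added example that is not part of either post. It pulls Security-log logon events (4624 success, 4625 failure) for a window ending when the .aes files started appearing, reads user, logon type and source address from the event data rather than the English message text, and then reports, per source address, the first successful logon and how many failures preceded it from that address. The timestamp and the window length are assumptions; take the real start time from the LastWriteTime of the earliest .aes file. It must run elevated to read the Security log.

```powershell
# Added example, not from either post: correlate logon events with the time
# the archives appeared. The timestamp and 24-hour window are assumptions.
$encryptionStart = Get-Date "2012-02-20 14:32:00"   # assumed; use the first .aes file's time
$window          = New-TimeSpan -Hours 24

$filter = @{
    LogName   = "Security"
    Id        = 4624, 4625
    StartTime = $encryptionStart - $window
    EndTime   = $encryptionStart.AddMinutes(5)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"Logon events in window: $($events.Count)"

# Positions of the fields in the 4624/4625 event data on Server 2008 R2. Using
# them is locale-independent, unlike a regex over the Message text.
$logonTypes = @{ 2 = "Interactive"; 3 = "Network"; 7 = "Unlock"; 10 = "RemoteInteractive (RDP)" }
$rows = foreach ($e in $events) {
    $p = $e.Properties
    if ($e.Id -eq 4624) {
        $user = $p[5].Value; $type = [int]$p[8].Value;  $ip = $p[18].Value; $ok = $true
    } else {
        $user = $p[5].Value; $type = [int]$p[10].Value; $ip = $p[19].Value; $ok = $false
    }
    # Skip machine accounts and logons with no network source (local, system).
    if ($user -like '*$' -or $ip -eq "-" -or $ip -eq "127.0.0.1" -or $ip -eq "::1") { continue }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        User      = $user
        Success   = $ok
        SourceIP  = $ip
        LogonType = $(if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "$type" })
    }
}
$rows = @($rows | Sort-Object Time)
$rows | Format-Table Time, User, Success, LogonType, SourceIP -AutoSize

# Per source address: first success and the failures that preceded it. A remote
# address that succeeds on its first try against a complex password is the
# stolen-credential pattern, not a guessing attack.
$rows | Group-Object SourceIP | ForEach-Object {
    $g = $_
    $firstOk = $g.Group | Where-Object { $_.Success } | Sort-Object Time | Select-Object -First 1
    if (-not $firstOk) { return }
    $failsBefore = @($g.Group | Where-Object { -not $_.Success -and $_.Time -lt $firstOk.Time }).Count
    $rdns = "(no reverse DNS)"
    try { $rdns = [System.Net.Dns]::GetHostEntry($g.Name).HostName } catch { }
    "{0,-16} {1,-30} first success {2:u} as {3} ({4}), failures before it: {5}" -f `
        $g.Name, $rdns, $firstOk.Time, $firstOk.User, $firstOk.LogonType, $failsBefore
}
```

Logon type 10 (RemoteInteractive) is what a Remote Desktop or RemoteApp session produces, which is the access path the application server in this post exposed; logon type 3 from an outside address against a published share or RPC endpoint is worth the same scrutiny. If the Security log has already rolled over, the same correlation can be run on the exported copy with `Get-WinEvent -Path exported.evtx` in place of the `-FilterHashtable` call.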

Now, back to the server.  I decided to reload the server as it only hosts two applications for remote users.  The AES encrypted files were random files on the server that the compromised user account had rights to.  Everything was easily recoverable once the system was reloaded. We spent four hours on the reload and made changes to the firewall so that the published applications were accessible to specific addresses only.

What can you do with the AES files?  Well, I’m gonna say that there’s nothing you can do without the encryption key. Hopefully, you have a good backup!

 

UPDATE:

It looks like it’s now being detected by F-Secure, BitDefender, and GData as Gen:Trojan.Heur.TP.bqW@b4F!vWj.  Symantec is detecting it as Suspicious.Cloud.5!!

UPDATE 2/23/2012 – 8:13PM

Microsoft is now detecting it.  Microsoft Malware Protection Center

(Image: Screen being detected by Microsoft)

 

 

Receiving the winmail.dat attachment?

The problem!

Over the past few months, we have seen several of our clients receive the ol’ winmail.dat attachment. Try as they might, they can’t open it. Frustration over the inability to open the email has even led several users to download some of the spam-ware applications claiming to open any file type. We know what happens then…

So, what is happening here?

From what we’ve been able to determine, the attachment appears when Outlook sends the message in Rich Text Format: Outlook wraps an RTF message in a TNEF container, and a mail client on the receiving side that does not understand TNEF shows that container as a winmail.dat attachment instead of the message body. I’m placing the blame on Outlook because it decides on its own whether to use RTF or HTML formatting for the message content.

Troubleshooting

We spent a lot of time digging into the problem. We tried making changes as recommended in Microsoft Knowledgebase Article Q138053 but with no success. We’ve tried changing the formatting in Outlook but this seems to be ignored also.  We had come under the gun a couple of times because we maintain the receiving Exchange servers. Spending countless hours updating settings in the servers we managed pushed me to think the issue could reside on the sender’s side. There was one thing that caught our eyes in the Microsoft KB article: you could adjust the message type based upon contacts.  Contacts?  According to quite a few of our customers, contacts are the names that automatically drop down when you start typing a person’s email address!! This gave us an idea and led us to the solution.

How do you fix it?

We all love the cached contacts that Microsoft graciously implemented in Outlook. I use it every day as do all Outlook users. It looks to me that maybe somewhere, the formatting of the email is being maintained along with the cached address.  We can’t delete the NK2 file or flush the complete cache. So, how about removing the problem recipient’s cached address?

  1. Open a new email message.
  2. Begin typing the problem recipient’s address until you see it listed in the drop-down.
  3. Use the cursor keys until the address is highlighted.
  4. Press the delete key on the keyboard to remove the address.
  5. Now, type the full email address in the TO field.
  6. Finish e-mail and Send.

Your message should now be in the problem recipient’s mailbox, in its proper format.

Your Ideas

Please feel free to comment if you can shed any more light on this subject.