Wednesday, July 17, 2019

CCleaner Browser

Preview the new CCleaner Browser

The fast, private and secure browser for Windows, from the makers of CCleaner

Download

Monday, July 15, 2019

Emsisoft Decrypter for Ims00rry

The Ims00rry ransomware encrypts files using AES-128 and does not add an extension. Instead, the text "---shlangan AES-256---" is prepended to the file contents. The victim is asked to contact the criminals on Telegram at @Ims00rybot.
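
Because Ims00rry leaves the file name alone and only prepends a fixed marker, the marker itself is the quickest way to find out which files are affected before running the decrypter. The following PowerShell script is an added example, not part of this post or of Emsisoft's tool; the marker text is taken from the description above, while the `$Root` parameter and the function name are this example's own choices.

```powershell
# Added example, not part of the post or of Emsisoft's tool: list files that
# begin with the Ims00rry marker so the scope of an infection is known before
# the decrypter is run. The marker text is taken from the post; $Root and the
# function name are this example's own.
param([string]$Root = "$env:USERPROFILE")

function Find-Ims00rryFiles {
    param([Parameter(Mandatory)][string]$Path)

    $marker      = '---shlangan AES-256---'
    $markerBytes = [System.Text.Encoding]::ASCII.GetBytes($marker)
    $buffer      = New-Object byte[] $markerBytes.Length

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # A file shorter than the marker cannot carry it
            if ($_.Length -lt $markerBytes.Length) { return }
            try {
                $fs = [System.IO.File]::OpenRead($_.FullName)
                try     { $read = $fs.Read($buffer, 0, $buffer.Length) }
                finally { $fs.Dispose() }
            } catch {
                return   # locked or unreadable; skip it rather than abort the scan
            }
            # Only the leading bytes are read, so large files cost almost nothing
            $head = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
            if ($head -ceq $marker) {
                [PSCustomObject]@{
                    Path          = $_.FullName
                    Length        = $_.Length
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

$hits = @(Find-Ims00rryFiles -Path $Root)
$hits | Sort-Object LastWriteTime | Format-Table -AutoSize
Write-Host ("{0} file(s) carry the Ims00rry marker under {1}" -f $hits.Count, $Root)
```

Run it as `.\Find-Ims00rry.ps1 -Root D:\` (or any other path) from the account that owns the files. The comparison is case-sensitive (`-ceq`) so that a file which merely mentions the phrase in its first bytes is still only reported when it matches exactly; the sorted `LastWriteTime` column also gives a rough timeline of when the encryption ran.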

The ransom note "README" contains the following text:

I am sorry!!!

My friend. I want to start my own business, but i have no money.

All your files photos, databases, documents and other important are encrypted with strongest encryption and algorithms RSA 4096, AES-256.

If you want to restore your files payment and write to Telegram bot

Price decrypt software is $50.

Attention!!!

Do not rename or move the encrypted files.

Bitñoin wàllet:

1tnZbveCXmqRS1gfZSxztG5MbdJhptaqu

Contact Telegram bot:

@Ims00rybot

Detailed usage guide

Download

Sunday, July 14, 2019

Softpedia Software of the Week: Rufus

Create bootable USB drives from ISOs with an operating system of your choice, with various options, including ones that enhance compatibility with old BIOS versions.

Download Rufus

Here are the steps and settings for creating a bootable Windows 10 installer:

  • Device - Select a USB drive of at least 8 GB
  • Boot selection - Locate your Windows iso file
  • Partition scheme - Select MBR
  • Target system - BIOS (or UEFI-CSM)
  • File system - Choose NTFS

Click the START button

Rufus with settings used in creating a bootable Windows 10 installer

Click OK on the next dialog

Finished bootable USB drive tested with QEMU on Windows 7.

Known Problems with Most Common AV's

Here is an interesting read at Malwaretips.

Another thread I thought about (wow Robbie you're on fire today!). Share a fact about the AV you use or about an AV you heard of that has specific problems or facts that need to be known before installing. The purpose of this is to let users know what kind of issues or scenarios they will face when installing X antivirus.

Avast/AVG:
  • Telemetry/privacy issues
  • Hardware virtualization for DeepScreen and CyberCapture conflicts with VMware, VirtualBox and Windows Sandbox
  • Transient caching slows down the machine

Monday, July 8, 2019

Malware Removal 101: Eris Ransomware

Just like any other ransomware, Eris is easy to remove; the only problem is decrypting your files, since no decrypter is available to date.

I didn't test numerous antivirus products, just two: Kaspersky Cloud Security and 360 Total Security Essentials.

Ransomware running in memory

Kaspersky Cloud Security

  • Quick Scan terminated and deleted the malware

360 Total Security Essentials

  • Malware is detected and deleted as soon as 360 TSE is enabled.


Note:  Eris creates no entries in the Startup folder or in HKLM/HKCU\...\Run.  I have to point this out because the majority of removal instructions I've seen are just templates written without an actual ransomware sample to work with; they tell you to find entries (keys) made by the malware in the registry.
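
The claim above is easy to verify on your own sample rather than trusted from a template: snapshot the autostart locations before the sample runs, snapshot them again afterwards, and diff the two. The PowerShell below is an added example, not part of this post; the function names are this example's own, and the key and folder paths are the standard Windows autostart locations.

```powershell
# Added example, not part of the post: snapshot the autostart locations the
# post says Eris leaves untouched (Startup folders and the Run/RunOnce keys),
# so the claim can be checked on your own sample instead of a removal
# template. Function names are this example's own.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these bookkeeping properties to every result;
    # filter them by exact name so a real value starting with "PS" is kept
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            [PSCustomObject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users Startup folders
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($f in $folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        Get-ChildItem -LiteralPath $f -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { [PSCustomObject]@{ Location = $f; Name = $_.Name; Command = $_.FullName } }
    }
}

function Get-AutostartSnapshot {
    @(Get-RunKeyEntries) + @(Get-StartupFolderEntries)
}

# Take one snapshot before the sample runs and one afterwards, then diff them:
#   $before = Get-AutostartSnapshot
#   ... run the sample in the sandbox ...
#   $after  = Get-AutostartSnapshot
#   Compare-Object $before $after -Property Location, Name, Command
Get-AutostartSnapshot | Format-Table -AutoSize
```

An empty result from `Compare-Object` means nothing was added or removed in those locations, which is what the note above reports for Eris. Persistence can of course live elsewhere (scheduled tasks, services, WMI subscriptions), so an empty diff rules out only the locations listed here.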

Startup entries while ransomware is active
 
You can use any antivirus/antimalware as long as it's updated and can detect Eris.

Sunday, July 7, 2019

Eris Ransomware

Eris Ransomware

Virustotal

This is a new ransomware.  The sample was allowed to run in a sandboxed environment.  Encryption is fast: it encrypted almost all of my documents on drive C: within a minute of the sample running.

Removal is easy, just do a full scan with an updated antivirus/antimalware (refer to virustotal.com for a list of programs that can detect Eris ransomware).

Decryption is another story.  Although I've seen many sites with instructions on how to decrypt Eris, I doubt that any of them really works.

Ransomware Readme

Documents encrypted by Eris Ransomware
Original document file size is reduced to zero bytes after encryption

Encrypted document

Notes:  

  • Ransomware sample is detected by Kaspersky Security Cloud.  Sample was tested with AV disabled
  • AppCheck wasn't able to detect the encryption
  • After the test, Recuva failed to recover any encrypted documents

Saturday, July 6, 2019

Free Ransomware Decryption Tools

Here is a list of ransomware decryption tools provided by antivirus developers.  It's sad that decryption tools can't keep pace with the growing number of ransomware families.

Thursday, July 4, 2019

Malware Prevention: Autoit3 worms

Here is a script I wrote almost one year ago.  Its purpose is to immunize (block) AutoIt3 worms that disguise themselves as GoogleChrome, Firefox and Skype.  It's been almost a year and I still encounter this on customers' flash drives.

What it does is create four folders namely:

  • GoogleChrome
  • MozillaFirefox
  • Skypee
  • Skype

and locks them so the worm no longer has access to those folders.

Folder used by worm with denied Full control

Copy and paste the following into Notepad and save it as Immunize.bat.
Change the Drive variable if you want to immunize your external/USB drives as well.

--------------------

@ECHO OFF

REM Replace Drive=*: with the appropriate drive letter
SET Drive=C:

REM Switch to that drive so everything below operates on it
%Drive%

CLS
ECHO Immunize against GoogleChrome, MozillaFirefox and Skype (AutoIt3 worms)
ECHO By WinXPert (7/09/2018)
ECHO https://www.facebook.com/groups/pinoytechrambo
ECHO https://www.facebook.com/groups/CTExperts.PH/
ECHO.
ECHO IMMUNIZING Drive %Drive%
ECHO.
PAUSE

REM For each name the worm uses: create the folder, mark it hidden+system,
REM drop inherited permissions and deny Full control to Everyone and
REM ANONYMOUS LOGON, so the worm cannot write its copy into that folder.
MD "%Drive%\GoogleChrome"
ATTRIB +h +s /s /d "%Drive%\GoogleChrome"
icacls "%Drive%\GoogleChrome" /inheritance:r /deny "Everyone:(OI)(CI)(F)" "ANONYMOUS LOGON:(OI)(CI)(F)"

MD "%Drive%\MozillaFirefox"
ATTRIB +h +s /s /d "%Drive%\MozillaFirefox"
icacls "%Drive%\MozillaFirefox" /inheritance:r /deny "Everyone:(OI)(CI)(F)" "ANONYMOUS LOGON:(OI)(CI)(F)"

MD "%Drive%\Skypee"
ATTRIB +h +s /s /d "%Drive%\Skypee"
icacls "%Drive%\Skypee" /inheritance:r /deny "Everyone:(OI)(CI)(F)" "ANONYMOUS LOGON:(OI)(CI)(F)"

MD "%Drive%\Skype"
ATTRIB +h +s /s /d "%Drive%\Skype"
icacls "%Drive%\Skype" /inheritance:r /deny "Everyone:(OI)(CI)(F)" "ANONYMOUS LOGON:(OI)(CI)(F)"

PAUSE

--------------------

Remember a byte of prevention is worth a megabyte of cure.
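
After running Immunize.bat it is worth confirming that each folder really ended up hidden, system, with inheritance removed and with the two Deny ACEs in place, since a typo in a quoted path makes MD or icacls fail silently in a batch file. The PowerShell below is an added example and not the post's script; the folder names and the intended ACL come from the batch file above, while the `$Drive` parameter and the function names are this example's own. It compares SIDs (S-1-1-0 for Everyone, S-1-5-7 for ANONYMOUS LOGON) rather than display names so it works on non-English Windows too.

```powershell
# Added example, not the post's script: check that the immunization folders
# exist, are hidden+system, have inheritance removed and carry a Deny
# Full control ACE for Everyone (S-1-1-0) and ANONYMOUS LOGON (S-1-5-7).
# Folder names and ACL come from the batch file; $Drive and the function
# names are this example's own.
param([string]$Drive = 'C:')

$ImmunizeFolders = 'GoogleChrome', 'MozillaFirefox', 'Skypee', 'Skype'

function Test-DenyFullControl {
    # True when the ACL holds a Deny ACE granting FullControl to the given SID
    param($Acl, [string]$Sid)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        try   { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID that cannot be resolved
        if ($aceSid -ne $Sid) { continue }
        if (($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

function Test-ImmunizedFolder {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Path = $Path; Exists = $false; HiddenSystem = $null
                                  InheritanceOff = $null; DenyEveryone = $null; DenyAnonymous = $null }
    }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    $hiddenSystem = (($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0) -and
                    (($attrs -band [System.IO.FileAttributes]::System) -ne 0)
    $acl = Get-Acl -LiteralPath $Path
    [PSCustomObject]@{
        Path           = $Path
        Exists         = $true
        HiddenSystem   = $hiddenSystem
        InheritanceOff = $acl.AreAccessRulesProtected
        DenyEveryone   = Test-DenyFullControl -Acl $acl -Sid 'S-1-1-0'
        DenyAnonymous  = Test-DenyFullControl -Acl $acl -Sid 'S-1-5-7'
    }
}

$ImmunizeFolders |
    ForEach-Object { Test-ImmunizedFolder -Path (Join-Path "$Drive\" $_) } |
    Format-Table -AutoSize
```

Run it from the same elevated account that ran Immunize.bat: the Deny ACE for Everyone also blocks reading the ACL, and only the folder's owner (the creating administrator) keeps the implicit right to read and change it. Every column should show True for all four folders; a False in InheritanceOff or DenyEveryone means the icacls line for that folder did not take effect.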

All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. 
Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!