Wednesday, July 17, 2019

CCleaner Browser

Preview the new CCleaner Browser

The fast, private and secure browser for Windows, from the makers of CCleaner


Download

Monday, July 15, 2019

Emsisoft Decrypter for Ims00rry

The Ims00rry ransomware encrypts files using AES-128 and does not add an extension. Instead, the text "---shlangan AES-256---" is prepended to the file contents. The victim is asked to contact the criminals on Telegram at @Ims00rybot.

The ransom note "README" contains the following text:

I am sorry!!!

My friend. I want to start my own business, but i have no money.

All your files photos, databases, documents and other important are encrypted with strongest encryption and algorithms RSA 4096, AES-256.

If you want to restore your files payment and write to Telegram bot

Price decrypt software is $50.

Attention!!!

Do not rename or move the encrypted files.

Bitñoin wàllet:

1tnZbveCXmqRS1gfZSxztG5MbdJhptaqu

Contact Telegram bot:

@Ims00rybot
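As an added example (not part of the original post or of Emsisoft's decrypter), a small Python triage scanner that identifies files carrying the prepended marker quoted above, so the affected files can be counted before running the decrypter. The sample files it scans are constructed in a temporary directory; the marker is the only identifier taken from the post.

```python
# Added example, not the post's own tool: find files that start with the
# marker Ims00rry prepends. The ransomware keeps the original extension, so
# the file header is the only reliable sign that a file was encrypted.
import os
import tempfile
from pathlib import Path

IMS00RRY_MARKER = b"---shlangan AES-256---"   # marker quoted in the post


def is_ims00rry_encrypted(path: Path) -> bool:
    """True if the file begins with the Ims00rry marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(IMS00RRY_MARKER))
    except OSError:
        return False
    return head == IMS00RRY_MARKER


def find_encrypted_files(root: Path) -> list:
    """Walk root and return every marked file, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_ims00rry_encrypted(p):
                hits.append(p)
    return sorted(hits)


def build_sample_tree() -> Path:
    """Constructed sample data: two 'encrypted' files, two untouched ones."""
    root = Path(tempfile.mkdtemp(prefix="ims00rry-demo-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_bytes(IMS00RRY_MARKER + b"\x8a\x13ciphertext")
    (root / "photo.jpg").write_bytes(IMS00RRY_MARKER + b"\x00\x7fciphertext")
    (root / "notes.txt").write_bytes(b"plain text, never touched")
    (root / "README").write_bytes(b"I am sorry!!!\n")   # the ransom note itself
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_encrypted_files(sample_root):
        print("encrypted:", hit.relative_to(sample_root))
```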


Detailed usage guide

Download

Sunday, July 14, 2019

Softpedia Software of the Week: Rufus

Create bootable USB drives from ISOs with an operating system of your choice, with various options, including to enhance compatibility with old BIOS versions

Download Rufus

Here are the steps and settings in creating a bootable Windows 10 installer


  • Device - Select a USB drive of at least 8 GB
  • Boot selection - Locate your Windows iso file
  • Partition scheme - Select MBR
  • Target system - BIOS (or UEFI-CSM)
  • File system - Choose NTFS

Click the START button

Rufus with settings used in creating a bootable Windows 10 installer

Click OK on the next dialog



Finished bootable USB drive tested with QEMU on Windows 7.



Known Problems with Most Common AV's

Here is an interesting read at Malwaretips.

Another thread I thought about (wow Robbie you're on fire today!). Share a fact about the AV you use or about an AV you heard of that has specific problems or facts that need to be known before installing. The purpose of this is to let users know what kind of issues or scenarios they will face when installing X antivirus.

Avast/AVG:
  • Telemetry/privacy issues
  • Hardware virtualization for DeepScreen and CyberCapture conflicts with VMware, VirtualBox and Windows Sandbox
  • Transient caching slows down the machine

Monday, July 8, 2019

Malware Removal 101: Eris Ransomware

Just like any other ransomware, Eris is easy to remove; the only problem is decrypting your files, since no decrypter is available to date.

I didn't test numerous antivirus products, just two: Kaspersky Cloud Security and 360 Total Security Essentials.

Ransomware running in memory

Kaspersky Cloud Security

  • Quick Scan terminated and deleted the malware

360 Total Security Essentials

  • Malware is detected and deleted as soon as 360 TSE is enabled.


Note:  There are no changes created by Eris in the Startup folder nor in HKLM/HKCU\...\Run.  I have to point this out because the majority of removal instructions I've seen are just using templates without having an actual ransomware sample to work with.  They give instructions to find entries (keys) made by the malware in the registry.

Startup entries while ransomware is active
 
You can use any antivirus/antimalware as long as it's updated and can detect Eris.

Sunday, July 7, 2019

Eris Ransomware



Virustotal

This is a new ransomware.  The sample was allowed to run in a sandboxed environment.  Encryption is fast: it encrypted almost all of my documents on drive C: in under a minute of the sample running.

Removal is easy, just do a full scan with an updated antivirus/antimalware (refer to virustotal.com for list of programs that can detect Eris ransomware).

Decryption is another story.  Although I've seen many sites with instructions on how to decrypt Eris, I doubt that any of them really work.

Ransomware Readme

Documents encrypted by Eris Ransomware
The original document's file size is reduced to zero bytes after encryption

Encrypted document

Notes:  

  • Ransomware sample is detected by Kaspersky Security Cloud.  Sample was tested with AV disabled
  • AppCheck wasn't able to detect the encryption
  • After the test, Recuva failed to recover any encrypted documents

Saturday, July 6, 2019

Free Ransomware Decryption Tools

Here is a list of ransomware decryption tools provided by antivirus developers.  It's sad that decryption tools can't keep pace with the growing number of ransomware. 

Thursday, July 4, 2019

Malware Prevention: Autoit3 worms

Here is a script I wrote almost one year ago.  Its purpose is to immunize (block) AutoIt3 worms that disguise themselves as GoogleChrome, Firefox and Skype.  It's almost a year later and I still encounter this on customers' flash drives.

What it does is create four folders namely:

  • GoogleChrome
  • MozillaFirefox
  • Skypee
  • Skype

and locks them so the worm no longer has access to those folders.

Folder used by worm with denied Full control

Copy and paste the following into Notepad and save it as Immunize.bat.
Change the Drive variable if you want to immunize your external/USB drives as well.

--------------------

@ECHO OFF

REM Replace Drive=C: with the appropriate drive letter (for example Drive=F: for a USB drive)
SET Drive=C:
%Drive%

CLS
ECHO Immunize against GoogleChrome, MozillaFirefox and Skype (AutoIt3 worms)
ECHO By WinXPert (7/09/2018)
ECHO https://www.facebook.com/groups/pinoytechrambo
ECHO https://www.facebook.com/groups/CTExperts.PH/
ECHO.
ECHO IMMUNIZING Drive %Drive%
ECHO.
PAUSE

REM For each folder name the worms use: create it, mark it hidden+system,
REM strip inherited permissions, then deny Everyone and ANONYMOUS LOGON
REM full control so the worm can no longer write its files there.
FOR %%F IN (GoogleChrome MozillaFirefox Skypee Skype) DO (
    MD "%Drive%\%%F"
    ATTRIB +h +s /s /d "%Drive%\%%F"
    icacls "%Drive%\%%F" /inheritance:r /deny "Everyone:(OI)(CI)(F)" "ANONYMOUS LOGON:(OI)(CI)(F)"
)

PAUSE

--------------------

Remember a byte of prevention is worth a megabyte of cure.

All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. 
Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!

Saturday, June 1, 2019

Terminating Processes Using UVK

Here's a situation: you have malware, but your antivirus can't remove it and the malware keeps coming back.  Since the majority of computer users don't know how to manually terminate a malware process, here's a simple way to do that using Ultra Virus Killer.

First launch UVK and click Process Manager.


Click on Kill all processes.


Select any of the four selections and click Kill processes.  Sometimes selecting Kill all non system processes will do the trick.


Click yes to continue.



After that, you can perform a Full Scan of your PC using an updated antivirus.  Also scan your infected external drives.

Tuesday, May 28, 2019

Malware Removal 101: Ramnit

This is a manual malware removal instruction for this specific strain of ramnit.

Virustotal

What it does:

Creates four shortcuts at the root directory of your external drive.  Makes multiple copies of the malware in the RECYCLER folder.



Creates a file at the Startup folder.  Starts with Windows.


Manual Removal


This strain of ramnit launches itself via the default browser

1.  Terminate the browser's running process using System Explorer


2.  Go to the Autoruns tab and delete the startup entry


3.  Delete the ramnit shortcuts as well as the RECYCLER folder.


4.  Perform a full scan using an updated antivirus


Wednesday, May 8, 2019

Malware Removal 101: Worm (Files.bat)

I got this sample a few days ago from a customer's USB drive:

Virustotal


User's files and folders are replaced with shortcuts.  Files are hidden and moved to Files folder.

Manual Removal

Using System Explorer, terminate the running malware process.  If you have multiple running instances of the worm, select the parent process and End Process Tree instead.



Locate the files using CCleaner.  Select Start.lnk | Right click and click on File Directory Explore.


Delete all files including the parent folder.


Using Explorer, delete the shortcut on your USB drive.


Unhiding the files.  You can use Attrib or Explorer.

  • Attrib
Launch CMD and type the following:

drive:
CD \
ATTRIB -S -H /S /D

Replace drive: with the corresponding drive letter of your USB drive, e.g. F: (typing the drive letter alone switches to that drive; CD \ then moves to its root so ATTRIB processes the whole drive).

  • Explorer
At Folder Options enable Show hidden files, folders and drives

Navigate to Files folder

Move all files and folders to your root directory


Select all hidden folders and unhide using Properties



Delete Files folder



Back at System Explorer delete Start.lnk



Note:  If you have multiple instances of the malware running in memory, do not use TaskMan to terminate its process because there is a chance that your PC would reboot.  Use System Explorer instead.  Suspend all processes first then end them one by one.



POST:  Scan your system and USB drives with an updated Antivirus.


Sunday, May 5, 2019

Malware Removal 101: Facebook Worm

I think you are familiar with this post.



Your PC would only be affected if you do the following:
  • You clicked and downloaded the file.  (The sample I got is video_68080.bz.  Note that filename may vary)
  • You extracted or clicked on the archive and launch the file (play_29732727.mp4.com)

Correction:  It's a .com file.



Running the worm creates the following files.


Starts with Windows via registry entry.


What it does is publish "Wow" video posts in different Facebook groups without the user's knowledge.

Other changes in the registry:

Keys added: 
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations
HKU\S-1-5-21-628660338-905938160-2927024020-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKU\S-1-5-21-628660338-905938160-2927024020-1000\Software\Unzip

Values added: 
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes: ".exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ggle Updater: "C:\Users\Arnel\AppData\Roaming\Arnel\app.exe"

Files added: 
C:\Users\Arnel\AppData\Roaming\Arnel\7za.exe
C:\Users\Arnel\AppData\Roaming\Arnel\app.exe
C:\Users\Arnel\AppData\Roaming\Arnel\background.js
C:\Users\Arnel\AppData\Roaming\Arnel\config.json
C:\Users\Arnel\AppData\Roaming\Arnel\files.7z
C:\Users\Arnel\AppData\Roaming\Arnel\manifest.json
C:\Users\Arnel\AppData\Roaming\Arnel\update-x64.exe
C:\Users\Arnel\AppData\Roaming\Arnel\update-x86.exe

Folders added: 
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2LXBY3LA
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2YQU29T2
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5KFJB9OR
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZL3SUC12
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Arnel\AppData\Local\Temp\Low
C:\Users\Arnel\AppData\Roaming\Arnel


Note:  I got this error message because I don't have Chrome on my PC.  Plus I had to turn off my antivirus because the worm is detected by McAfee Internet Security and never got past the extraction stage.


Removal Instructions:


Terminating the running process:



Note:  Since I am testing this malware, I'll be terminating the file I've run.  Terminate app.exe instead, since it's the file that starts with Windows.

Let's use CCleaner to remove the worm.

  • Launch CCleaner
  • Go to Tools | Startup
  • Highlight Ggle Update
  • Right Click and Select Open Containing Folder
  • Still on CCleaner, click on Delete button on the right



At Explorer, select all files and delete.


Restart your computer.

On boot scan with an updated antivirus.

POST:  Clean your temps

I'll try to run this file on Windows 10 and report the changes it made on this OS.

Saturday, May 4, 2019

Malware Removal 101: Rotinom

Problem:  Drive C is running out of disk space every time you insert an external HDD or a USB drive?  Chances are you are infected with Rotinom.

Virustotal

What it does to your computer:


  • Starts with windows

  • Copies all files from the USB drive to a Rotinom folder on drive C:, thus reducing its free space.

  • Infects USB or external drives.  Hides all folders and replaces them with shortcuts.
Notice the difference in the icons.


Changes in the registry:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Value: C:\Users\admin\AppData\Local\Start

Manual Removal Instruction:


  • Since TaskMan is not disabled, we can use it to terminate update.exe.

  • Navigate to "%LocalAppData%\Start" and delete update.exe
  • Search for the Rotinom folder.  The easiest way to do that is to search using Everything.

  • Delete the folder.  Also delete its parent folder.  Empty your Recycle Bin.



Cleaning USB and external drives:

  • Delete all files associated with Rotinom.  All *.exe files with folder icon and also the Usb 2.0 Driver folder.


POST:

  • Scan with an updated Antivirus/Antimalware.
  • Unhide files and folders at the CMD prompt.
        ATTRIB -S -H /S /D

  • Repair the registry.  Replace the Startup value that Rotinom redirected to %LocalAppData%\Start with the default shown below.

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Name: Startup
Value: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Name: Startup
Value: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu
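As an added example (not part of the original post), a Python audit of the two Explorer Startup values that Rotinom redirects. The heuristic is my own assumption: a per-user Startup folder legitimately lives under the user's Start Menu directory, so any Startup path outside it (such as the %LocalAppData%\Start path quoted above) is reported. Reading the live registry uses the standard winreg module and only works on Windows; elsewhere the script audits a constructed copy of the values from the post.

```python
# Added example, not the post's own tool: flag a hijacked Explorer Startup
# shell folder. The pure check runs anywhere; the registry read is Windows-only.
import os
import sys

try:
    import winreg  # Windows only; None elsewhere so the check still imports
except ImportError:
    winreg = None

EXPLORER_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
)


def startup_folder_is_suspicious(value: str) -> bool:
    """Assumed heuristic: a legitimate Startup folder sits under
    ...\\Microsoft\\Windows\\Start Menu\\...; anything else is a redirect."""
    expanded = os.path.expandvars(value).replace("/", "\\").lower()
    return r"\microsoft\windows\start menu" not in expanded


def read_startup_values() -> dict:
    """Read the Startup value from both HKCU Explorer keys (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    found = {}
    for subkey in EXPLORER_KEYS:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            value, _type = winreg.QueryValueEx(key, "Startup")  # REG_EXPAND_SZ stays unexpanded
            found[subkey] = value
    return found


def audit(values: dict) -> list:
    """Return the keys whose Startup value points outside the Start Menu."""
    return [k for k, v in values.items() if startup_folder_is_suspicious(v)]


if __name__ == "__main__":
    if sys.platform == "win32":
        current = read_startup_values()
    else:  # constructed sample mirroring the values quoted in the post
        current = {
            EXPLORER_KEYS[0]: r"C:\Users\admin\AppData\Local\Start",
            EXPLORER_KEYS[1]: r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu",
        }
    for bad in audit(current):
        print("Startup folder hijacked in HKCU\\" + bad + " -> " + current[bad])
```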
