THURSDAY JUNE 1 2006 8:00 PM

Extortion Virus Password Cracked

A new breed of douchebag is making a new breed of computer virus. This one encrypts all the files on an infected machine and instructs the user to pay a ransom (by purchasing drugs from an online pharmacy -- I am not making this up) or face deletion.

However, at least one password for the hijacked files has been uncovered and published by the BBC.

Analysis of Archiveus has revealed that the password to unlock the file containing all the hijacked files is contained within the code of the virus itself.

This virus swaps files found in the "My Documents" folder on Windows with a single file protected by a 30-digit password. Victims are only told the password if they buy drugs from one of three online pharmacies.

The 30-digit password locking the files is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". Using the password should restore all the hijacked files.

There isn't any information in the story about how the password is generated, but if these extortionists had any sense, they'd have coded the virus to generate a unique password per machine, e.g. by hashing something unique to the target machine. If these idiots created just one master password that never changes, they're even more stupid than the average script kiddie.
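As an added illustration of why a single embedded master password is such a weak design (example code written for this page, not anything from the virus or the BBC analysis): an analyst with a copy of the binary can pull such a string straight out of it with a scan like the one below. The sample bytes are constructed here; the only real value in it is the password quoted above, and the 30-character minimum comes from the article's description.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# The password the BBC analysis found inside the Archiveus code (quoted on this page).
PUBLISHED_KEY = "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"

# Constructed stand-in for a binary: junk bytes, two ordinary message strings
# that a plain `strings` run would also print, and the key stored once as
# ASCII and once as UTF-16LE (how Windows programs usually hold wide strings).
JUNK = bytes(range(0x80, 0x100))
SAMPLE = (
    b"MZ\x90\x00" + JUNK
    + b"\x00Could not open the specified archive file\x00"
    + b"\x00Error 0x80070002: the file could not be found\x00"
    + PUBLISHED_KEY.encode("ascii") + b"\x00" + JUNK
    + PUBLISHED_KEY.encode("utf-16le") + b"\x00\x00"
    + b"\x00This program cannot be run in DOS mode\x00"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score higher than prose."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def key_candidates(blob: bytes, min_len: int = 30) -> List[Tuple[str, str, float]]:
    """Find printable runs of at least min_len chars that contain both letters
    and digits and no whitespace. Returns (encoding, string, entropy) in the
    order found, ASCII runs first, then UTF-16LE runs."""
    patterns = (
        ("ascii", rb"[\x20-\x7e]{%d,}" % min_len),
        ("utf-16le", rb"(?:[\x20-\x7e]\x00){%d,}" % min_len),
    )
    hits = []
    for enc, pat in patterns:
        for m in re.finditer(pat, blob):
            s = m.group().decode(enc)
            # Drops "Error 0x80070002: ..." (has spaces) and plain message
            # text (no digits); a long, mixed, space-free run survives.
            if re.search(r"[A-Za-z]", s) and re.search(r"\d", s) and not re.search(r"\s", s):
                hits.append((enc, s, round(shannon_entropy(s), 2)))
    return hits


if __name__ == "__main__":
    for enc, s, ent in key_candidates(SAMPLE):
        print(f"{enc:9} entropy={ent:.2f} {s}")
```

The entropy column is only a ranking aid: a hard-coded key tends to score near the maximum for its alphabet, while version strings and URLs score lower.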

Comments
malkav11
JUN 02, 2006 01:30 AM

So, basically, another reason not to use My Documents. As if one needed more.

ZPO
JUN 02, 2006 05:39 AM

The keys to using a single embedded password are simplicity and lack of a required 2-way communications channel between extortionist and victim.

With this method, all the extortionist has to do is send the key to anyone who purchases the required item(s) from the site. It could even be easily automated with a couple of scripts and left running on a compromised host.

Unique keys would require communicating the unique hash value (MAC address maybe) to the extortionist. Given that we're talking about users that believed a web-based AV popup, I don't think depending on them to type in a hash code properly is a good idea. Perhaps the screen message could display the code, but again - more complexity.

Alepheuo
JUN 04, 2006 02:12 AM

This is how DVD copies of Gigli were sold

James_
JUN 04, 2006 10:12 AM

AlephAlfa said:
This is how DVD copies of Gigli were sold

I hear most people just bought new computers.

Snottlebocket
JUN 04, 2006 10:39 AM

Aw, Wil Wheaton went grey? That's a shame; he was one of the better editors we had over the past year.

Bastardo
JUN 04, 2006 11:13 AM

Oh snap!