Extortion virus code gets cracked

MURACU
June 2nd, 2006, 03:28 PM
Hi,
Here is a quick heads up. If anyone gets hit with this version of the virus you can try the password in the article. Of course the password can be changed, but it is a start. Could be interesting if some of our more qualified members could get a hold of a version and dissect it; it could be an interesting discussion. Here is the article; the source is the BBC website.

Extortion virus code gets cracked

To recover files, victims are asked to buy drugs online
Do not panic if your data is hidden by virus writers demanding a ransom.
Poor programming has allowed anti-virus companies to discover the password to retrieve the hijacked data inside a virus that has claimed at least one UK victim.
The Archiveus virus caught out British nurse Helen Barrow and swapped her data with a password-protected file.
The virus is the latest example of so-called "ransomware" that tries to extort cash from victims.

Code breaker

Analysis of Archiveus has revealed that the password to unlock the file containing all the hijacked files is contained within the code of the virus itself.

This virus swaps files found in the "My Documents" folder on Windows with a single file protected by a 30-digit password. Victims are only told the password if they buy drugs from one of three online pharmacies.

The 30-digit password locking the files is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". Using the password should restore all the hijacked files.

"Now the password has been uncovered, there should be no reason for anyone hit by this ransomware attack to have to make any payments to the criminals behind it," said Graham Cluley, senior technology consultant for security firm Sophos.
Archiveus was discovered on 6 May but it took the rest of the month for the first victim, Rochdale nurse Helen Barrow, to emerge.
Ms Barrow is thought to have fallen victim when she responded to an on-screen message warning her that her computer had contracted another unnamed virus. The virus asks those it infects to buy drugs on one of three websites to get their files back.
"When I realised what had happened, I just felt sick to the core," said Ms Barrow about the incident.
The Archiveus virus is only the latest in a series of malicious programs used by extortionists to extract cash from victims. Archiveus seems to use some parts of another ransoming virus called Cryzip that was circulating in March 2006.

dmorgan
June 2nd, 2006, 04:51 PM
Ok, I understand that international law and the internet can sometimes be tricky things, but there has to be a way to shut down companies that do this and put those responsible in jail. I may be missing something here, but it should be a simple matter of "they broke into my computer, stole (or at least made unavailable) my data, that's a crime".
I mean, the whole point of the virus is to send someone money. Just follow it.
Then again, maybe I am missing something.

MURACU
June 2nd, 2006, 05:03 PM
That is the question. I reckon that the so called companies are nothing more than a web page that links on to another site etc. Still I wonder what types of payment they accept. I doubt that anyone would be stupid enough to use their credit card :) .

jcjzbrfay
June 2nd, 2006, 08:24 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=275461#post903252) by MURACU
That is the question. I reckon that the so called companies are nothing more than a web page that links on to another site etc. Still I wonder what types of payment they accept. I doubt that anyone would be stupid enough to use their credit card :) .

My guess would be that the only payment accepted would be a credit card, and then the credit card would be "reused" by the baddies.

foxyloxley
June 2nd, 2006, 08:32 PM
any idea how much the 'ransom' is ?

and I for one would NOT use a CC on THOSE sites :p

.:front2back:.
June 2nd, 2006, 11:05 PM
This virus swaps files found in the "My Documents" folder on Windows


So seeing as I do not use the My Documents folder, and have pretty much disabled its usage on the work boxes, then if I had got infected by this it would not attack the c:\ d:\ or f:\ directories where all the good stuff is located?

Though I am curious as to why the maker of this ransomware only had it lock up the My Documents and not everything else?

f2B

hexadecimal
June 3rd, 2006, 12:53 AM
People who are less computer friendly put all their stuff in "my documents"... and being they are less computer friendly they tend to do what the screen tells them to do... instead of the other way around...

That's how I rationalize that... any other thoughts??

what "drugs" do you have to buy? and how would you get the password after you bought them?

ric-o
June 3rd, 2006, 05:37 AM
I've heard of some variants scanning all local drives found on the PC for MS Office docs (Word, Excel) and databases.

I would think that the law enforcement folks could just follow the money trail to find the attacker. I'm sure there's ways to make it harder to do but eventually someone's gonna get the $$ - and that's the one you nab.

brokencrow
June 3rd, 2006, 07:43 PM
Do not panic if your data is hidden by virus writers demanding a ransom.

Just boot to a linux cd and search for the hidden files.

dalek
June 3rd, 2006, 08:55 PM
Better yet, update your AV and install a Firewall or use the one that comes with WinXp, even better create a limited account for browsing, or in the victim's case lockdown IE or use another browser that won't get hijacked... :rolleyes:

prodikal
June 4th, 2006, 02:07 AM
This is a really stupid idea for making cash from hacking schemes. I know people who make up to £1000 a month with botnets bloated with spyware, so getting someone to buy pharmaceutical drugs for their documents back is a really shitty idea, and people who fall for it are giving them a virgin CC number to validate their online drug purchase so they get their shiznits back. But a CC, when used, can be traced, so my guess is this won't last long. The people behind it should have stuck to what works: if they wanted to extort money, DDoS to online betting shops, especially running up to the World Cup, would bring in a pretty penny ;). Sorry, but I can't see this threat going places, and even sorrier for the people who have been stung and fell for it; as already mentioned, a bootable CD would fix the problem *sighs*

gore
June 4th, 2006, 02:16 AM
HAHAHAHAHAHAHAHAHAHAHAHA....

So, to stop this thing all I have to do is be gore, and poof my stuff comes back....

This is like a virus holding Bill Gates hostage unless he makes money...

Noia
June 5th, 2006, 03:12 AM
The most amusing thing about this is that this kind of behaviour has happened before, although those times it was whole firms being attacked, their files locked and ransomed on a one-by-one basis by individual hackers.

That the tactic has been employed in a viral form like this was something I expected to happen after hearing of the first occurrences of these kind of attacks, although, as is noted in the first post, the password must be contained within the virus to encrypt it in the first place. If RSA had been employed, the victims would have been not-so-lucky.
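The point made in the first post (the password is inside the virus code) and in Noia's reply (that is only true because the scheme is symmetric; a public-key scheme would leave nothing recoverable in the binary) is easy to see in practice. The following script is an added illustration and is not from the article, from Sophos, or from any poster in this thread. It does the first thing an analyst does on a sample like this: carve printable strings out of the binary and rank the ones that look like a hard-coded archive password. The sample bytes are a constructed stand-in for a malware binary, not real Archiveus data; the only page-derived value is the password quoted in the BBC article, and the length/entropy/character-class thresholds are assumptions of this example.

```python
import math
import re
import string

# Constructed stand-in for a malware sample. The layout (a DOS stub string,
# a few import names, a path, a ransom note name, some padding) is an
# assumption for illustration; the embedded password is the one quoted in
# the BBC article above.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    b"C:\\Documents and Settings\\%s\\My Documents\x00"
    b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw\x00"
    b"locked_files.bin\x00HOW_TO_GET_YOUR_FILES_BACK.txt\x00"
    b"\x00\x00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00\x00"
)

ALNUM = set(string.ascii_letters + string.digits)


def carve_strings(blob: bytes, min_len: int = 8) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_key(s: str, min_len: int = 20, max_len: int = 64,
                   min_entropy: float = 3.5) -> bool:
    """Heuristic (an assumption of this example, not a rule from the article):
    a hard-coded archive password tends to be a long run of mixed letters and
    digits with no spaces or punctuation and no obvious repetition."""
    if not (min_len <= len(s) <= max_len):
        return False
    if not set(s) <= ALNUM:
        return False
    if not (any(ch.isdigit() for ch in s) and any(ch.isalpha() for ch in s)):
        return False
    return shannon_entropy(s) >= min_entropy


def rank_candidates(blob: bytes) -> list:
    """Carve strings, keep those that look like a static key, highest entropy first."""
    found = []
    for s in carve_strings(blob):
        if looks_like_key(s) and s not in found:
            found.append(s)
    return sorted(found, key=shannon_entropy, reverse=True)


if __name__ == "__main__":
    for cand in rank_candidates(SAMPLE):
        print(f"{shannon_entropy(cand):.2f} bits/char  {cand}")
```

On the constructed sample the import names, the path and the ransom-note filename are all discarded (wrong length, contain punctuation or spaces, or carry no digits) and the only survivor is the embedded password, which is then tried against the locked archive. That is exactly the situation Noia describes: the secret had to be shipped with the code. Had the binary carried only an RSA public key, the same carving would turn up the key material but nothing that unlocks the files, so the recovery route reported in the article would not exist.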