New Infection Tough To Beat 1

[sennister]

My Father-In-Law had his laptop infected a few days ago. He sent the laptop to me to take a look at it. Before he did this he had someone else look at it and they said reimage the system and that nothing could be done. I have a spare machine with a SATA HDD Dock that I use for cleaning machines so I pulled the drive from the laptop and mounted it to the spare machine not on my network. Here is what I discovered.

With the exception of the Windows Directory and most of the Program Files directory, every file has been renamed GODdidThisXXXX. The XXXX is a unique HEX number. The directory structure is intact but every file is replaced. No files have extensions and they are all exactly 98KB in size. No matter what the original file size was.

I ran a fully updated version of malware bytes on the volume and it found nothing. I ran a virus scan and it also came back clean. Since the windows files were intact I tried to put the HDD back in the laptop to boot it up expecting to see some app pop up trying to extort money from him to decrypt the hard drive. I couldn't see any strange programs on the computer. I ran Malware bytes again on the computer with it booted up. This also came back clean.

It is possible that the computer has been partially cleaned by the other person but I really don't know what the computer looked liked when he got it and what he did.

I uploaded a couple samples to

http://www.virustotal.com

and they all checked out clean. Not sure what else to try on this system before just dumping it. I am shocked that is seems to boot up fine and run fine with everything in the Users folders messed up.

Any ideas?

Thanks

 

[goombawaho]

"every file has been renamed GODdidThisXXXX." Apparently GOD is not happy with this PC. Even if the machine is clean of malware, you are basically shafted if this is the status of all your file names.

No anti-malware can rename those files back to what they were and you certainly don't know the names they should be even if you wanted to try to manually rename them.

ABORT THE MISSION - reload.

Just for kicks though, if you want to see if the machine is clean and/or what might be bugging it, boot to safe mode and run Combofix on it. Copy it off a memory stick after downloading from another machine. Get it here.

Google: combofix bleeping computer

 

[sennister]

Thanks goombawaho. I pretty much know that this system is hosed unless I can identify what did this. Maybe just maybe there is a way to undo it. Since I wasn't the first one to touch it any viruses that were on there are long since cleaned.

If I were to guess it is one of those viruses that encrypts all your data and then says pay us $50 via credit card to get your data back. Since that part of the app is likely gone there may not be much hope.

I'm not going to do anything with it today. There are Turkeys to eat. I'll take a look at combofix this weekend after wake up.

Thanks again.

 

[IPGuru]

If you are now certain that the disk is screwed you may want to try something like photorec to see if there is any recoverable data.

It cans the disc directly & does not pay any attention to the directory structure & despite the name recognises many common formats not just photos.


I do not Have A.D.D. im just easily, Hey look a Squirrel!

 

[flyboytim]

This reminds me of the old (Pre version 6) MS-DOS RECOVER command. This would read files, or even whole disks, saving each sequential sector as FILEnnnn.REC of 512 bytes, where nnnn starts at 0001. Bad sectors found this way were marked as bad, and not read. A forerunner of CHKDSK.
Not very user friendly, but when floppy disks held only a few hundred Kb, it was possible to manually stitch together broken files in this way. (However, in 1988 when I used the command RECOVER C:\*.* the results were not very recoverable!)

Replace "FILEnnnn.REC" with "GODdidThisxxxx" where nnnn are decimal integers and xxxx are hexadecimals would seem a trivial programming task.

 

[goombawaho]

He didn't mention that the data that was zapped was important, but the thing is that the data was not deleted or wiped, it was just renamed, which makes recovery harder.

I searched on the interwebz and I didn't find anyone else having this issue - nothing matched GodDidThis, except a bunch of religious sites.

 

[sennister]

Well I thought I would post a postmortem report to wrap this up. I never was able to ID what zapped the data. As for important, not life or death but a lot of family photos. Since he is family that means some of the photos were of me and my family. So there was a little more motivation to try and see what I could recover. After doing lots of digging in this over the weekend I think I have recovered what is recoverable. I used EASEUS to do some deep scans of the disk. This provided some success. I would say I was able to recover about 30% of what was lost. Not perfect but better than nothing. Basically his data was marked for deletion and some of it was recoverable. Had I gotten it before someone else looked at it I may have gotten a little more of the data. It is hard to say.

Early on I did lots of searches for what this could be and like goombawaho, found no mention of anything like this except the religious references.

Whatever it was that zapped his machine, it wasn't pretty. Well I have been telling him and my father that they should consider online backup like what I do. I have been using Mozy for a year or so now and have been happy. I know others that use Carbonite and have been happy with that as well. Never needed to do a restore but it is a nice safety net. In this case it would have saved his data as he could have reimaged the computer and pulled the data from Mozy. Of course it would have tried to backup the GODdidThisXXXX data as well but the originals would have been retained for 30 days.

 

[goombawaho]

What's more odd is that most malware these days really doesn't try to kill your data. It just tries to aggravate you into purchasing some scam product.

Those were the old days when viruses deleted all your word files or whatever. The new motivation is profit-oriented ripoffs or re-directions.

 

[2ffat]

Those were the old days when viruses deleted all your word files or whatever.

Ah yes, the good old days.

James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]

 

[goombawaho]

In a way, today's malware is "better" because all it tries to do is:

1. Sell you some bogus product and possibly use your credit card after that.
2. Redirect you to some web site
3. Steal your identity
4. Aggravate you with pop-ups
5. Shut off your internet connection
6. Etc.

But, at least your precious files are not killed off. I'm actually being serious. Who cares about the computer itself if pictures of your ex-girlfriends are gone forever or your departed dog, etc.

The old malware was like smashing your windshield with a rock. The new malware is like writing in dust on your windshield something like "you so ugly...."

Except for that whole identity theft thing - I love the new malware.

 

[papadba]

Never needed to do a restore but it is a nice safety net.

As i mention to clients with scary regularity - if backup media from some process has not been successfully restored and successsfully used, it is not a backup - it is only some media with unverified content. . . Any time a backup process is modified, the backup should be tested to ensure that nothing was lost in the change.

Suggest some/all of the backup be restored to a flash drive and verified. Possibly more frustrating than having no backup is having a backup that someone depends on that cannot be used. . .

 

[goombawaho]

Amen brother. Too many people have the "set it and forget it attitude" and they just trust that it is working and is restorable.

I even recommend that you test about every couple months - a small restore to see that you can get your data off the media.

This was especially true with tape backup, because tapes tend to wear out and if you didn't have a tape replacement schedule, you might have backup on tapes that are on the verge of being useless.

 

[BadBigBen]

The directory structure is intact but every file is replaced. No files have extensions and they are all exactly 98KB in size. No matter what the original file size was.

sounds like an encryption, and seeing that no AV or AM detects it, leads me to surmise that the malware code resides not in the OS, but gets loaded before the OS itself. Somewhat of a BOOTSTRAP like procedure. but to say more on the subject at hand, I would need to take a closer look at the drive structure (not the FS structure), e.g. through a Sector Editor...

before you decide to reload the laptop, could I ask you to upload one or two of the files (98kb sized) to RapidShare or Badongo... I would like to take a look at them...

Cryptovirology a Wikipedia article...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"

 

[goombawaho]

That's a good thought seeing as I couldn't find anything matching this type of "malware" on the internet.

 

[edfair]

I am curious to know if the files themselves were modified to fit into the sizes noted or whether it could have been just the directories that were overwritten without the data structure being touched.

Ed Fair
Give the wrong symptoms, get the wrong solutions.

 

[IPGuru]

That is why I suggested photo rec
it locates the data on the disc & does not rely on the data of the directory
it will even recover data from a disk that has the partition table removed & is not just limited to fat or NTFS file systems.

I do not Have A.D.D. im just easily, Hey look a Squirrel!