13/12/2012
08:52

C.R.A.M. analyzes Trojan.Win32.DocEncrypter.A, it asks for a 200$ ransom!


Trojan.Win32.DocEncrypter.A asks for a ransom just like the numerous Trojan.Win32.FakeGDF variants that have hit the net recently! It takes from 200$ to 300$ to "free" your PC!

The malware known as Trojan.Win32.DocEncrypter.A presents itself as a full-screen window that asks for a very high ransom: 200$ for US residents and 300$ for users who live in other countries.


This kind of malware typically shows itself as a full-screen borderless window that, just like most versions of FakeGDF, blocks input and prevents the user from doing anything else.
On top of that, it also does considerable damage to the system. The virus:

- Encrypts all text files and images (.rtf, .txt, .chm, .jpg and other common formats) on the hard drive using an unknown algorithm, transforming them into useless *.block files. After encrypting the files it creates a text file named "WARNING.TXT" in every folder;

- Disables the standard Windows key behaviour and some Start menu entries by modifying some Windows registry keys; these functions can be restored with the Vir.IT eXplorer (Lite or PRO) tool "Fix IE + windows settings", available since version 7.3.4;

- Disables Safe Mode boot.
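The two file-system traces described above (renamed *.block files and a WARNING.TXT dropped in each folder) are what an incident responder would look for first. The following triage script is an added example, not TG Soft's code: it walks a directory tree, counts the *.block files, lists the folders carrying the note and pulls the victim ID and contact address out of it. The sample tree it builds is constructed; the regexes are assumptions based on the note quoted in this article.

```python
import os
import re
import tempfile
from pathlib import Path

NOTE_NAME = "WARNING.TXT"   # note dropped in every folder (from the analysis)
BLOCK_EXT = ".block"        # extension given to encrypted files (from the analysis)
# Patterns assumed from the quoted note text; adjust for other variants.
ID_RE = re.compile(r"identification number:\s*(\d+)", re.I)
MAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def triage(root):
    """Walk root and collect DocEncrypter-style artifacts: folders holding a
    WARNING.TXT note and every *.block file. Returns a summary dict."""
    root = Path(root)
    report = {"note_dirs": [], "block_files": [], "ids": set(), "emails": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.upper() == NOTE_NAME:
                report["note_dirs"].append(str(path.parent.relative_to(root)))
                text = path.read_text(errors="replace")
                m = ID_RE.search(text)
                if m:
                    report["ids"].add(m.group(1))
                report["emails"].update(e.lower() for e in MAIL_RE.findall(text))
            elif path.suffix.lower() == BLOCK_EXT:
                report["block_files"].append(str(path.relative_to(root)))
    return report


def build_sample_tree():
    """Constructed sample: two folders hit by the encryptor, one clean folder."""
    root = Path(tempfile.mkdtemp(prefix="docencrypter_demo_"))
    note = ("Your identification number: 3551\nYOUR COMPUTER IS BLOCKED.\n"
            "contact us via email payandbeunblocked@yahoo.com\n")
    for sub, victims in (("Documents", ["report.rtf.block", "notes.txt.block"]),
                         ("Pictures", ["holiday.jpg.block"])):
        d = root / sub
        d.mkdir()
        (d / NOTE_NAME).write_text(note)
        for v in victims:
            (d / v).write_bytes(b"\x00" * 16)  # opaque ciphertext stand-in
    (root / "Clean").mkdir()
    (root / "Clean" / "readme.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"{len(r['block_files'])} encrypted files in {len(r['note_dirs'])} folders, "
          f"victim IDs {sorted(r['ids'])}, contacts {sorted(r['emails'])}")
```

Run it against a mounted image of the affected drive instead of the sample tree to get the list of folders whose contents need restoring from backup.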

The following is the content of the "WARNING.TXT" file:

Your identification number: 3551
Your IP address: 151.51.143.252

WARNING! INFORMATION MESSAGE
YOUR COMPUTER IS BLOCKED.

If you see this text its means that you try to deactivate our programm. If you want unblock your files please contact us via email payandbeunblocked@yahoo.com.

All your documents, text files and databases are securely encrypted with AES 256.
You can unlock PC and files by paying a fine of 200 USD (USA and Canada) / 300 USD (via Western Union to other Countries)

You can select different payment methods:
1. With Moneypak prepaid code in amount of 300 USD.
2. With MoneyGram express prepaid code in amount of 200 USD.
3. With Western Union Transfer in amount of 300 USD. *

* if you want to pay with Western union you may do request payment information by email payandbeunblocked@yahoo.com

STEP 1: If files are important to you and you are ready to pay then buy prepaid code for the amount of $200 at the nearest store.

STEP 2: Choose payment method then enter your code and your valid email address in the fields below.
 Then click PAY and you will be prompted to enter the unlock code. OR Send an e-mail at PAYANDBEUNBLOCKED@YAHOO.COM. Indicate your ID in the message title and provide prepaid code.

STEP 3: Check your e-mail. In 24 hours we will send your Unlock code once payment is verified. Then enter your unlock code that you received by email from us and click UNLOCK. Your computer will roll back to the ordinary state.

WARNING!!!: You have 72 hours for pay. As soon as 72 hours elapse, the possibility to pay the fine expires, and your files will be securely erased with U.S. DoD 5220.22-M(ECE) wipe algorithm.

Q: How can I make sure that you can really decipher my files?
A: You can send one ciphered file on email PAYANDBEUNBLOCKED@YAHOO.COM (Indicate your ID and IP address in the message title), in the response message you receive the deciphered file.

Q: What if I don’t have possibility to purchase prepaid code?
A: You can send money in amount of 300 USD by WesternUnion as alternative option.

Q: Where can I purchase a MoneyPak?
A: MoneyPak can be purchased at thousands of stores nationwide, including major retailers such as Wal-Mart, Walgreens, CVS/pharmacy, Rite Aid, Kmart, Kroger and Meijer.

Q: Where can I purchase a MoneyGram?
A: MoneyGram can be purchased at thousands of stores nationwide, including major retailers such as Cumberland farms., CVS/pharmacy, Speedway.

Q: How do I buy a MoneyPak at the store?
A: Pick up a MoneyPak from the Prepaid Product Section or Green Dot display and take it to the register. The cashier will collect your cash and load it onto the MoneyPak.

TG Soft reminds all Vir.IT eXplorer PRO users who have been infected by this kind of malware that a dedicated assistance service is active from Monday to Friday, 9:00 to 12:30 and 14:30 to 18:30, to restore your PC's functionality (but not your files).
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
