This post was last edited by zsh3245 on 2016-1-24 13:31
My PC was hit by a ransomware ("extortionist") virus. Files of many formats were encrypted and had the extra suffix *.micro appended; renaming the suffix back does not make the documents open either. The virus mainly goes after TXT, image, video, archive and similar files (but basically leaves the OS able to run normally), so my read is that the virus author simply wants to destroy the documents that are valuable to the PC's user. Every folder on the PC also got the following new files (the virus itself has already been removed outright; only the following 6 ransom-note samples remain):
help_recover_instructions+ito.html
help_recover_instructions+ito.txt
help_recover_instructions+ndd.html
help_recover_instructions+ndd.txt
help_recover_instructions+rvb.html
help_recover_instructions+rvb.txt
At the time, to keep the PC running smoothly, I had antivirus turned off. After the infection I turned the antivirus on and scanned, but it found nothing. Later I installed a certain foreign antivirus, which found and removed the virus outright (details: 20.01.2016 18.54.12 C:\Users\Administrator\AppData\Roaming\csquxhe45.exe), and I manually searched for and deleted nearly 100,000 copies of the 6 ransom-note files above. As I recall, I had clicked an external link in a forum post to a foreign image-hosting or free file-hosting download page; the virus was probably silently downloaded and installed through a Flash vulnerability or a browser plugin on that web page.
==============================(Newbies: do NOT click the links in the content below)=============================
Contents of help_recover_instructions+rvb.txt:
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://aynfksddnnfwkd.jockmias.com/13F67EE8DB1478B
2. http://krfdnhfnsai3d.abeleros.com/13F67EE8DB1478B
3. http://aynfksddnnfwkd.jockmias.com/13F67EE8DB1478B
4. https://4nauizsaaopuj3qj.onion.to/13F67EE8DB1478B
5. https://4nauizsaaopuj3qj.tor2web.org/13F67EE8DB1478B
6. https://4nauizsaaopuj3qj.onion.cab/13F67EE8DB1478B
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 4nauizsaaopuj3qj.onion/13F67EE8DB1478B
4. Follow the instructions on the site.
!!! IMPORTANT INFORMATION:
!!! Your personal pages:
http://aynfksddnnfwkd.jockmias.com/13F67EE8DB1478B
http://krfdnhfnsai3d.abeleros.com/13F67EE8DB1478B
http://aynfksddnnfwkd.jockmias.com/13F67EE8DB1478B
https://4nauizsaaopuj3qj.onion.to/13F67EE8DB1478B
!!! Your personal page in TOR Browser: 4nauizsaaopuj3qj.onion/13F67EE8DB1478B
!!! Your personal identification ID: 13F67EE8DB1478B
11111111111111111111111111111111111111111111111111111
=================================(Newbies: do NOT click the links in the content above)=============================
Lessons learned: 1. install system security patches promptly; 2. keep the antivirus database updated; 3. keep antivirus running at all times!!!
I sincerely hope 360 can provide a file recovery tool (for files encrypted by this virus and given the *.micro suffix) to help everyone. Many thanks!
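Added example (Python, not the poster's or 360's code): a small offline triage script for the situation described in the post. It walks a folder tree, separates *.micro files from the help_recover_instructions+xxx notes, pulls the victim ID out of the .txt notes using the "identification ID:" line format seen in the quoted note, and tests the "just rename the suffix back" idea by checking whether each *.micro file still starts with the magic bytes of its original type (a genuinely encrypted body will not). The victim tree, file contents, victim ID and shortened note text are all constructed inline so it runs offline; nothing here is a real sample.

```python
"""Offline triage of a ransomware infection of the kind described in the post:
files renamed to *.micro and help_recover_instructions+xxx.{txt,html} notes
dropped into every folder. Added example, not the poster's or 360's tool;
the victim tree below is constructed and the note text is a stand-in."""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".micro"  # suffix the malware appends (from the post)
NOTE_RE = re.compile(r"^help_recover_instructions\+[a-z0-9]{3}\.(?:html|txt)$", re.I)
ID_RE = re.compile(r"identification ID:\s*([0-9A-F]{8,})", re.I)  # line format of the quoted note

# Magic bytes for types the post says were hit. Used to test the poster's
# "rename the suffix back" idea: a genuinely encrypted body will not match.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
}


def original_name(path):
    """photo.jpg.micro -> photo.jpg (what the poster got by stripping the suffix)."""
    path = Path(path)
    return path.with_suffix("") if path.suffix.lower() == ENCRYPTED_EXT else path


def still_has_magic(path):
    """True if the body still starts with the magic of its original type,
    i.e. the file was only renamed, not encrypted. Unknown types -> False."""
    magic = MAGIC.get(original_name(path).suffix.lower())
    if magic is None:
        return False
    with open(path, "rb") as f:
        return f.read(len(magic)) == magic


def triage(root):
    """Walk a tree and sort out encrypted files, renamed-only files, notes and victim IDs."""
    report = {"encrypted": [], "renamed_only": [], "notes": [], "victim_ids": set()}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if NOTE_RE.match(name):
                report["notes"].append(p)
                if name.lower().endswith(".txt"):
                    m = ID_RE.search(p.read_text(errors="replace"))
                    if m:
                        report["victim_ids"].add(m.group(1).upper())
            elif name.lower().endswith(ENCRYPTED_EXT):
                bucket = "renamed_only" if still_has_magic(p) else "encrypted"
                report[bucket].append(p)
    return report


def build_sample_tree(root):
    """Constructed victim folder (not real samples): two folders, each with
    notes, some hit files, one untouched file and one merely renamed file."""
    root = Path(root)
    note = "Your personal identification ID: 0123456789ABCDE\n"  # constructed ID
    files = {
        "Pictures/photo.jpg.micro": b"\x3a\x91\x00\x7c" * 8,  # ciphertext stand-in
        "Pictures/help_recover_instructions+rvb.txt": note.encode(),
        "Docs/notes.txt.micro": b"\x5e\x02\xff\x19" * 8,
        "Docs/backup.zip.micro": b"\x9a\x11\x44\x0d" * 8,
        "Docs/intact.png": MAGIC[".png"] + b"\x00" * 16,  # never touched
        "Docs/moved.jpg.micro": MAGIC[".jpg"] + b"\x00" * 16,  # renamed only
        "Docs/help_recover_instructions+rvb.html": b"<html>" + note.encode() + b"</html>",
        "Docs/help_recover_instructions+rvb.txt": note.encode(),
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return root


def run_demo():
    """Build the constructed tree in a temp dir, triage it and return plain counts."""
    with tempfile.TemporaryDirectory() as d:
        r = triage(build_sample_tree(d))
        return {
            "encrypted": sorted(original_name(p).name for p in r["encrypted"]),
            "renamed_only": sorted(original_name(p).name for p in r["renamed_only"]),
            "notes": len(r["notes"]),
            "victim_ids": sorted(r["victim_ids"]),
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

On a real machine you would point `triage()` at the user profile or a mounted image instead of the constructed tree; the victim ID it extracts is the value to record in the incident notes, and the `renamed_only` bucket is where anything the rename trick actually recovers would land.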