Monday, July 27, 2015

Profiles in PC Poisoning, Part 3

In the previous post, I detailed the removal of the CTB-Locker Trojan from my father's computer with Malwarebytes Anti-Malware. Up to this point I haven't been very specific about the damage that CTB-Locker left in its wake - I'll get into that today.

Encryption prototype

CTB-Locker encrypted hundreds of files on my father's computer. For example, CTB-Locker converted a Byron.wps file to a file.

The Byron.wps document was created by the word processor module of Microsoft Works, which was discontinued by Microsoft several years ago. Besides Microsoft Works, both Microsoft Word and Notepad can open a .wps file; in the latter case most of the file will be unintelligible but the original .wps content will be present therein and can be extracted if desired.

Now, what about the file? As it happens, there is a recognized .xyz file format, but it has nothing to do with word processing. An attempt to open with Microsoft Works throws the following error:
Works cannot open "C:\Documents and Settings\Owner\Desktop\". The file may be in use by another application, the file format may not be supported by any of the installed converters, or the file may be corrupt.
The file can be opened with Microsoft Word or Notepad but the content is complete gobbledygook in both cases. (BTW, subtracting the .xyz extension from the file name does not give a readable file, in case you were wondering.)

C: damage

In the computer's Local Disk (C:) volume, CTB-Locker mainly targeted two folders:
(1) C:\Documents and Settings\Owner\My Documents\
Most of the affected files in the My Documents\ folder were in fact doubly encrypted, as detailed below.
(2) C:\Program Files\

My Documents\

• 170 .wps documents were converted to 153 files, 10 files, and 7 files. Also, a .docx document was converted to a file and 4 .txt documents were converted to 2 files and 2 files.

.jkffbil? .bqtuzhl? What seems to have happened is the computer was initially hit with two different CTB-Locker infections and then after applying that video procedure to the computer a remnant of one or both infections (or maybe even a third, separate infection) later reared its ugly head and .xyz-ed (1) the .jkffbil-ed and .bqtuzhl-ed files and (2) whatever was missed the first time around - at least these are the conclusions I draw from inspecting the Created:/Modified:/Accessed: fields on the General tab of the Properties pane for a variety of encrypted and unencrypted files.

• 100 .jpg images, including all those in the My Pictures\ subfolder, were converted to 88 files, 7 files, and 5 files.

• 25 .pdf files were converted to files.

• 4 .zip packages were converted to 2 files and 2 files.

• In the My Music\ subfolder, 2 .itl iTunes libraries were converted to files and 2 .itdb iTunes databases were converted to files.

• In the My Videos\ subfolder, a .flv video was converted to a file.

• Lastly and least, there are 338 files and 4 files in RegCure Pro\ and SpeedyPC\ subfolders that really shouldn't be on my father's computer in the first place.

Program Files\

• 384 files were converted to 272 .jkffbil files and 112 .bqtuzhl files; all of these files are singly encrypted. Affected file formats: .cer, .doc, .eps, .jpg, .js, .mdf, .pdf, .ppt, .rtf, .txt, .xls, and .zip.


• There are 9 encrypted files in the C:\Documents and Settings\Owner\Desktop\ folder and 20 encrypted files in the hidden C:\Documents and Settings\Owner\Application Data\ and C:\Documents and Settings\Owner\Templates\ folders. Affected file formats: .air, .dbf, .doc, .docx, .jpg, .js, .pdf, .ppt, .rtf, .txt, .wb2, .wps, .xls, .xlsx, and .zip.

• Outside of the C:\Documents and Settings\Owner\ folder, 2 .wma audio clips were converted to files and 4 .jpg images were converted to 2 files and 2 files in the C:\Documents and Settings\All Users\Shared Documents\ folder.

D: damage

Twice in the past - about five months ago and in 2012 - the Address Book\, Desktop\, Favorites\, and My Documents\ subfolders of the C:\Documents and Settings\Owner\ folder were copied to the computer's Recovery (D:) volume. Without exception, all of the encrypted C:\Documents and Settings\Owner\Desktop\ and C:\Documents and Settings\Owner\My Documents\ files were also encrypted in the D: volume although not necessarily in the same way, e.g., some of the files appear as files and vice versa.


• The following file types were left alone: .bak backups, .bmp images, .dat data files, .db databases, .dll libraries, .exe executables, .htm and .html and .xml Web documents, .mp3 audio files, .wav audio files, and .xlr Microsoft Works spreadsheets (not a complete list).

• Gratifyingly, the C:\WINDOWS\ folder was left untouched.

In search of a key

I found a "How to remove CTB Locker Virus" article whose Stage 3 : Unlocking files that were encrypted by CTB Locker section suggests that a Panda Ransomware Decrypt program might be able to decrypt CTB-Locker-encrypted files and provides a link thereto. My attempts to decrypt a small group of encrypted files with Panda Ransomware Decrypt are not worth discussing to any extent: suffice it to say that they didn't work.

To my understanding, file decryption tools are target-specific, i.e., a program that unlocks files encrypted by a specific type of ransomware will generally be useless for files encrypted by other types of ransomware. As of this writing and as far as I am aware, no one has written a program that can decrypt files encrypted by CTB-Locker.

Subsequently, I decided to see if I could re-obtain the affected data on my father's computer via a file recovery approach, which did prove somewhat successful, and I'll tell you about it in the following entry.

No comments:

Post a Comment