• Ransomware?

    From Philip Herlihy@21:1/5 to All on Sun Jan 29 17:31:30 2023
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese looking symbol and a future date as late as 2046. They then become impossible to read."

    I haven't managed to establish yet whether her laptop (presumably the host for these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands. My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!


    --

    Phil, London

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Philip Herlihy on Sun Jan 29 19:04:13 2023
    On 2023-01-29 18:31, Philip Herlihy wrote:
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese looking symbol and a future date as late as 2046. They then become impossible to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    If files on the host machine are not altered, then the malware is
    probably not active, for some reason.


    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!

    In theory, as long as you do not execute anything in there, you should
    be safe.

    I do not remember if (standard) USB media can have autoexec capabilities.

    Me, I would examine the disk from Linux first.


    But non standard usb media can be perverted and do things. That means a
    very bad guy is involved with "resources".


    --
    Cheers, Carlos.

  • From Philip Herlihy@21:1/5 to All on Sun Jan 29 18:33:08 2023
    In article <MPG.3e40afaac0764f49989a40@news.eternal-september.org>, Philip Herlihy wrote...

    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese looking symbol and a future date as late as 2046. They then become impossible to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!

    I've been ruminating over how I might approach this. I'm concerned that the money to be made from ransomware means a lot of investment in obscure techniques is likely to have been made, and I'm by no means confident I know enough about recent "virus technology" to win in the inevitable battle. This is what I've come up with so far.

    I could use a Windows 10 "Quick Assist" connection (based on Remote Desktop) to view and interact with the machine without risking my own (a very big concern!). I could turn off Autoplay for external devices, and assess the laptop before connecting any suspect devices. I could check first that the problem isn't simply one of file/disk corruption, then run a boot-time scan from any installed Antivirus (most have this now). Malwarebytes has a free "rootkit remover" which might be worth a try.

    Otherwise, I'd want to mount the laptop's disk onto a known-healthy host - without infecting that too. One possibility might be to swap out the existing disk in my system for a new SSD, install a fresh copy of Windows 10 and use that as an environment which could be disposable if things go wrong.

    Both Norton and McAfee offer paid "incident" services (modest cost) which involve a technician (who might well know more or might well know less than I do!) connecting remotely. Any experience out there?

    Finally, if the host can be protected, I could image the target disk using Acronis True Image and see what files can be recovered from the "Explore" facility within Acronis.

    So - any and all comments and suggestions welcome!

    --

    Phil, London

  • From Mighty✅ Wannabe✅@21:1/5 to Philip Herlihy on Sun Jan 29 13:33:45 2023
    Philip Herlihy wrote on 1/29/2023 12:31 PM:
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese looking symbol and a future date as late as 2046. They then become impossible to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!





    It could also mean the external drives are corrupted, especially when a
    woman was the owner of the laptop. It may sound sexist but I know many
    women would just pull the external USB connector out at will without
    telling windows to "eject" the drive.

    The reason you see wrong file date and "Chinese looking characters" and
    can't even open the file is because the file is corrupted. You can use
    Windows to scan the drive for errors.

    Right-click on the drive icon. Choose "Properties". Choose "Tools".
    Choose "Check".

    Hope it helps.

  • From Philip Herlihy@21:1/5 to All on Sun Jan 29 18:21:27 2023
    In article <t1piajx9ip.ln2@Telcontar.valinor>, Carlos E.R. wrote...

    On 2023-01-29 18:31, Philip Herlihy wrote:
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese
    looking symbol and a future date as late as 2046. They then become impossible
    to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    If files on the host machine are not altered, then the malware is
    probably not active, for some reason.


    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals
    'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware
    on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!

    In theory, as long as you do not execute anything in there, you should
    be safe.

    I do not remember if (standard) USB media can have autoexec capabilities.

    Me, I would examine the disk from Linux first.


    But non standard usb media can be perverted and do things. That means a
    very bad guy is involved with "resources".

    Thanks for this. I don't have a Linux environment available, and wouldn't have time currently to learn how to use it with any fluency!

    Yes, standard USB media can contain an autorun.inf file which (if Autorun is enabled on the host) can run whatever it points to. But you're right - malware has come a long way in recent years, and you're likely to be up against very smart people with a considerable financial interest in outsmarting you. I haven't had to deal with a virus infection for some years, so I'm well out-of-date.

    --

    Phil, London

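    Phil's point about autorun.inf above, as an added example that is not part of the thread: a small parser that reads a suspect volume's autorun.inf and lists what it would launch, without executing anything. It assumes the stick or disk is mounted read-only (ideally noexec) on an examination machine, in the spirit of Carlos's "examine it from Linux first"; the sample autorun.inf text and the file names in it are constructed. One caveat worth knowing before relying on this as a live-threat check: Windows 7 and later (and XP/Vista with Microsoft's AutoRun update) ignore autorun.inf on USB mass-storage devices and honour it only on optical media, so on a current host the file is an indicator of what the malware intended rather than a trigger. AutoPlay prompts are a separate mechanism and are the thing to switch off before the media goes in.

```python
"""Read a suspect volume's autorun.inf and report what it would launch, without running it.

Added example for this thread, not code posted in it.  It assumes the stick or
disk is mounted read-only (noexec) on an examination machine; the file is only
parsed as text.  SAMPLE_INF and BENIGN_INF below are constructed.
"""
import re
from pathlib import Path

# Directives under [autorun] that name a program: open= and shellexecute=
# launch a target directly, shell\<verb>\command= defines a context-menu
# action and shell=<verb> makes that verb the drive's default (double-click).
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=;]+?)\s*=\s*(?P<val>.*)$")
EXEC_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta", ".dll"}


def parse_autorun(text: str) -> dict:
    """Return {section: {key: value}}, names lower-cased, tolerant of junk lines.

    Hand-rolled rather than configparser so that duplicate keys, stray
    whitespace and unusual casing (all common in hostile files) cannot raise.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").strip().lower()] = m.group("val").strip()
    return sections


def launch_targets(sections: dict) -> list:
    """(directive, command) pairs that would execute if the host honoured AutoRun."""
    auto = sections.get("autorun", {})
    out = []
    for key, val in auto.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            out.append((key, val))
    return out


def command_path(command: str) -> str:
    """First token of a command line, quotes stripped, as a path relative to the volume."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def inspect_volume(root: Path) -> dict:
    """Find autorun.inf (any case) in the volume root and describe what it points at."""
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return {"present": False, "targets": []}
    sections = parse_autorun(inf.read_text(errors="replace"))
    targets = []
    for directive, command in launch_targets(sections):
        target = root / command_path(command).replace("\\", "/")
        targets.append({
            "directive": directive,
            "command": command,
            "exists": target.exists(),                      # a missing target often means a hidden/renamed payload
            "executable_suffix": target.suffix.lower() in EXEC_SUFFIXES,
        })
    return {"present": True, "targets": targets}


# Constructed sample: an autorun.inf that hides its launcher behind a folder icon.
SAMPLE_INF = """[AutoRun]
; constructed for illustration, not a real artefact
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Photos
open=hidden\\update.exe
ShellExecute = hidden\\update.exe
shell\\explore\\command=hidden\\update.exe
shell=explore
UseAutoPlay=1
"""
BENIGN_INF = "[autorun]\nicon=setup.ico\nlabel=Backup Drive\n"

if __name__ == "__main__":
    import tempfile
    for directive, command in launch_targets(parse_autorun(SAMPLE_INF)):
        print(f"{directive:25} -> {command}")
    print("benign targets:", launch_targets(parse_autorun(BENIGN_INF)))
    with tempfile.TemporaryDirectory() as tmp:       # stand-in for a read-only mount point
        root = Path(tmp)
        (root / "AUTORUN.INF").write_text(SAMPLE_INF)
        print(inspect_volume(root))
```

    On a real case, point `inspect_volume()` at the mount point of the suspect volume; a directive whose target does not exist, or whose target has an executable suffix under a name like "update" or "setup", is the sort of thing to search for by hash rather than by name, since the same launcher usually sits on every stick the host has touched.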
  • From Paul in Houston TX@21:1/5 to Philip Herlihy on Sun Jan 29 13:30:38 2023
    Philip Herlihy wrote:
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese looking symbol and a future date as late as 2046. They then become impossible to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!

    Could be failing storage media, too.

    Kaspersky makes a Linux based virus scanner that you can put on a
    bootable USB stick or CD. It is simple to operate and use. https://www.kaspersky.com/downloads/free-rescue-disk

    Trend Micro, and many of the others, can online scan. https://www.trendmicro.com/en_us/forHome/products/housecall.html

    Make the Linux boot USB on a clean comp then use it on her laptop.
    Connect to Trend with her laptop.
    If it is truly ransomware then the encrypted data is lost.

  • From Paul@21:1/5 to Philip Herlihy on Sun Jan 29 15:40:04 2023
    On 1/29/2023 12:31 PM, Philip Herlihy wrote:
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese looking symbol and a future date as late as 2046. They then become impossible to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!



    Paste the Chinese character into

    translate.google.com

    and tell us what character that equates to.

    We need that to search for a name for your pest.

    Alternately, take a picture of the character with a
    digital camera, to provide some isolation between
    the pest materials and your functional computers.

    *******

    There are two possibilities:

    ransomware
    wiper

    Also, be very careful as to what equipment you connect
    the laptop to. These things are designed to spread over
    networks, in order to decimate every computer in the room.

    A wiper is a ransomware, where the objective is destruction
    and not the payment of a ransom. It just ruins your files.

    Paul

  • From Carlos E.R.@21:1/5 to Paul in Houston TX on Sun Jan 29 22:28:08 2023
    On 2023-01-29 20:30, Paul in Houston TX wrote:
    Philip Herlihy wrote:
    A friend just sent me this:



    Could be failing storage media, too.

    Kaspersky makes a Linux based virus scanner that you can put on a
    bootable USB stick or CD.  It is simple to operate and use. https://www.kaspersky.com/downloads/free-rescue-disk

    This would be a good idea.


    Trend Micro, and many of the others, can online scan. https://www.trendmicro.com/en_us/forHome/products/housecall.html

    Make the Linux boot USB on a clean comp then use it on her laptop.
    Connect to Trend with her laptop.
    If it is truly ransomware then the encrypted data is lost.

    --
    Cheers, Carlos.

  • From Philip Herlihy@21:1/5 to All on Mon Jan 30 10:30:06 2023
    In article <h_yBL.2316673$pI23.2023664@fx07.ams1>, Mighty✅ Wannabe✅ <@.> wrote...

    Philip Herlihy wrote on 1/29/2023 12:31 PM:
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese
    looking symbol and a future date as late as 2046. They then become impossible
    to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals
    'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware
    on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!





    It could also mean the external drives are corrupted, especially when a
    woman was the owner of the laptop. It may sound sexist but I know many
    women would just pull the external USB connector out at will without
    telling windows to "eject" the drive.

    The reason you see wrong file date and "Chinese looking characters" and
    can't even open the file is because the file is corrupted. You can use Windows to scan the drive for errors.

    Right-click on the drive icon. Choose "Properties". Choose "Tools".
    Choose "Check".

    Hope it helps.

    Thanks for this - already in the plan!

    --

    Phil, London

  • From Philip Herlihy@21:1/5 to All on Mon Jan 30 10:31:28 2023
    In article <tr6lj6$2tnbi$1@dont-email.me>, Paul wrote...

    On 1/29/2023 12:31 PM, Philip Herlihy wrote:
    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese
    looking symbol and a future date as late as 2046. They then become impossible
    to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals
    'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware
    on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!



    Paste the Chinese character into

    translate.google.com

    and tell us what character that equates to.

    We need that to search for a name for your pest.

    Alternately, take a picture of the character with a
    digital camera, to provide some isolation between
    the pest materials and your functional computers.

    *******

    There are two possibilities:

    ransomware
    wiper

    Also, be very careful as to what equipment you connect
    the laptop to. These things are designed to spread over
    networks, in order to decimate every computer in the room.

    A wiper is a ransomware, where the objective is destruction
    and not the payment of a ransom. It just ruins your files.

    Paul

    I should get access towards the end of the week, so I'll do just that - thanks!

    --

    Phil, London

  • From Andy Burns@21:1/5 to Philip Herlihy on Mon Jan 30 13:15:54 2023
    Philip Herlihy wrote:

    I could use a Windows 10 "Quick Assist" connection

    One niggle with Quick Assist is that anything you do which raises a UAC dialog will block your session until your friend enters their admin
    credentials (or just hits "yes" if they are an admin; if they are an
    admin the potential damage done may be greater)

    without risking my own

    Yes, Quick Assist provides no file copying, not even clipboard pasting,
    which is good in this case to not open your machine to infection.

  • From Ken Blake@21:1/5 to PhillipHerlihy@SlashDevNull.invalid on Mon Jan 30 11:28:16 2023
    On Sun, 29 Jan 2023 17:31:30 -0000, Philip Herlihy <PhillipHerlihy@SlashDevNull.invalid> wrote:

    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese looking symbol and a future date as late as 2046. They then become impossible to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?


    Can the renamed files be opened with Word, Excel, or a pdf reader?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!

  • From Philip Herlihy@21:1/5 to All on Tue Jan 31 14:35:24 2023
    In article <n03gtht0sd2qlnsfef77m4odrh88ous9jt@4ax.com>, Ken Blake wrote...

    On Sun, 29 Jan 2023 17:31:30 -0000, Philip Herlihy <PhillipHerlihy@SlashDevNull.invalid> wrote:

    A friend just sent me this:

    "I also have a portable hard disk and at least one USB stick which may be infected with an unknown trojan which resists both Norton and McAfee.... it replaces file names in Word and sometimes pdfs or Excel files with a Chinese
    looking symbol and a future date as late as 2046. They then become impossible
    to read."

    I haven't managed to establish yet whether her laptop (presumably the host for
    these devices) is also infected - but I'd guess it is.

    Sounds like a ransomware virus to me? Though she hasn't mentioned any demands.
    My assumption is that without paying for a decryption key (and the criminals 'honouring' their offer) the affected files are simply gone. But how to attempt to 'treat' the devices, and host?


    Can the renamed files be opened with Word, Excel, or a pdf reader?

    I'm out of touch with how things like this work these days. Is it safe to extract the disks and hook them up to a machine of my own, to run antimalware
    on them, or do manual investigation with the likes of Autoruns and Process Explorer? Any advice welcomed!

    Good thought - sometimes a file can be opened by navigating from within the expected app, while double-clicking the file doesn't work.

    --

    Phil, London

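    Ken's question (can the renamed files still be opened?) and the earlier corruption-versus-malware debate both come down to what is actually inside the files, and that can be checked without opening any of them. The triage script below is an added example, not code from the thread. It assumes the suspect disk or stick (or an image of it, as in Phil's Acronis plan) is mounted read-only on an examination machine, reads only each file's first 4 KiB and its metadata, and sorts files into: container header intact (renamed at worst, so Ken's open-it-from-inside-the-app test is worth trying), high-entropy blob (what encryption or a random-data wipe leaves behind), near-empty or zero-filled (what a yanked cable or failing media leaves behind), or unrecognised. It also flags the thread's two indicators, a modification time in the future and CJK characters in the name. The magic-number table, the entropy thresholds and the sample files are this example's own choices.

```python
"""Offline triage of the suspect files: renamed-but-intact, encrypted/wiped, or corrupt?

Added example for this thread, not code posted in it.  It assumes the suspect
volume (or an image of it) is mounted read-only on an examination machine and
only reads file headers and metadata; nothing is opened with its application.
The magic table, thresholds and SAMPLES below are this example's own choices.
"""
import math
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

# Container signatures for the file types named in the thread.  Office 2007+
# documents are ZIP archives; legacy .doc/.xls are OLE compound files.
MAGIC = {
    b"PK\x03\x04": "zip",                         # .docx/.xlsx/.pptx
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # .doc/.xls
}
EXPECTED_KIND = {".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
                 ".pdf": "pdf", ".doc": "ole", ".xls": "ole"}
HEAD_BYTES = 4096


def sniff_type(data: bytes) -> str:
    """Identify the container from its leading bytes, regardless of file name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); ciphertext sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_cjk(name: str) -> bool:
    """True if the name contains CJK ideographs, CJK punctuation or full-width forms."""
    return any(0x3000 <= ord(ch) <= 0x9FFF or 0xFF00 <= ord(ch) <= 0xFFEF for ch in name)


def classify(name: str, head: bytes, mtime: datetime, now: datetime) -> dict:
    """Combine header, entropy and metadata into one verdict for a file."""
    kind = sniff_type(head)
    entropy = shannon_entropy(head)
    expected = EXPECTED_KIND.get(Path(name).suffix.lower())
    if kind != "unknown":
        verdict = "header intact"        # renamed at worst; try opening from inside the app
    elif entropy > 7.5:
        verdict = "high-entropy blob"    # consistent with encryption or a random-data wipe
    elif entropy < 1.0:
        verdict = "near-empty"           # consistent with data that never reached the media
    else:
        verdict = "unrecognised"
    return {
        "name": name,
        "kind": kind,
        "entropy": round(entropy, 2),
        "verdict": verdict,
        "ext_mismatch": expected is not None and expected != kind,
        "future_mtime": mtime > now + timedelta(days=1),
        "odd_name": has_cjk(name),
    }


def triage_dir(root: Path, now: Optional[datetime] = None) -> list:
    """Classify every regular file under root, reading only the first HEAD_BYTES of each."""
    now = now or datetime.now(timezone.utc)
    reports = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        with path.open("rb") as fh:
            head = fh.read(HEAD_BYTES)
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        reports.append(classify(path.name, head, mtime, now))
    return reports


def summarise(reports: list) -> dict:
    """Counts per verdict: many high-entropy blobs point at malware, many
    near-empty files at a yanked cable or failing media."""
    return dict(Counter(r["verdict"] for r in reports))


# Constructed sample inputs (not real artefacts from the thread).
NOW = datetime(2023, 1, 29, tzinfo=timezone.utc)
SAMPLES = [
    ("報告.docx", b"PK\x03\x04" + bytes(200), NOW),                       # CJK name, valid ZIP header
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", NOW),                 # ordinary PDF header
    ("\u6587", bytes(range(256)) * 16, datetime(2046, 5, 1, tzinfo=timezone.utc)),  # uniform bytes, 2046 date
    ("notes.xlsx", bytes(HEAD_BYTES), NOW),                                 # right name, all zeros
]

if __name__ == "__main__":
    reports = [classify(n, d, m, NOW) for n, d, m in SAMPLES]
    for r in reports:
        print(f"{r['verdict']:18} ext_mismatch={r['ext_mismatch']!s:5} "
              f"future_mtime={r['future_mtime']!s:5} odd_name={r['odd_name']!s:5} {r['name']}")
    print(summarise(reports))
```

    Over a real volume, `triage_dir(Path("/mnt/suspect"))` followed by `summarise()` gives the shape of the damage at a glance: a volume full of high-entropy blobs with 2046 timestamps is what a crypter or wiper leaves, while a volume full of zero-filled files under the right names is what unflushed writes leave, and in that second case the on-disk dates are more believable than the contents. Note the first sample: a CJK file name with a valid header is not evidence of anything on its own.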
  • From Philip Herlihy@21:1/5 to All on Tue Jan 31 14:34:04 2023
    In article <k3pu8dFucr7U1@mid.individual.net>, Andy Burns wrote...

    Philip Herlihy wrote:

    I could use a Windows 10 "Quick Assist" connection

    One niggle with Quick Assist is that anything you do which raises a UAC dialog will block your session until your friend enters their admin credentials (or just hits "yes" if they are an admin; if they are an
    admin the potential damage done may be greater)

    Agreed! Though I can see why that's done.

    --

    Phil, London
