A forum for reverse engineering, OS internals and malware analysis
emc74 wrote:Can a more recent file be posted so that I can download and attempt a recovery? Can I check that following the download I just execute the file?It does not work that way, same question answered here:
Every1is= wrote:Maybe a dumb question, but I assume it will: does it search for the mask system wide?If the backup drive is mounted as a drive letter, then yes, CryptoLocker will scan it for files to encrypt. As for the encrypted files, I can tell you that people have tried to recover using a file recovery program and were unable to do so. Not sure if they are scrubbing or other method being used.
A lot of people will backup (ie: just make a copy) to a permanently attached USB drive or network drive. Be it via a network path or a windows mapped drive letter or IP/dirname etc.
Are those in danger as well?
Grinler wrote:Lot's of AV vendors are reporting that this is being spread via exploit kits as well. Anyone ever seen a sample from an exploit kit?0388.exe was recovered from a PC that was infected via Neutrino EK, it is only sometimes that I can recover the history though so it is hard to know for sure how often. Most of them that we find have ZeroAccess so I suspect sometimes PPI via ZeroAccess and sometimes through EK, though I could be wrong here.
