Moderator: E.J. Peiker

by Steve Cirone on Mon Jan 26, 2015 6:17 pm
Steve Cirone
Lifetime Member
Posts: 2262
Joined: 29 May 2005
Location: El Cajon, California
Member #:00583
A friend wrote: "Somehow, a NASTY virus slunk into my computer and strongly encrypted a lot of my files, including my photo images. I had 2 external hard drives hooked to my desktop for storage and backup, but had them BOTH connected. The virus infiltrated both of my external hard drives and encrypted a LOT of my files. This virus is called Ransom Foo Trojan."

He is running Windows, which I do not know. How does he get rid of the virus?
 
DAILY IMAGE GALLERY:  https://www.facebook.com/steve.cirone.1

 IMAGE GALLERY ARCHIVES WITH EXIF: https://www.flickr.com/photos/stevecirone/
 

by Anthony Medici on Mon Jan 26, 2015 7:20 pm
Anthony Medici
Lifetime Member
Posts: 6879
Joined: 17 Aug 2003
Location: Champions Gate, FL
Member #:00012
Google is a wonderful tool for research on items like this…

http://www.symantec.com/security_respon ... 13-1400-99
Tony
 

by DChan on Mon Jan 26, 2015 7:53 pm
DChan
Forum Contributor
Posts: 2206
Joined: 9 Jan 2009
Here's one of the links for removing Ransom Foo:

http://www.removalvideos.com/how-do-i-remove-ransom-foohtm-trojan-virus/

If you trust them.
 

by Anthony Medici on Mon Jan 26, 2015 8:33 pm
Anthony Medici
Lifetime Member
Posts: 6879
Joined: 17 Aug 2003
Location: Champions Gate, FL
Member #:00012
The Symantec site has a tab for removal as well as the general explanation of what it is.
Tony
 

by rnclark on Tue Jan 27, 2015 5:07 pm
rnclark
Lifetime Member
Posts: 864
Joined: 7 Dec 2010
Member #:01978
Wow, even though the malware may be removed by Symantec, that doesn't un-encrypt the data. Probably best at this point to recover from offline backup (a good lesson of why everyone needs offline backup) onto a totally new computer, and trash that computer and the hard drives affected. If no offline backup, then pay the ransom and hope they give the key (not removing the malware, which is probably needed to un-encrypt the data).

Finally, switch to a more secure browser. No browser should execute code like that! Was he using internet explorer?

Then a good reason to switch to a more secure operating system. No operating system should allow user code to muck with the operating system and modify master boot records!

Roger
 

by Gary Briney on Tue Jan 27, 2015 5:54 pm
Gary Briney
Lifetime Member
Posts: 18291
Joined: 25 Jul 2004
Location: USA
Member #:00336
rnclark wrote: Was he using Internet Explorer?

Another very relevant question is whether he is running up-to-date anti-virus protection. Apparently this malware has been around since 2009, according to the link above posted by Anthony.
G. Briney
 

by Steve Cirone on Thu Feb 05, 2015 7:22 am
Steve Cirone
Lifetime Member
Posts: 2262
Joined: 29 May 2005
Location: El Cajon, California
Member #:00583
Update: the virus was Trojan-Ransom.Win32.Dorifel. It showed up in the Netherlands government in 2012. It encrypts files and photos. My friend wanted a quick fix and deleted his encrypted photos and reinstalled Windows. He said he lost about half his photos, but he is a hobbyist and said his early images were so bad they were not worth keeping! He is a software engineer and builds his own computers. Not sure if he was using Internet Explorer.

I did research on this virus, and you can boot off a flash drive with a program called Kickstart from HitmanPro Malwarebytes, then run the scan, quarantine the problems and finally erase them. This leaves the encrypted files still encrypted, so Malwarebytes has created a decrypter program. I'd have gone that route myself.

Personally I am using Firefox as my internet link on one of several computers. I am running Microsoft Security Essentials. Windows 7 64 bit, security pack 2. Fully updated. I have not had any virus issues in years, but two days ago I got this exact virus amid trying to help my friend, I think via a fake Adobe Reader update. I heard the hard drive screaming, so I pulled the plug on the computer as I could not shut down. I built the HitmanPro Kickstart flash drive on a different computer and installed it, plugged in the power cord on the infected unit, and the war started. I tried booting many different ways but got blocked. Oddly, I was finally able to boot normally after removing the Hitman Kickstart flash drive, but it had been fighting with the virus for about an hour.

Finally I was able to limp to the Windows Desktop. I saw the machine was not right, so I immediately ran a Malwarebytes scan, and after an hour it located and removed the virus. I then ran a Windows Security Essentials scan, and after two hours it showed I was clean. I rebooted normally several times to play it safe. Luckily no files were encrypted. My theory on not getting files encrypted is that I am running 64 bit and the virus appears to be 32 bit, as per its name. Also (not sure if this is correct), I unplugged the computer as soon as I knew something was amiss, so this may have stopped the infection, though unplugging can wreck a computer, I have heard. I do not know.

Phew!  What a week.
 
DAILY IMAGE GALLERY:  https://www.facebook.com/steve.cirone.1

 IMAGE GALLERY ARCHIVES WITH EXIF: https://www.flickr.com/photos/stevecirone/
 

by Ed Cordes on Mon Feb 09, 2015 8:15 pm
Ed Cordes
Forum Contributor
Posts: 4913
Joined: 11 Mar 2004
Location: Corning, NY
Member #:00700
Very SCARY! So, if you are infected, it sounds like you will most likely need a new system. Your off-site backup of images will be safe, but you will have to build a whole new computer and then reload your images from the safety backup? I didn't see a clear way to clean the infected system from any of the links provided.
Remember, a little mild insanity keeps us healthy
 
