Antivir Certify – Blackmailing virus attacking audio and video files
I usually do not care about viruses and computer problems, but yesterday I got a very vicious virus. The virus managed to crypt all my audio and video files and courteously asked to go to a webpage where there will be information how to proceed. Just imagine that suddenly my computer turned mute. I went on the webpage and I downloaded an application called activation.exe that asked for a blackmail of 19.53$. The application gave two choices, direct payment by card and PayPal. I used PayPal and sent the money to Pavel Kostenko on firstname.lastname@example.org (PAYPAL *PAKOVELLI). The password that I got was 28087526. The application later made a key that I used to decrypt my audio and video files. It luckily worked.
How the virus works? It targets all the usual audio and video files (mp3, avi, wmv) and crypts them with an extension .CrYpTeD. The extension is connected with Antivir Certify .exe file (HDXOZMES.exe was in my case) file that was in WINDOWS/System32 folder. Another virus file was WINDOWS/Temp/~TMC.tmp. ~TMC.tmp was the blackmailer file that came up on the restart of the computer.
I did not pay the blackmail immediately. When I saw that all my audio and video files got an extension .CrYpTeD I used bulk rename, but the virus manages to cut the start and end of the audio and video files. That is maybe ok for mp3 files that can play like several seconds later and end earlier, but it killed all my Xvid files. I usually make my animations as Xvid avi’s. It was a pay or die situation for the files.
I use videos in my presentations and a virus like this can be devastating. Even if it is not about work, all of my camera videos could have been gone. I have backups of most of them, but restoring an entire folder of tens of GB movies would have taken days.
I hope that my post will help someone who gets in hostage files trouble. I also hope that it will affect any makers of this kind of blackmailing software to stay away from vicious programming.