Thanks for supplying that information. I asked because, as I said, each new version of this ransomware introduces some additional features. I've looked at the analyses of the previous versions and I don't see this behaviour there so it's likely to have been added for this release.
If simply renaming the files isn't working my guess is that a registry entry has been added or modified to scramble the file names. I'll try to get one of the McAfee techs to have a look at this to determine what that registry entry might be. In the meantime I'll keep looking elsewhere for other reports - someone may already have found the answer. If you find anything on the Net before I do can you post the information here? That will help the others.
I'll report back as soon as I've found anything relevant.
Thanks for replying Haydon. I think you're correct in that this is a very new string; there's not much anywhere about it, in fact here is the first place I've seen someone mention it after googling for hours. I would hope it's a simple case of deleting/modifying a reg entry and that it ihasn't scrambled these files for good. I will keep looking and let you know. I also have someone else looking into this (without success thus far).
When you try to rename it back to file.txt and open it it just comes out all jumbled
I only realised that this might be significant after I posted my reply, and while I was describing the symptoms for the tech team.
If you mean that the file contents are scrambled that implies some file encryption has been carried out, which complicates things quite a lot. There was a similar case a couple of weeks ago (a different strain of ransomware) where Dr. Web came up with a decryption solution that had to be applied on a case-by-case basis. The decryption tool required a number to be supplied as a parameter but (as some users found when they jumped the gun and ran the fix without asking) the ransomware was being modified on a regular basis and the encryption key used was different. They ended up with a load of unrecoverable files.
I'm waiting for a response from the techs. It doesn't always come at once (different time zones, depends what else they're working on). They may need an example of a file for analysis - preferably something where the contents are known, or can be inferred, like a system log file or McAfee log file. Then they should be able to work out the encryption method.
Of course, if I have misunderstood and the files aren't encrypted then fixing the problem becomes a little easier.
Edit - Whatever I can learn about the West Yorkshire Police variant will be added to the blog entry about this ransomware. I'm also wondering what additional malware gets downloaded onto your system : something else seems to get detected by Malwarebytes but I don't know what it is yet.Message was edited by: Hayton on 01/05/12 15:08:44 IST
This Virus have updated most of files but it does not corrupt those files whose name starts with wild character (i.e ~$Grand Heritage Price LIst.xlsx) and also it does not impact files with dot(.) in the name (i.e UserData-grizzlyvidyalaya.com.xlsx). I can also send you few files before and after virus attack for analysis. Please let me know.
Thanks for the help
Thanks for the feedback. First response from one of the techs is below
encryption techniques are hard to counter.. its usually a system level modification
He's asking in his department to see if anyone there has encryption/decryption expertise. That's not something most techs have experience with, so I hope he can find someone. If he can't, I'll have to see if Dr. Web or one of the specialist forums can help you.
Not good news, I'm afraid. Had a note from one of the other mods letting me know that one of the techs said
Right now the focus is on adding generic detection to detect these variants. There is nothing being done on creating a decryption tool yet.
I'll have to look elsewhere for someone who can help you, if the files really are encrypted. If nit2k has an example of a file before and after the WYP infection it should though be possible to get someone to check them and confirm that encryption has taken place. There are a couple of people in McAfee who I can ask about this.
I'll try within McAfee. If I can't get to the right person then your best bet might be to go to Dr.Web or F-Secure : I'm trying to find out if Dr.Web's "Trojan.Encoder.94" and BitDefender's "Trojan.Ransom.HM" are the same variant as the WYP one. I think not, since spamfighter.com is talking about a file suffix of ".EnCiPhErEd".
Dr.Web will analyse and fix infected systems on an individual basis. They do not advise running their decryption tool without knowing which parameter should be passed to it. At the moment they're doing this for free (good publicity, I suppose) but if the number of requests increases they may well decide to charge for the service.
I'll get back as soon as I can.