Archive for category IT

New Encryption Virus: Ransomware : CryptoWall v 4.0

WARNING: New very dangerous virus that can cripple your business
Summary of things to do:

  • Don’t open attachments in emails you are not expecting (at work and home)
  • Pass this warning on to others and teach them the same practices you follow.
  • Do not visit websites you do not know or trust
  • Do not trust Word (DOC), Adobe (PDF) and other email attachment files
  • Do not forward unusual emails on to other staff members
  • Do not ignore weird popups, or things that are running slow or behaving a little “strange”
  • If files on your system start coming up as “Corrupt”, call your IT!
  • If you start seeing files on your own machine having their names changed or no longer opening, unplug your machine from the network immediately and call your IT
  • Make sure you have a backup that is removed from your network daily. It must be powered down and not plugged in. (Dropbox, SkyDrive and the like do not count: they sync the encrypted files just as faithfully as the good ones.)
  • Ask your IT to block .JS, .CHM, .EXE and other known attack file types from coming in via email (if you have this feature available).


A new ransomware dubbed “CryptoWall 4.0” has been found.
This new variant evades current antivirus detection and has new features such as encrypted file names.
CryptoWall continues to use the same e-mail and website distribution methods as previous versions. The samples we analysed were pretending to be a resume inside a zipped e-mail attachment.
These resumes, though, were actually JavaScript (.JS) files that, when executed, would download an executable, save it to a temporary folder, and then execute it.

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions.  From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

We have passed along a sample of this virus to Antivirus companies and they are working towards a solution.

This virus was first reported on the BleepingComputer forums.
For those that want more technical detail:
When installed, CryptoWall 4.0 will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Startup Repair. With the shadow copies gone, the built-in “Previous Versions” recovery path is gone too, which is why the offline backup above matters.
It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.
Once it has completed encrypting your files, it will launch the ransom notes that explain what happened and how to purchase the decrypter.
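A way to catch the recovery-tampering steps above in telemetry, as an added example and not something from the original post: the detection logic below runs over process-creation events (Sysmon Event ID 1 or Security 4688 command lines, reduced here to a constructed Key=Value format) and flags shadow-copy deletion and the bcdedit switches that disable recovery (recoveryenabled No, bootstatuspolicy ignoreallfailures). The sample events and command lines are constructed to resemble this class of ransomware; they are not quoted from the page or from a real infection, and the wmic and vssadmin resize variants are added as assumptions about related families.

```python
import re
from typing import Dict, Iterable, List

# Recovery-tampering behaviour described in the post: shadow copies deleted,
# bcdedit used to switch off startup repair/recovery. Case-insensitive because
# Windows command lines are. The wmic and resize variants are assumptions:
# other ransomware uses them for the same effect.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_delete_vssadmin": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "shadow_copy_delete_wmic": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "shadow_copy_resize_vssadmin": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I),
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value|CommandLine=...' record.
    CommandLine is split off first so it may contain '|' and '=' freely."""
    fields: Dict[str, str] = {}
    head, sep, cmd = line.partition("|CommandLine=")
    for part in head.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if sep:
        fields["CommandLine"] = cmd.strip()
    return fields


def detect_recovery_tampering(events: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, in event order."""
    alerts: List[Dict[str, str]] = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for rule, pattern in RECOVERY_TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append({
                    "rule": rule,
                    "time": ev.get("UtcTime", "?"),
                    "user": ev.get("User", "?"),
                    "parent": ev.get("ParentImage", "?"),
                    "cmd": cmd,
                })
    return alerts


# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
# The parent is explorer.exe because the post says the malware injects into it.
SAMPLE_EVENTS = [
    "UtcTime=2015-11-06 03:12:01|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice"
    "|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "UtcTime=2015-11-06 03:12:02|Image=C:\\Windows\\System32\\bcdedit.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice"
    "|CommandLine=bcdedit /set {default} recoveryenabled No",
    "UtcTime=2015-11-06 03:12:02|Image=C:\\Windows\\System32\\bcdedit.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice"
    "|CommandLine=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    # Benign: a backup account only listing shadows, no delete/resize verb.
    "UtcTime=2015-11-06 03:15:40|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|User=CORP\\backupsvc"
    "|CommandLine=vssadmin list shadows",
    "UtcTime=2015-11-06 03:16:00|Image=C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"
    "|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice"
    "|CommandLine=\"WINWORD.EXE\" /n report.docx",
]

if __name__ == "__main__":
    for a in detect_recovery_tampering(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['time']} user={a['user']} parent={a['parent']} cmd={a['cmd']}")
```

Backup software runs vssadmin too, which is why the rules key on the delete and resize verbs rather than on the tool alone (the backupsvc line above is not flagged). In production, also weigh the parent: given the injection described above, explorer.exe or svchost.exe spawning these tools is the interesting case, not a reason to suppress.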

 The more people you pass this blog on to, the more you can help stamp out these types of threats. Reducing the likelihood of this virus being triggered reduces the virus writers’ payday.


550 “Sender address is invalid [route]:”

A quick look on the internet shows an increasing number of people reporting an error 550 “Sender address is invalid [route]:” with bouncing emails. This is new as of August 2015, and nobody seems to know what the error means.

It seems for Aussie clients with this recent issue, the likely fault is with TPP Wholesale, which upgraded security/mail filtering on their network. They are now aware of the issue and are working to resolve it for multiple clients.

They have old webmail service lines / internal routes existing in Webcentral accounts, which is creating conflicts.

Webcentral, Melbourne IT, TPP etc. are all now the same company.

If you need this resolved, contact TPP.


Is the new right hand pane in Adobe Reader DC, messing with your workflow ?

The new Adobe Reader DC looks nice, but when you go to use it you have less workspace. So how do you remove the right-hand pane (this contains Export PDF, Create PDF, Edit PDF, etc.) in Reader DC? It takes up a quarter of the screen and many people don’t even use the tools.

To remove it temporarily, you can either click the right-hand panel bar or use Control+H to go into “Read Mode”. Note that “Read Mode” just displays the document with no panels, and it does not persist between documents or sessions: opening another document brings the right-hand pane back.

If you are an avid reader of PDFs and do not need the tools, here is a permanent solution.

Open the install directory,
i.e. “C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU” or “C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU”

Exit Adobe Reader first. Create a new subfolder (I used “Disabled”) and move these 3 files from the “ENU” folder into the new “Disabled” folder (you will need administrator rights to change files under Program Files).

Move  –

  • AppCenter_R.aapp
  • Home.aapp
  • Viewer.aapp

Open a PDF and the Tool Pane is gone. This also disables some menu items, so if you want to still use the tools, read on.

Back up the file called Viewer.aapp. Edit the file with Notepad (the file is XML and is located in “Adobe/Acrobat Reader DC/Reader/AcroApp/ENU/Viewer.aapp”).

The file contains a few lines; however, edit it so that the following line is the only remaining line.

<Application xmlns="" title="Viewer" id="Viewer" majorVersion="1" requiresDoc="true" minorVersion="0"/>

Now open Adobe Reader DC and the tools pane is gone but the menu items still work. Keep the backup: a Reader update may put the original files back.

Life can get back to some normality.


Cryptowall 3.0

I have had a brush with CryptoWall 3.0.

Imagine this: visiting a website in your latest favourite browser (any browser: Google Chrome, IE, Firefox, any one of them) with a PC which has the latest version of everything (Adobe Flash, Java etc.) and up-to-date antivirus, but you get hacked within 5 seconds.

No popups, no request to “allow this to download” or “allow this to run”. It just downloads and runs. You don’t feel it. The machine runs normally. (It even bypassed Microsoft UAC.)

Then … 28 PCs on your network, your Dropbox, your server, your NAS backup drives, your interstate user who is using VPN from a university interstate … are all encrypted and held for ransom.

The website you visited was a trusted website, one you trust implicitly and buy goods from. You had no reason to doubt the website. Nothing pops up strange … until the damage is done.

You call the company the website belongs to; they know nothing about it and pass you to their web developers. The web developers know nothing of this issue. They look further. All of their clients’ websites on their servers have been hacked. They take the servers offline.

Potentially thousands of people from around where you live use this service, surfing local websites for local businesses, all now being held to ransom.

It could happen to anyone. It could happen to you or me.

It sounds like a work of fiction. Maybe an episode of CSI or NCIS? Nope. That is what happened.

So how did this website attack this person?

We found a back door in the WordPress code that ran the website, calling out over the internet to Russia. This back door was used to gain access to the website, and then the code was modified to plant the malware onto visiting remote machines.

When figuring out how the website initially got hacked, I learnt that there are specific strings you can type into Google search.

This key search string shows you a list of every website where a certain file is accessible, the file likely used to allow this hack.

A hacker can click on this file and download it to their end. They open the file in something like Notepad … and there is the username and password to the website as a “hash”. They crack the “hash”, log into the website and edit the code to include the nasty back door to Russia. (The fix on the web side is to keep configuration and backup files out of the web root, or deny them in the web server config, and to rotate any credential that was ever exposed that way; a cracked hash stays cracked until the password changes.)

So, using Google … and Notepad … and a website for the back door to point to, you can hack a large number of websites, inject this code, then let people browse the website and get infected without any indication of how they got infected.

The file size of the website changes very little and you can reset the file date back to an older date. The webmaster does not know they are infecting people, and it goes on for several days. All their backups are now full of the malware. Sizes and dates cannot be trusted, so a web-side integrity check has to compare file hashes against a known-good copy of the site.

Then the hacker sits back and earns millions of dollars a day in ransom money.

It scares me that malicious code can be put on your PC and run without you having any idea. It scares me that you can perform the original hack of the website using Google.

So, trying the Google trick myself, I found the passwords to a hospital website and their member logon database.

Very scary. (I will let the hospital know).

We found the original malicious code and set it up on our malware testing machine.

We set up Wireshark and Sysinternals Process Monitor to monitor what it does. We disconnected the internet and ran the virus. Nothing happened. Double clicking made the mouse cursor change, but then nothing.

After watching for a while, we connected the internet. Now the virus wakes up. It needed the internet to activate. (Worth remembering when testing a sample: an offline detonation can look completely benign.)

We double-click the file and it deletes itself. It appears in C:\XXXXX, where XXXXX is the random name of the EXE file. Then it copies itself into the Startup folder of the user’s Start Menu profile. It then reaches out over the internet to numerous domains, exchanges a cipher (encryption key) with them and starts encrypting files.

I had placed some bait in a folder called C:\$fodder (some Microsoft Word and Excel files). This virus went alphabetically through my drive letters and folders and encrypted all my useful files, leaving behind help_decrypt.html and help_decrypt.txt files in every folder, on the desktop and in my profile’s Startup folder, and then deleted the virus executable when done.
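The bait-folder trick above can be turned into a simple detector. The script below is an added example, not the author’s tooling or anything from the original post: it plants canary documents, records their hashes, and alerts when a canary changes, disappears, or a help_decrypt ransom note appears anywhere under the monitored root. The folder name $fodder and the note names come from the post; the canary file names, their placeholder contents and the simulate_infection function are constructed (the latter just overwrites one bait file and drops a note), so the whole thing runs in a temporary directory without any malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Ransom-note names the post observed; matched case-insensitively.
RANSOM_NOTE_NAMES = {"help_decrypt.html", "help_decrypt.txt"}

# Bait files with known content. The post saw CryptoWall walk drive letters and
# folders alphabetically, so a folder such as C:\$fodder with names that sort
# early is hit before most real data and the alert fires early.
# Contents are constructed placeholders, not real documents.
CANARY_FILES = {
    "$fodder/aaa_budget.xlsx": b"constructed canary spreadsheet\n",
    "$fodder/aaa_contract.docx": b"constructed canary document\n",
}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path) -> Dict[str, str]:
    """Create the bait files under root; return {relative_path: sha256} baseline."""
    baseline: Dict[str, str] = {}
    for rel, content in CANARY_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        baseline[rel] = sha256(p)
    return baseline


def check_canaries(root: Path, baseline: Dict[str, str]) -> List[str]:
    """Return alert strings; an empty list means nothing has touched the bait."""
    alerts: List[str] = []
    for rel, expected in baseline.items():
        p = root / rel
        if not p.exists():
            alerts.append(f"canary missing or renamed: {rel}")
        elif sha256(p) != expected:
            alerts.append(f"canary modified (possible encryption): {rel}")
    # The post saw a note dropped in every folder touched, so scan the tree.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in RANSOM_NOTE_NAMES:
                alerts.append(f"ransom note found: {Path(dirpath) / name}")
    return alerts


def simulate_infection(root: Path) -> None:
    """Harmless constructed stand-in for the behaviour described: overwrite one
    bait file with junk and drop a ransom note beside it. Not malware."""
    folder = root / "$fodder"
    (folder / "aaa_budget.xlsx").write_bytes(b"\xde\xad" * 32)
    (folder / "HELP_DECRYPT.TXT").write_text("constructed ransom note\n")


def run_demo() -> List[str]:
    """Plant canaries in a temp dir, confirm silence, simulate, return alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_canaries(root)
        if check_canaries(root, baseline):
            raise RuntimeError("baseline should be clean")
        simulate_infection(root)
        return check_canaries(root, baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run check_canaries on a schedule (or from a file-change watcher) against the real root, and make the response match the bullet list at the top of the page: pull the machine off the network, since the post shows mapped drives and synced folders are next.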

I am encrypted and held for ransom :)

Technical details are at http://torblogjp5rjeyhx.onion/mickyj/cryptowall-3-0/

(Yes, it is on Tor. Only advanced computer users will know how to get onto the Tor network, and there I can post more details.)


There is a new virus and I found it ….. TROJ_CRYPWALL.XXRS

I am as proud as can be. I found an unknown virus and my company was instrumental in it being included in new detection routines as of 23rd June 2015. I am proud to be helping keep the IT world safe, a world I work in every day and have helped create.

The virus is not named after me, but it is my claim to 5 seconds of fame. Now … to put it into extinction. It has to go. It is a crypto-ransomware and dangerous.

I saw several of these viruses arrive in my inbox, with different subjects and sender names. The one common thread was a malformed attachment. Example name: “check[1].zip size=16877”

(Contains 6d5770fd.exe (221184 bytes))

If you rename the attachment so it ends in .zip, you can see the EXE payload.
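Both the CryptoWall 4.0 post above (block .JS, .CHM and .EXE at the mail gateway; resumes that are really .js files inside a zip) and this malformed check[1].zip attachment come down to one gateway check: identify the attachment by content rather than by name, and look inside archives for executable or double-extension members. The script below is an added example, not code from the original post or from any mail filter product; the extension list is a practical assumption that extends the three types named in the post, and the zip samples are constructed placeholders (no real payload).

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# The post names .JS, .CHM and .EXE; the rest is an assumed practical gateway
# list of script/executable types, not something the page specifies.
DANGEROUS_EXTENSIONS = {
    ".exe", ".js", ".jse", ".chm", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".jar", ".lnk", ".msi",
}

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty zip


def looks_like_zip(data: bytes) -> bool:
    """Identify zip content by magic bytes, not by filename: the post's sample
    arrived as 'check[1].zip size=16877', a name that does not end in .zip."""
    return data[:4] == ZIP_MAGIC


def risky_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for archive members a gateway should block."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes:
                continue
            final = suffixes[-1]
            if final in DANGEROUS_EXTENSIONS:
                # 'resume.pdf.js' style double extensions are the post's exact lure
                reason = "double extension" if len(suffixes) > 1 else "executable/script"
                findings.append((info.filename, f"{reason}: {final}"))
            elif info.compress_size > 0 and info.file_size / info.compress_size > 100:
                findings.append((info.filename, "suspicious compression ratio (possible zip bomb)"))
    return findings


def screen_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons to block one attachment; an empty list means allow."""
    reasons: List[str] = []
    if PurePosixPath(filename).suffix.lower() in DANGEROUS_EXTENSIONS:
        reasons.append(f"attachment itself is {PurePosixPath(filename).suffix.lower()}")
    if looks_like_zip(data):
        if not filename.lower().endswith(".zip"):
            reasons.append("zip content with non-.zip name (type mismatch)")
        for member, why in risky_members(data):
            reasons.append(f"archive member {member}: {why}")
    return reasons


def build_zip(members: Dict[str, str]) -> bytes:
    """Constructed sample archive; member contents are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the two posts: a 'resume' that is really a
# .js file, and a 'check[1].zip' carrying an .exe. Names only; no real payload.
RESUME_LURE = build_zip({"resume.pdf.js": "var x = 1; // placeholder, not the real dropper"})
CHECK_LURE = build_zip({"6d5770fd.exe": "MZ placeholder, not the real payload"})
CLEAN = build_zip({"invoice.pdf": "%PDF-1.4 placeholder"})

if __name__ == "__main__":
    samples = [("resume.zip", RESUME_LURE),
               ("check[1].zip size=16877", CHECK_LURE),
               ("invoice.zip", CLEAN)]
    for fname, data in samples:
        print(fname, "->", screen_attachment(fname, data) or ["allow"])
```

The type-mismatch rule is what catches the malformed name in this post: a gateway that only looks at the declared extension sees “size=16877” and lets it through, while one that reads the first four bytes sees a zip and inspects the .exe inside. Filters that cannot open archives should simply quarantine any zip that arrives with a non-.zip name.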

An example email:

From: bmack
Sent: Wednesday, 23 June 2015 12:28 AM
To: Michael
Subject: Hope this e-mail finds You well.

Good day!
Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 6489-245 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 495-70-75. Feel free to give a call at any time.

Stacey Grimly,
Project Manager

If you see one of these, update your antivirus. Delete the email. Don’t play with it.

Now, if you find something odd and your antivirus does not detect it, feel welcome to contact me. I will get it to Trend Micro, who will pull it apart. Once they have worked out how to detect and remove it, they share their info with other antivirus companies. At the end of the day, every one of these we knock out gets us one step closer to holding back the tide of these things.


Be careful with Telstra Business Bundle plans (e.g. the DOT plan)

We have found that we are unable to install SonicWALL firewalls or substitute modems on the Telstra broadband plan known as DOT (Digital Office Technology), which is sold to business broadband clients as a bundle.

Telstra provided a Cisco SPA504G VoIP handset and a Netgear DEVG2020 (ADSL modem, router, PSTN, wireless etc.) with most of the settings blocked from view (customised firmware).

The client does not need the Cisco handset but needs a SonicWALL-to-SonicWALL VPN set up. I could put a bridge in place of the DEVG2020 and get line sync (13 Mbit/1 Mbit), and I could set LLC, PVC 8/35 and PPPoE on the SonicWALL, but could not raise the PPPoE connection.

Basically Telstra have admitted (after 3 months and many phone conversations) that whilst the connection is PPPoE and should work, it will not work with any other router or modem, as it is bound to their provided Telstra hardware to make the Cisco phone handset work.

I asked them if we could revert the account back to normal DSL and remove the Cisco handset, and they said changing the plan amounted to breaking the 24-month contract.

So, if you want normal DSL or to use your own equipment, don’t get this plan.

