Threat Description

MayArchive.B

Details

Aliases: MayArchive.B, Trojan.Archiveus, Trojan.Win32.MayArchive.b, Archiveus
Category: Malware
Type: Trojan
Platform: W32

Summary



The MayArchive.B trojan is a so-called "ransomware". It copies the contents of files with certain extensions into its own archive named EncryptedFiles.als, deletes the original files and then asks for a ransom to restore them.



Removal



Please note that disinfection of this trojan has to be done AFTER it restores your files. Otherwise you will not be able to restore the files that the trojan put into its EncryptedFiles.als archive. So if you have been infected with this trojan, and it has created the Demo.als and EncryptedFiles.als files on your hard drive, please follow the instructions given below:

  • Open Windows Explorer and locate EncryptedFiles.als
  • Double-click on the EncryptedFiles.als file
  • Click OK in the message box that has the 'Read INSTRUCTIONS to get your files back' text
  • In the new window click the Extract button
  • In the password prompt window input this password exactly as shown: AssociateFileExtension
  • Press Enter
  • Wait until the trojan extracts all of the files and then close the application window

The trojan should restore the files to your \My Documents\ folder. Please verify that your files have been restored before proceeding to disinfection. Disinfection of this trojan requires deletion of the trojan's file from your hard drive. The location of that file can be read from the .ALS file association the trojan creates in the Registry (see Technical Details below). You can delete it manually or follow these instructions.

F-Secure Anti-Virus should delete or rename the trojan's file after it finds the infection.

Please note that due to bugs in the trojan's code some of your files may be corrupted after restoration, so check the restored files before deleting the archive.



Technical Details



The trojan's file is a Visual Basic application that is not packed in any way. After the trojan's file is run, it scans the local hard drive(s) for files with the following extensions:

  • arh
  • asm
  • arj
  • bas
  • db
  • db1
  • db2
  • dbf
  • dbt
  • dbx
  • doc
  • dpr
  • dsw
  • frm
  • frt
  • frx
  • gtd
  • gz
  • gzip
  • jpg
  • key
  • kwm
  • lst
  • man
  • mdb
  • mmf
  • mo
  • old
  • p12
  • pas
  • pak
  • pdf
  • pgp
  • pl
  • pwl
  • pwm
  • rar
  • rtf
  • safe
  • tar
  • txt
  • xls
  • xml
  • zip

If a file with one of those extensions is found, the trojan copies its contents to its own archive named EncryptedFiles.als and then deletes the original file. The files stored in that archive are not encrypted, so they can be restored manually; however, this requires professional help. To use the trojan itself to restore your files, please read the Removal section (see above) of this description.

The trojan contains instructions to the user on how to get the password and restore the user's files. These instructions are copied into a file named Instructions how to get your files back.txt located in the user's \My Documents\ folder. Here is what these instructions look like:

INSTRUCTIONS HOW TO GET YOUR FILES BACK
READ CAREFULLY

This is automated report generated by auto archiving software.

All your documents, text files and databases was archived with the long password.

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. System backup will not help you to restore files. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted files, you should send an email to restoring@safe-mail.net or restoringfiles@yahoo.com This is your only way to get your files back and save your time.

We do not want to do you any harm, we do not ask you for money, we only want to do business with you.

##########################################################################
Remember you are just one step away from your files
##########################################################################

The trojan creates an extension association in the Registry for .ALS files. The association entry points to the trojan's executable file. So when a user double-clicks an ALS file, the trojan starts and shows this text first:

Read INSTRUCTIONS to get your files back


The trojan then shows the contents of the ALS archive. After the user clicks the Extract button, it shows a password prompt. See the image below:

The password for the files stored by the trojan in the EncryptedFiles.als archive is AssociateFileExtension.

The trojan also creates a file named Demo.als to prove that it can restore the user's files. The trojan is quite buggy however, so some files may become corrupted after the trojan restores them.
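The indicators given in this description (the two .ALS archives, the instructions file and its contact addresses in \My Documents\, and the .ALS association whose open command points at the trojan's executable) can be checked together as a host triage. The script below is an added example written for this page; it is not F-Secure's tooling. It evaluates a snapshot of the host rather than the live machine so that it runs offline: the file listing and the two Registry values are passed in as dictionaries, the sample snapshot is constructed here, and the executable path in it is a placeholder since the description does not name the trojan's file. On a real Windows host the same two Registry reads (HKCR\.als and HKCR\<ProgID>\shell\open\command) would come from winreg and the file listing from os.walk() over the user profile.

```python
"""Triage a host snapshot for the MayArchive.B (Archiveus) indicators above.

Added example for this description; the snapshot format, function names and
the placeholder trojan path are assumptions made for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicators taken from the description.
ARCHIVE_NAMES = {"encryptedfiles.als", "demo.als"}
NOTE_NAME = "instructions how to get your files back.txt"
NOTE_EMAILS = {"restoring@safe-mail.net", "restoringfiles@yahoo.com"}
# Extensions the trojan archives and deletes (from the list above).
TARGET_EXTENSIONS = {
    "arh", "asm", "arj", "bas", "db", "db1", "db2", "dbf", "dbt", "dbx",
    "doc", "dpr", "dsw", "frm", "frt", "frx", "gtd", "gz", "gzip", "jpg",
    "key", "kwm", "lst", "man", "mdb", "mmf", "mo", "old", "p12", "pas",
    "pak", "pdf", "pgp", "pl", "pwl", "pwm", "rar", "rtf", "safe", "tar",
    "txt", "xls", "xml", "zip",
}


@dataclass
class Triage:
    archives: List[str] = field(default_factory=list)   # paths of the .ALS archives found
    note: Optional[str] = None                          # path of the instructions file
    note_contacts: List[str] = field(default_factory=list)
    als_handler: Optional[str] = None                   # executable the .ALS association runs
    infected: bool = False


def is_target_extension(filename: str) -> bool:
    """True if the trojan would have archived and deleted this file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in TARGET_EXTENSIONS


# First token of a shell\open\command value, with or without quotes.
_EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)"?', re.IGNORECASE)


def als_handler_from_registry(reg: Dict[str, str]) -> Optional[str]:
    """Resolve HKCR\\.als -> ProgID -> shell\\open\\command to the executable path.

    `reg` maps Registry key paths to their (Default) value. This is where the
    trojan's own file is located, which the Removal section needs deleted.
    """
    progid = reg.get(r"HKCR\.als")
    if not progid:
        return None
    command = reg.get(rf"HKCR\{progid}\shell\open\command", "")
    match = _EXE_RE.match(command)
    return match.group(1) if match else None


def triage(files: Dict[str, str], reg: Dict[str, str]) -> Triage:
    """`files` maps full paths to text contents ("" for binary files)."""
    result = Triage()
    for path, content in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in ARCHIVE_NAMES:
            result.archives.append(path)
        elif name == NOTE_NAME:
            result.note = path
            low = content.lower()
            result.note_contacts = sorted(e for e in NOTE_EMAILS if e in low)
    result.als_handler = als_handler_from_registry(reg)
    # An .ALS association alone is weak evidence (other software may register
    # the extension), so require the archive plus either the note or the handler.
    result.infected = bool(result.archives) and (
        result.note is not None or result.als_handler is not None
    )
    return result


# Constructed snapshot of an infected profile (not captured from a real host).
DOCS = r"C:\Documents and Settings\user\My Documents"
SAMPLE_FILES = {
    rf"{DOCS}\EncryptedFiles.als": "",
    rf"{DOCS}\Demo.als": "",
    rf"{DOCS}\Instructions how to get your files back.txt":
        "This is automated report generated by auto archiving software.\n"
        "you should send an email to restoring@safe-mail.net or "
        "restoringfiles@yahoo.com This is your only way to get your files back",
    rf"{DOCS}\photo.bmp": "",   # not a targeted extension, so it survived
}
SAMPLE_REGISTRY = {
    r"HKCR\.als": "alsfile",
    # Placeholder path: the description does not name the trojan's file.
    r"HKCR\alsfile\shell\open\command": r'"C:\placeholder\trojan.exe" "%1"',
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_REGISTRY))
```

Run the triage before following the Removal steps: the `als_handler` value tells you which file to delete once the archive has been extracted, and the `archives` list tells you whether EncryptedFiles.als is still present and therefore still needed.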





Description Created: Alexey Podrezov, May 11, 2006
Technical Details: Alexey Podrezov, May 11, 2006
Description Last Modified: Alexey Podrezov, May 17, 2006

