Jul 18th

unRansom..Me!

Posted by: Jacques Erasmus


We are receiving a lot of questions about where to find the decryption tool, so I thought I'd make a quick post regarding it.

We have made 2 flavours of the tool.

- User Friendly with GUI - available here.

- CMD Line Version, where you can specify your "Personal Code" available here.

Contact us if you run into this, we will be able to help.

Also attached is a Technical Analysis by Marco on the Trojan, available here.

** UPDATE ** by Marco Giuliani

After some tests, we have discovered that in certain situations the WinCode value in the registry may not be present or may be set to 0. If for any reason the registry value is absent (because an antivirus/antispyware program removed it, another infection by the virus modified it, or it was erased during a format), then our tool cannot recover the files.

18 comments so far

  1. A P on Jul 17 20:55, 2007

    Hello Sir:

    I too got infected with the "Glamorous" ransom virus a couple of days back. It destroyed all data on my E: and external hard disk leaving the data on C: and D: unaffected. I formatted my system yesterday and now have protected myself with several anti-spyware tools. I have also taken backup of all encrypted files on DVDs.

    And today, I tried to run the GUI version of "unransomme.exe" posted on 16th July. However, the results were not satisfactory. The log file though reported that the "thumbnails" and infected files were decrypted, but the information was misleading. I think I am one of those 256 cases where the personal code is incorrect. So far, I have tried to recover only *.doc files and failed. Soon I shall check for recovering *.txt and *.jpg files with your software and let you know. Please help me with getting back my data.

    Thanks again for your helpful posts.

    A P

  2. A P on Jul 17 21:11, 2007

    Hi,

    My system has multiple "personal codes" on different drives/ partitions, which gives me the impression that the "Glamorous" ransom virus ran its encryption multiple times. I had taken backup of all the infected files and folders from all drives on separate storage disk before formatting your system. I checked with your "unransomme.exe" and found my *.doc files still encrypted. I would still try your software with folders containing *.jpg and *.xls files.

    Would it be possible to make a GUI version of your software where one may select a single drive/folder and decrypt using a specific "personal code" that was left in the "read_me.txt" message in that particular folder?

    Thanks

    AP

  3. Bill Revett on Jul 17 22:00, 2007

    I was so excited with your decryption tool mentioned in the 7/16 blog that I didn't even check my files after your tool decrypted 728 pages, assuming it worked. After further review, my photos were not decrypted and the Word documents only show the encryption format. I tried downloading your CMD line version (to use my personal code), but it would not download. Any suggestions?

  4. Jacques Erasmus on Jul 17 22:04, 2007

    Hi,

    This makes sense ... You can use our command line version to do exactly that.

    Thanks for shedding some light on this - we assumed that this might be the case.

    // Jacques

  5. Jacques Erasmus on Jul 17 22:07, 2007

    Hi,

    Try right clicking and using the save as function. Otherwise I can email it if you still need it.

  6. A P on Jul 18 6:11, 2007

    Hello Jacques:

    Thank you! Thank you! Thank you! Finally it worked.

    In my previous posts I had claimed that your "unransomme.exe" was ineffective. Actually, it was partly my own mistake. As my system was infected multiple times with the trojan on different drives, there was more than one "personal code" in the folders. Initially, I had used the GUI version of your tool and probably it detected the first "personal code" from a "Read_me.txt" file and tried to decrypt all the files on the system. As a result, files that needed a particular "personal code" were not successfully decrypted.

    Tonight, I took a thorough look at each folder and the messages and succeeded in retrieving the original files. The command-line version of your tool (deglamour.exe) proved immensely helpful in restoring each folder separately.

    I am really so happy to get back all my files. I wish I had not panicked at the onset of detecting the viral attack and formatted my system, and also deleted many files that I then thought were impossible to cure. Anyways, I am still glad with whatever I have been able to restore now. I haven't sufficient words to praise your team and the devotion you have put into it. Keep up the good work!!!

    One request. Could you please also write us a small code that may remove all the "read_me.txt", "Read_Me.txt" or "Read_me.txt" files from all folders because those files are taking up plenty of space?

    Many thanks once again!!!

    Cheers

    A P

  7. Austin on Jul 18 18:53, 2007

    How does this trojan propagate? I understand it required some user to visit a particular website, but it appears that it then propagated to other devices on that user's network. Is this the case, or is it limited to users who visit the website(s) with the malware? Would network behavior analysis tools detect this if it spreads on a corporate network?

  8. Jacques Erasmus on Jul 19 1:46, 2007

    Hi Austin,

    Good question. In this case it's not a worm, so it requires user interaction to spread. In most cases network devices will be able to stop the spread of such things these days. The problem with this trojan is more a "data leak" problem. Data sent to the controlling server was via HTTP, and in many cases will not cause suspicion if you have 70,000 nodes on your network. The ease with which it monitors session data and steals passwords is rather alarming.

    // Jacques

  9. dan on Jul 19 3:21, 2007

    Please help. I ran the user friendly version earlier today without success. I just tried the CMD but it will not download/run. Any additional suggestions for me? Thanks for your help.

  10. Mike on Jul 19 5:52, 2007

    I saved the files (minus the readme.txt files) to a DVD and then reformatted. If I'm understanding correctly, even though I have the files, because of the reformat there is no way to decrypt because the code was left in the registry?

  11. Jacques Erasmus on Jul 19 10:38, 2007

    If you have your "personal code" found in the read_me.txt file, it is possible to decrypt it using the command line tool. Otherwise it might be possible to bruteforce a key, but this takes a lot of time.

    // Jacques

  12. Jacques Erasmus on Jul 19 14:42, 2007

    Try right click and save as on the link for the command line version, it should work.

  13. Rick on Jul 19 21:02, 2007

    I've tried to use this tool both GUI & cmdln but none will work. What is meant by "Enter the user code exactly as it appears in read_me.txt, in decimal form, with all negative symbols intact."? Does that mean to include or exclude the decimal point at the end? Also what neg symbols? When I tried this all the data is still crap even though it reports all decrypted.

  14. Jacques Erasmus on Jul 20 10:47, 2007

    Hi, enter the personal code without the '.' at the end.

    For instance: -123456789

    Or 123456789
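An added example (not part of this post, and not the unransomme/deglamour tool itself) for the two situations raised in the comments: A P's multiple "personal codes" in different folders, and the code format Jacques gives above (sign kept, trailing '.' dropped). It walks a tree, finds every read_me.txt variant case-insensitively, parses the code from each note and groups folders by code, so the command-line tool can be run once per code. The note wording, the minimum code length and the sample folder tree are assumptions constructed for this example.

```python
import os
import re
import tempfile

# The note was seen as read_me.txt, Read_me.txt and Read_Me.txt; match it case-insensitively.
NOTE_NAME = "read_me.txt"

# Assumption: the personal code is a signed decimal integer of at least 6 digits,
# sometimes printed with a trailing '.' that must NOT be passed to the tool.
CODE_RE = re.compile(r"(-?\d{6,})\.?(?!\d)")


def parse_personal_code(note_text):
    """Return the personal code as an int (sign intact, trailing '.' dropped), or None."""
    m = CODE_RE.search(note_text)
    return int(m.group(1)) if m else None


def inventory_notes(root):
    """Group every folder containing a ransom note by the personal code in that note.

    Folders under different codes need separate runs of the command-line tool;
    folders under None hold a note with no usable code and need manual attention."""
    groups = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == NOTE_NAME:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    code = parse_personal_code(fh.read())
                groups.setdefault(code, []).append(dirpath)
    return groups


def build_sample_tree():
    """Constructed sample: two infections with different codes, plus a note without a code."""
    root = tempfile.mkdtemp()
    notes = {
        "docs": "Your files are encrypted. Personal code: -123456789.",
        "photos": "Your files are encrypted. Personal code: 987654321.",
        os.path.join("photos", "2006"): "Your files are encrypted. Personal code: 987654321.",
        "broken": "Your files are encrypted.",
    }
    for sub, text in notes.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "Read_Me.txt"), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    for code, folders in inventory_notes(build_sample_tree()).items():
        print("code", code, "->", folders)
```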

  15. Ryan Moore on Jul 23 21:02, 2007

    It took me several tries to get the inline version to work, but once I figured out how to set the user code correctly it worked like a charm. I could not be happier. I was able to unencrypt my financial system. My only problem is that I put a - in front of my code (it appeared required in the instructions) and incorrectly unencrypted a set of directories. Is there any way to fix that?

  16. Mike G. on Jul 24 6:23, 2007

    I must be too much of a newbie with this kind of stuff. Even though I get the help line using the cmd line, I still can't get the program to run. Does it need to be running in the same directory that the encrypted files are located in? Do I use a wild card after putting the directory name or do I decrypt a file at a time?

    If I use Unransom.exe how do I use it if I run it from my desktop to decrypt files. T

    The virus is gone but the decrypted files remain and that's what I'm trying to fix. Thanks for your help.

  17. Jacques Erasmus on Jul 26 10:35, 2007

    Do you have a backup of the files? If you unencrypt using the wrong code, it will be very hard to recover the files.

  18. stusialic on Dec 9 12:34, 2008

    In most cases a product's rating went down, expanding the range between highest and lowest rated. Unlike Kaspersky, Symantec provides Norton users with little explanation of its features or settings, either in the configuration settings or on its technical support section. Also we don't like Norton's dependency on Internet Explorer to explain Help items or services provided by Symantec (windows pop up in IE even when Firefox is your default browser), or that fee-based services have once again crept into the technical support section. Having improved a lot last year in Symantec's flagship antivirus product, it makes sense we'd see more modest enhancements for this year's Norton AntiVirus 2008. While Norton AntiVirus.
