Over this past weekend, Symantec received news of a new twist in the behavior of Trojan.Vundo. Instead of simply pushing misleading applications and other threats onto infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer. We currently detect this threat as Trojan.Xrupter. This Trojan searches the My Documents folders on your hard drive for files with the following extensions:
You may have noticed that the file types listed above are data file extensions. On many systems, the data belonging to the user is the most important and valuable content kept on the computer. These files could represent somebody's final draft of a thesis due for submission by a deadline, a presentation to be given in a few hours' time, a database of your customers, your entire music collection, or even pictures representing happy memories of past events with your family and friends. This Trojan specifically targets these files for encryption because its creators know these are the files you are most likely to want back if the computer were ever compromised.
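The post does not reproduce the cipher, so nothing here reproduces it. What an incident responder wants first is a way to tell which user files the Trojan actually touched, since every file it encrypted now starts with ciphertext instead of its normal header. The script below is an added example, not Symantec's fix tool and not code from the original post: it walks a folder tree, checks the leading bytes of each file against what its extension promises, and labels each file as intact, suspect-encrypted (header wrong and the content looks like ciphertext), or header-mismatch (header wrong but low entropy, as with a single-byte XOR or genuine corruption). The extension/magic table, the 7.0 bits-per-byte entropy threshold and the sample "My Documents" tree built in demo() are all assumptions constructed for the example.

```python
import math
import tempfile
from pathlib import Path

# Assumed extension -> leading magic bytes table. The post's own extension list is
# not reproduced here; these are common user-data formats with verifiable headers.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04",        # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",         # empty archives start with PK\x05\x06 instead
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document (.doc/.xls/.ppt)
    ".xls": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0",
}

HEAD_BYTES = 4096
ENTROPY_THRESHOLD = 7.0  # bits per byte; an assumed heuristic, not from the post


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Compare a file's header with what its extension promises."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return "unknown-type"
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    if head.startswith(magic):
        return "intact"
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "suspect-encrypted"   # wrong header and the bytes look like ciphertext
    return "header-mismatch"         # wrong header but low entropy: XOR-style or real corruption


def scan(root) -> dict:
    """Walk a user-data tree and classify every file whose extension is in MAGIC."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): classify(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in MAGIC
    }


def demo() -> dict:
    """Build a constructed sample 'My Documents' tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "photos").mkdir()
        # Intact PDF: correct header, ordinary content.
        (root / "thesis.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n" + b"draft text " * 200)
        # 'Encrypted' JPEG: header gone, uniformly distributed bytes (entropy exactly 8.0).
        (root / "photos" / "holiday.jpg").write_bytes(bytes(range(256)) * 16)
        # DOCX with the wrong header but plain-text bytes (entropy well under 7.0).
        (root / "notes.docx").write_bytes(b"lorem ipsum dolor sit amet " * 100)
        return scan(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:18} {name}")
```

Run scan() against the real My Documents tree rather than demo(); files reported as suspect-encrypted are the ones to hand to a recovery tool, while header-mismatch files deserve a manual look because a weak cipher such as a repeating XOR leaves the entropy of the plaintext largely unchanged.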
Once the files are encrypted, the Trojan starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message also appears saying that the file is corrupt. Both windows offer a repair option.
If the user clicks on repair, a browser window opens to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFix Professional is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be; it is, in fact, just another part of this whole scam: it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted.
The fortunate thing about this whole episode is that the makers of this scam have implemented a very weak encryption algorithm. Because of this, Symantec and various other security vendors, such as FireEye, have been able to decrypt the files affected by this Trojan. In fact, we are offering a tool that can be used to clean up this Trojan and recover the encrypted files. And before you ask, the answer is no: we will not be asking you to part with your hard-earned cash to use this tool. (That's probably the best offer I've seen for some time!) If you need this fix tool, you can download it here.