Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Archiveus.A is a Trojan that packs the user's documents and restores them only if a password is provided. The author would make the password available in exchange for a purchase in an online pharmacy. The files are in fact not encrypted, but only joined in a single file with a rather simple structure. The program is written in Visual Basic.

When the program is executed, it packs all files in the “My Documents” folder into a single file called “encryptedfiles.als”. A smaller archive called “demo.als” is also created. All the original files from the “My Documents” folder are deleted. A file called “INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt” is dropped in the same folder. It contains the following text:

 

This is the automated report generated by auto archiving software.

 

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

 

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

 

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

 

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted file, you should follow the instructions below.

 

This is your only way to get your files back and save your time.

------------------------------

How to get your information back.

 

1. Follow any link below

 

http://******************.****/?833F866fe62adAd883cc38bcd6b0Tdaa

http://******************.****/?82Fdf3abfb7Abc9385ed1c26afT6bb6e

http://*********************.****/?12aba12eF79ef8A4bf7f9bd49Tfc6690

 

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

 

2. Choose any product you like and buy it.

 

3. Send an email with your order id to our email address restoring@****-****.*** or restoringfiles@*****.***

 

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

------------------------------

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!

 

We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.

 

We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password:

 

kw9fjwfielaifuw1u3fw3brue2180w3hfse2

 

The encrypted information will be restored in several seconds. The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location from which the program was executed. The Trojan doesn't copy its executable to any fixed place in the system.

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2"; it only works for archives with a single file inside.
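
The dropped files and the .ALS handler key described above can be checked offline against a copied documents folder and a text registry export. This is an added example, not code from the original entry or its vendor; the function names, the sample export and the sample path in it are constructed for illustration.

```python
import re
from pathlib import Path

# File names from the description above. Matching is case-insensitive because
# the entry and the dropped note spell them with different casing.
ARTIFACT_NAMES = {
    "encryptedfiles.als",
    "demo.als",
    "instructions how to get your files back.txt",
}

# Handler key listed in the entry; its default value is the executable's path.
ALS_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command"

# Constructed sample of a regedit text export (not taken from a real host).
# Real exports are UTF-16 on disk; decode them before passing the text in.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command]
@="C:\\Temp\\constructed-sample.exe"
'''


def find_artifacts(documents_dir):
    """Return sorted paths of files whose names match the dropped artifacts.

    The tree is walked recursively so a whole profile directory from a
    mounted image can be passed instead of the exact documents folder.
    """
    root = Path(documents_dir)
    return sorted(
        str(p) for p in root.rglob("*")
        if p.is_file() and p.name.lower() in ARTIFACT_NAMES
    )


def als_handler_from_reg_export(reg_text):
    """Return the default value of the ALS open-command key, or None.

    Only plain string values (@="...") are handled; other value types
    in the export are ignored.
    """
    wanted = ALS_COMMAND_KEY.lower()
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].rstrip("\\").lower()
            continue
        if current_key != wanted:
            continue
        match = re.match(r'@="(.*)"$', line)
        if match:
            # .reg text escapes backslashes and double quotes with a backslash.
            return re.sub(r"\\(.)", r"\1", match.group(1))
    return None


def triage(documents_dir, reg_text):
    """Combine both checks into one result for a single host."""
    artifacts = find_artifacts(documents_dir)
    handler = als_handler_from_reg_export(reg_text)
    return {
        "artifacts": artifacts,
        # Because the Trojan runs from wherever it was started, this value
        # is the lead for locating the executable itself.
        "als_handler": handler,
        "indicators_present": bool(artifacts) or handler is not None,
    }


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as docs:
        # Constructed folder contents for the demonstration.
        for name in ("EncryptedFiles.als", "Demo.als", "report.doc"):
            Path(docs, name).write_bytes(b"constructed")
        print(triage(docs, SAMPLE_REG_EXPORT))
```
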

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location where the program was executed from. The Trojan doesn't copy its executable in any fixed place in the system.

 

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

 

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2", it only works for archives with a single file inside.

Win32/Archiveus.A is a Trojan that packs user's documents and only restores them if a password is provided. The author would make the password available in exchange for a purchase in an online pharmacy. The files are in fact not encrypted, but only joined in a single file with rather simple structure. The program is written in Visual Basic.

 

When the program is executed, it packs all files in "My Documents" folder into a single file called "encryptedfiles.als". A smaller archive called "demo.als" is also created. All the original files from the "My Documents" folder are deleted. A file called "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" is dropped in the same folder. It contains the following text:

 

This is the automated report generated by auto archiving software.

 

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

 

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

 

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

 

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted file, you should follow the instructions below.

 

This is your only way to get your files back and save your time.

------------------------------

How to get your information back.

 

1. Follow any link below

 

http://******************.****/?833F866fe62adAd883cc38bcd6b0Tdaa

http://******************.****/?82Fdf3abfb7Abc9385ed1c26afT6bb6e

http://*********************.****/?12aba12eF79ef8A4bf7f9bd49Tfc6690

 

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

 

2. Choose any product you like and buy it.

 

3. Send an email with your order id to our email address restoring@****-****.*** or restoringfiles@*****.***

 

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

------------------------------

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!

 

We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.

 

We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password:

 

kw9fjwfielaifuw1u3fw3brue2180w3hfse2

 

The encrypted information will be restored in several seconds. The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location where the program was executed from. The Trojan doesn't copy its executable in any fixed place in the system.

 

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

 

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2", it only works for archives with a single file inside.

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location where the program was executed from. The Trojan doesn't copy its executable in any fixed place in the system.

 

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

 

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2", it only works for archives with a single file inside.

Win32/Archiveus.A is a Trojan that packs user's documents and only restores them if a password is provided. The author would make the password available in exchange for a purchase in an online pharmacy. The files are in fact not encrypted, but only joined in a single file with rather simple structure. The program is written in Visual Basic.

 

When the program is executed, it packs all files in "My Documents" folder into a single file called "encryptedfiles.als". A smaller archive called "demo.als" is also created. All the original files from the "My Documents" folder are deleted. A file called "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" is dropped in the same folder. It contains the following text:

 

This is the automated report generated by auto archiving software.

 

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

 

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

 

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

 

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted file, you should follow the instructions below.

 

This is your only way to get your files back and save your time.

------------------------------

How to get your information back.

 

1. Follow any link below

 

http://******************.****/?833F866fe62adAd883cc38bcd6b0Tdaa

http://******************.****/?82Fdf3abfb7Abc9385ed1c26afT6bb6e

http://*********************.****/?12aba12eF79ef8A4bf7f9bd49Tfc6690

 

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

 

2. Choose any product you like and buy it.

 

3. Send an email with your order id to our email address restoring@****-****.*** or restoringfiles@*****.***

 

Win32/Archiveus.A is a Trojan that packs user's documents and only restores them if a password is provided. The author would make the password available in exchange for a purchase in an online pharmacy. The files are in fact not encrypted, but only joined in a single file with rather simple structure. The program is written in Visual Basic.

 

When the program is executed, it packs all files in "My Documents" folder into a single file called "encryptedfiles.als". A smaller archive called "demo.als" is also created. All the original files from the "My Documents" folder are deleted. A file called "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" is dropped in the same folder. It contains the following text:

 

This is the automated report generated by auto archiving software.

 

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

 

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

 

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

 

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted file, you should follow the instructions below.

 

This is your only way to get your files back and save your time.

------------------------------

How to get your information back.

 

1. Follow any link below

 

http://******************.****/?833F866fe62adAd883cc38bcd6b0Tdaa

http://******************.****/?82Fdf3abfb7Abc9385ed1c26afT6bb6e

http://*********************.****/?12aba12eF79ef8A4bf7f9bd49Tfc6690

 

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

 

2. Choose any product you like and buy it.

 

3. Send an email with your order id to our email address restoring@****-****.*** or restoringfiles@*****.***

 

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

------------------------------

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!

 

We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.

 

We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password:

 

kw9fjwfielaifuw1u3fw3brue2180w3hfse2

 

The encrypted information will be restored in several seconds. The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location where the program was executed from. The Trojan doesn't copy its executable in any fixed place in the system.

 

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

 

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2", it only works for archives with a single file inside.

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location where the program was executed from. The Trojan doesn't copy its executable in any fixed place in the system.

 

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

 

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2", it only works for archives with a single file inside.

Win32/Archiveus.A is a Trojan that packs user's documents and only restores them if a password is provided. The author would make the password available in exchange for a purchase in an online pharmacy. The files are in fact not encrypted, but only joined in a single file with rather simple structure. The program is written in Visual Basic.

 

When the program is executed, it packs all files in "My Documents" folder into a single file called "encryptedfiles.als". A smaller archive called "demo.als" is also created. All the original files from the "My Documents" folder are deleted. A file called "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" is dropped in the same folder. It contains the following text:

 

This is the automated report generated by auto archiving software.

 

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

 

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

 

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

 

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted file, you should follow the instructions below.

 

This is your only way to get your files back and save your time.

------------------------------

How to get your information back.

 

1. Follow any link below

 

http://******************.****/?833F866fe62adAd883cc38bcd6b0Tdaa

http://******************.****/?82Fdf3abfb7Abc9385ed1c26afT6bb6e

http://*********************.****/?12aba12eF79ef8A4bf7f9bd49Tfc6690

 

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

 

2. Choose any product you like and buy it.

 

3. Send an email with your order id to our email address restoring@****-****.*** or restoringfiles@*****.***

 

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

------------------------------

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!

 

We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.

 

We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password:

 

kw9fjwfielaifuw1u3fw3brue2180w3hfse2

 

The encrypted information will be restored in several seconds. The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.

default = path to Win32/Archiveus.A executable

Win32/Archiveus.A is a Trojan that packs user's documents and only restores them if a password is provided. The author would make the password available in exchange for a purchase in an online pharmacy. The files are in fact not encrypted, but only joined in a single file with rather simple structure. The program is written in Visual Basic.

 

When the program is executed, it packs all files in "My Documents" folder into a single file called "encryptedfiles.als". A smaller archive called "demo.als" is also created. All the original files from the "My Documents" folder are deleted. A file called "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" is dropped in the same folder. It contains the following text:

 

This is the automated report generated by auto archiving software.

 

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

 

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

 

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

 

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted file, you should follow the instructions below.

 

This is your only way to get your files back and save your time.

------------------------------

How to get your information back.

 

1. Follow any link below

 

http://******************.****/?833F866fe62adAd883cc38bcd6b0Tdaa

http://******************.****/?82Fdf3abfb7Abc9385ed1c26afT6bb6e

http://*********************.****/?12aba12eF79ef8A4bf7f9bd49Tfc6690

 

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

 

2. Choose any product you like and buy it.

 

3. Send an email with your order id to our email address restoring@****-****.*** or restoringfiles@*****.***

 

Win32/Archiveus.A is a Trojan that packs user's documents and only restores them if a password is provided. The author would make the password available in exchange for a purchase in an online pharmacy. The files are in fact not encrypted, but only joined in a single file with rather simple structure. The program is written in Visual Basic.

 

When the program is executed, it packs all files in "My Documents" folder into a single file called "encryptedfiles.als". A smaller archive called "demo.als" is also created. All the original files from the "My Documents" folder are deleted. A file called "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt" is dropped in the same folder. It contains the following text:

 

This is the automated report generated by auto archiving software.

 

Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password.

 

You can not guess the password for your archived files - password length is more than 30 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

 

Do not try to search for a program that encrypted your information - it simply does not exist in your hard disk anymore. Reporting to police about a case will not help you, they do not know the password. Reporting somewhere about our email account will not help you to restore files. Moreover, you and other people will lose contact with us, and consequently, all the encrypted information.

 

WE DO NOT ASK YOU FOR ANY MONEY! We only want to do business with you. You can even EARN extra money with us. If you really care about the documents and information in encrypted file, you should follow the instructions below.

 

This is your only way to get your files back and save your time.

------------------------------

How to get your information back.

 

1. Follow any link below

 

http://******************.****/?833F866fe62adAd883cc38bcd6b0Tdaa

http://******************.****/?82Fdf3abfb7Abc9385ed1c26afT6bb6e

http://*********************.****/?12aba12eF79ef8A4bf7f9bd49Tfc6690

 

and enter our online pharmacy. Our online pharmacy is the world leader in FDA approved medications.

 

2. Choose any product you like and buy it.

 

3. Send an email with your order id to our email address restoring@****-****.*** or restoringfiles@*****.***

 

The password will be sent to your email address as soon as we verify your order id (usually 3-4 hours or shorter) and you will get your information in encrypted file back. All the emails with invalid order ids will be ignored.

------------------------------

We do not ask you for any money! We guarantee that you will receive the product you buy! You can use it by yourself or even sell and earn extra money because all the products in our online pharmacy are discounted!

 

We guarantee that you will receive the password for encrypted file as soon as you buy any product in our online pharmacy.

 

We guarantee that you will be able to restore all the encrypted information and we can prove it. Doubleclick on the file Demo.als and enter the following password:

 

kw9fjwfielaifuw1u3fw3brue2180w3hfse2

 

The encrypted information will be restored in several seconds. The file EncryptedFiles.als is encrypted with another password which you will receive in the email from us.

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location where the program was executed from. The Trojan doesn't copy its executable in any fixed place in the system.

 

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

 

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2", it only works for archives with a single file inside.

default = path to Win32/Archiveus.A executable

 

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ALS\shell\open\command\

default = path to Win32/Archiveus.A executable

 

The registry values point to the original location where the program was executed from. The Trojan doesn't copy its executable in any fixed place in the system.

 

When an .ALS file is double-clicked, it is opened by Win32/Archiveus.A. A window pops up and the user may choose to unpack the .ALS archive. A password prompt appears. If the password is correct, the archive is unpacked. The original folder structure is ignored; all files end up in the "My Documents" folder.

 

The password that works for all archives is "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". The demo password is "kw9fjwfielaifuw1u3fw3brue2180w3hfse2", it only works for archives with a single file inside.

