MBAM Fails to detect !Decrypt ransomware Infection


Recommended Posts

On 7 Jan 2016 I received an email purporting to be from UPS re an undelivered parcel.

I foolishly opened AND agreed to execute the attachment.

Since then I have discovered that many files on my hard drive have been replaced with a smaller file with file type "nanrcnnn", and additional files named "!Decrypt-All-Files-nanrcnn.bmp" that display a message inviting me to send money so my rubbished files can be decrypted.

I have not responded to the invitation. I am attempting to clean and restore my laptop; however, I am concerned that the virus code may still be executable and may reactivate.

I am looking for some way of discovering the virus code and removing it from my machine.

Please see the attached text copy of the email, including all headers and the attachment, and also a sample of the notification image.

Edited by AdvancedSetup
Undesirable files removed.
Please do NOT post malware here.

Please read and follow the forum policies; they are here to protect people from malware. Careless action can get people infected.

MBAM detects it as "Trojan.Agent"

https://www.virustotal.com/en/file/97108fa4e1ae64eb5a8837b2dd3c1daf3bab276f5333e0b78dbd6e9a53d1aa2a/analysis/1455944905/

David

Thank you very much for your quick response.

.... Interesting, it seems the trojan is well known; did you in fact run the actual tests on the text data that I supplied?

If so, does this mean that the attachment to the email is dangerous but would need to be executed to cause damage?

I anticipated the policy, so I included the trojan as a text file appended to the email, which I assumed would be difficult to actually execute.

Is there somewhere that the actual spam code can be supplied so it can be researched?

By the way, I have run an MBAM Threat Scan on my laptop; it found a few PUPs but did not report any "trojan agent".... The email was still in my Spam email folder... is it surprising that the presence there should at least have been noted?

Of course I may already have (manually) removed the actual virus executable that I foolishly installed, but I am nervous as I go through the process of deleting thousands (about 80,000 so far) of files that have the suffix nanrcnn added to their original name.

Should I be comfortable that MBAM has indicated the machine is clear of the virus in active form?

You renamed a .TXT file that is MIME encoded and thus it was in the .EML format. By renaming it back to .TXT and then posting it, you thwarted the system attachment settings. The .TXT contained the attachments in a Base64 encoded format which represented a ZIP file that contained the malware. Since all members and guests are allowed to download attachments in this sub-forum, that was a bad move, so the Forum Administrator removed the attachments to protect the innocent from being infected.

Malware can only be submitted in the Research Center according to the guidelines that Malwarebytes provides. However, it is meant for undetected malware, and what you posted was already detected. And it was a trojan and not a virus.

Just as the Centers for Disease Control (CDC) dictates conventions and protocols in the handling of infectious agents, the anti-malware community also dictates conventions and protocols in the handling of computer malware.

I would relate that the way you posted the attachment was akin to leaving an Igloo Little Playmate¹ cooler containing a Petri dish of Anthrax in a public area.

--------

1. Igloo Little Playmate is a registered product of Igloo Products Corporation and my use of one such product is purely meant as an example and is not an endorsement of the company or their products.

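A defender's check for the disguise described in the reply above, added here as an example and not code from this thread or from Malwarebytes: it parses an .eml message, base64-decodes each attachment and compares the declared content type with the real file type taken from the magic bytes, flagging a "text" attachment that actually decodes to a ZIP (or a PE executable). The sample message, filenames and the short signature table are constructed for the demonstration.

```python
import base64
import email
from email import policy

# Constructed sample: a message whose "label.txt" attachment is really a ZIP
# (PK\x03\x04 magic) sent as base64, the disguise described in the reply above.
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"invoice.exe" + b"\x00" * 16
SAMPLE_EML = (
    "From: noreply@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Undelivered parcel\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n--XYZ\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "Your parcel could not be delivered. See attached.\r\n"
    "--XYZ\r\n"
    'Content-Type: text/plain; name="label.txt"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="label.txt"\r\n\r\n'
    + base64.b64encode(FAKE_ZIP).decode() + "\r\n"
    "--XYZ--\r\n"
)

# File signatures (magic bytes) checked regardless of declared MIME type or extension.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe-executable",
}

def sniff(data: bytes):
    """Return the real container type from the magic bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def suspicious_attachments(raw: str):
    """(filename, declared_type, real_type) for each attachment whose decoded
    bytes are an archive or executable hidden behind a non-binary type."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # undoes the base64 layer
        real = sniff(data)
        declared = part.get_content_type()
        if real and (real == "pe-executable" or not declared.startswith("application/")):
            findings.append((part.get_filename(), declared, real))
    return findings
```

Run `suspicious_attachments(SAMPLE_EML)` to see the constructed message flagged; on a real mailbox export, feeding each .eml in turn gives a quick triage list before anything is opened.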