MOLEHAND Solutions


Written by: MOLEHAND
2015. 04. 09. 14:42

Preventive steps:

As it turned out, these viruses also spread via USB flash drives, so disable AutoPlay/AutoRun on every machine!

How to prevent your computer from becoming infected by CryptoWall

You can use the Windows Group Policy Editor or Local Security Policy Editor to create Software Restriction Policies (SRP) that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from Microsoft:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

The file paths that have been used by this infection and its droppers are (placeholders: <username> is the profile name, <random> a randomly named file or folder):

C:\<random>\<random>.exe
C:\Users\<username>\AppData\Local\<random>.exe (Vista/7/8)
C:\Users\<username>\AppData\Local\<random>\<random>.exe (Vista/7/8)
C:\Documents and Settings\<username>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<username>\Local Application Data\<random>.exe (XP)
%Temp%

To block CryptoWall, create Path Rules for these locations so that executables in them are not allowed to run. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually using the Local Security Policy Editor or the Group Policy Editor.
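The following script is an added example, not code from the original post and not part of CryptoPrevent: it is the scriptable equivalent of the two preventive steps above (disabling AutoRun, then adding SRP path rules for the listed drop locations) written directly against the registry keys that Group Policy itself uses. Assumptions that are mine rather than the page's: PowerShell 5.1 or later, run elevated on Windows 7 or newer; the concrete rule set, descriptions, the allow-list step and the probe in Test-SaferBlock are this editor's choices, derived from the paths listed above.

```powershell
# Added example (not from the original post or from CryptoPrevent). Assumptions: PowerShell 5.1+,
# elevated, Windows 7+; the rule set below is the editor's own, derived from the drop paths above.
#Requires -RunAsAdministrator

# 1. Disable AutoPlay/AutoRun for all drive types (0xFF sets every drive-type bit) and make
#    Explorer ignore autorun.inf entirely.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorer -Force | Out-Null
Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
Set-ItemProperty -Path $explorer -Name NoAutorun          -Type DWord -Value 1

# 2. Software Restriction Policies live under HKLM\...\Safer\CodeIdentifiers.
#    DefaultLevel 0x40000 = Unrestricted (everything runs unless a rule says otherwise).
#    Rules sit under <level>\Paths\{GUID}; level 0 = Disallowed, 262144 (0x40000) = Unrestricted.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel        -Type DWord -Value 0x40000
Set-ItemProperty -Path $safer -Name TransparentEnabled  -Type DWord -Value 1      # check EXEs, not DLLs
Set-ItemProperty -Path $safer -Name PolicyScope         -Type DWord -Value 0      # all users, admins too
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Type DWord -Value 0

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Description,
        [ValidateSet('Disallowed', 'Unrestricted')][string]$Level = 'Disallowed'
    )
    $levelKey = if ($Level -eq 'Disallowed') { '0' } else { '262144' }
    $ruleKey  = "$safer\$levelKey\Paths\$([guid]::NewGuid().ToString('B').ToUpper())"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $Path
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc())
}

# Hand-built policies get none of the "system locations are trusted" rules the GUI creates,
# so add them first. When several path rules match, the more specific one wins, so a full-path
# Unrestricted rule overrides a wildcard Disallowed rule.
Add-SaferPathRule -Level Unrestricted -Path '%SystemRoot%'   -Description 'Default: Windows'
Add-SaferPathRule -Level Unrestricted -Path '%ProgramFiles%' -Description 'Default: Program Files'
if ($env:ProgramW6432) {
    Add-SaferPathRule -Level Unrestricted -Path '%ProgramFiles(x86)%' -Description 'Default: Program Files (x86)'
}

# Block rules for the drop locations listed above. SRP's * matches a single path component,
# so <dir>\*.exe and <dir>\*\*.exe are separate rules; %AppData%, %LocalAppData% and %Temp%
# are expanded for the user who launches the program. The C:\<random>\<random>.exe location is
# deliberately NOT turned into a rule: C:\*\*.exe would also match C:\Windows\*.exe.
$blockRules = @(
    @{ Path = '%AppData%\*.exe';        Description = 'Block: %AppData% root (Zbot/CryptoWall)' },
    @{ Path = '%LocalAppData%\*.exe';   Description = 'Block: %LocalAppData% root (CryptoWall)' },
    @{ Path = '%LocalAppData%\*\*.exe'; Description = 'Block: %LocalAppData% subfolder (CryptoWall)' },
    @{ Path = '%Temp%\*.exe';           Description = 'Block: %Temp% (also stops installers that unpack to Temp)' },
    @{ Path = '%Temp%\*\*.exe';         Description = 'Block: %Temp% subfolder (archive extraction)' }
)
foreach ($rule in $blockRules) { Add-SaferPathRule -Path $rule.Path -Description $rule.Description }

# 3. Allow-list EXEs already present in %AppData%/%LocalAppData% for the current user.
#    Review the printed list: anything a dropper has already placed there gets allow-listed too.
$existing = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Filter *.exe -File -Depth 1 -ErrorAction SilentlyContinue
foreach ($exe in $existing) {
    Write-Host "Allow-listing $($exe.FullName)"
    Add-SaferPathRule -Level Unrestricted -Path $exe.FullName -Description "Allow-list: existing $($exe.Name)"
}

# 4. Verify: copy a harmless binary into a blocked location and try to start it. Expected result:
#    Start-Process fails with "This program is blocked by group policy" and the Application log
#    gets event 866 from SoftwareRestrictionPolicies (path rule). Log off/on first if nothing happens.
function Test-SaferBlock {
    $probe = Join-Path $env:LOCALAPPDATA 'srp-probe.exe'
    Copy-Item -Path "$env:SystemRoot\System32\notepad.exe" -Destination $probe -Force
    try     { Start-Process -FilePath $probe -ErrorAction Stop; $blocked = $false }
    catch   { $blocked = $true }
    finally { Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue }
    $event = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
                          -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Blocked = $blocked; LastSrpEvent = $event.TimeCreated }
}
Test-SaferBlock
```

Two caveats before rolling this out: the %Temp% rules break legitimate installers that extract and run from Temp (run them elevated from another folder, or temporarily add an Unrestricted rule), and the allow-list step only covers the user running the script, so on shared machines enumerate C:\Users\*\AppData instead. Because the rules are in HKLM under the Policies hive, a domain GPO that also configures SRP will overwrite them.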

How to use the CryptoPrevent Tool:

FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed above to your computer. This makes it very easy for anyone using Windows XP SP2 and above to quickly add the Software Restriction Policies in order to prevent CryptoWall and Zbot from being executed in the first place. The tool is also able to set these policies in all versions of Windows, including the Home editions, which do not ship the Local Security Policy editor.

A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it makes sure the restrictions that are put in place do not affect legitimate applications that are already installed in those folders. To use this feature, check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button. Review the resulting whitelist: anything a dropper has already placed in those folders would be whitelisted along with the legitimate programs.

You can download CryptoPrevent from the following page:

http://www.foolishit.com/download/cryptoprevent/

For more information on how to use the tool, please see this page:

http://www.foolishit.com/vb6-projects/cryptoprevent/

After infection:

The encrypted files can be listed with this tool:
http://www.bleepingcomputer.com/download/listcwall/

The shadow copies (if the virus has not deleted them yet) can be conveniently browsed with this tool:
http://www.shadowexplorer.com/downloads.html

With luck, the machine was infected by a version whose code has already been reverse-engineered. In that case, uploading one of the many encrypted files to the site set up for this purpose lets them calculate the decryption key for us.
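As an added example that is not part of the original post and not ShadowExplorer's own code, the same shadow-copy data can be reached with built-in tools alone, which matters when you do not want to install anything on a compromised machine. Assumptions that are mine: elevated PowerShell 5.1 or later on Windows 7 or newer, and C:\ShadowCopy as the link location.

```powershell
# Added example (not from the original post): enumerate Volume Shadow Copies and expose one as a
# folder so pre-infection file versions can be copied out. Assumptions: elevated PowerShell 5.1+,
# Windows 7+; the mount point name is the editor's choice.
#Requires -RunAsAdministrator

function Get-ShadowCopies {
    # Equivalent of "vssadmin list shadows", oldest first.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)]$ShadowCopy,
        [string]$MountPoint = 'C:\ShadowCopy'
    )
    # A shadow copy is only reachable through its device object. mklink accepts the
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ form; the trailing backslash is required.
    $target = $ShadowCopy.DeviceObject + '\'
    cmd.exe /c mklink /d "$MountPoint" "$target" | Out-Null
    if (-not (Test-Path -Path $MountPoint)) { throw "Could not link $MountPoint to $target" }
    $MountPoint
}

$copies = @(Get-ShadowCopies)
if ($copies.Count -eq 0) {
    # The malware deletes shadow copies when it can; an empty list is the expected outcome where
    # that succeeded, and there is nothing left to browse here.
    Write-Warning 'No shadow copies present on this volume.'
    return
}
$copies | Format-Table -AutoSize

# The newest copy may already contain encrypted files; start with the one created just before
# the infection (here: the oldest) and compare timestamps against when the ransom note appeared.
$mount = Mount-ShadowCopy -ShadowCopy $copies[0]
Get-ChildItem -Path "$mount\Users\*\Documents" -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object -First 10 FullName, LastWriteTime, Length

# Copy out what you need with Copy-Item, then remove the link only (not the shadow copy):
#   cmd.exe /c rmdir "C:\ShadowCopy"
```

Copy recovered files to a clean disk rather than back onto the infected volume until the machine has been rebuilt, and do not run any program from the mounted copy: executables in it are exactly as old as the data, and may include the dropper.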