Solution for Archiveus ransom virus

A virus that locks users out from the files in their My Documents folder has been cracked.

The Archiveus virus (or more accurately a Trojan ) merges all the files in the My Documents folder into one big password protected file. The original files are then deleted and a text document is created with instructions for recovering the files.

Rather than demand money to return the files the instructions demand that the user goes to an online pharmacy and make an order.

To return the files the user must double click on a file called Demo.als, which will prompt for a password. The password is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw

Alternatively the following password works if the EncryptedFiles.als is run instead. The password for this is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw .

The instructions for removal from the security company Sophos warn users not to delete the virus files before entering the password and recovering the files.
Despite claims by the virus that it has encrypted the files, they are merely joined together. For most users the effect is much the same though and the files are inaccessible.

Security site Lurhq claims that the password was actually present in the program file so it was not difficult to find even with "beginner-level reverse-engineering".

One of the email addresses used by the virus is a Yahoo address. We have contacted Yahoo to ask if it is looking into this matter.

Archiveus is not the first virus to try and extort money from users.

See also:

Barclays gives anti-virus software to customers

Anti-virus firm F-Secure to issue 1.6m software licences  26 May 2006

Fantasy football virus spreads using Excel files

Soccer virus hits the back of the net  08 May 2006

Virus emails drop to record low

But phishing attacks soar  04 May 2006

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!