A new method to monetize scareware

Scareware in the form of Rogue AntiVirus software, such as XpAntiVirus2009, has long been a way to monetize infected computers.  Previously, the Rogue AVs would present you with screens that listed malware you didn't have, and for a nominal fee, you could buy the full version and clean the "infections".

Over the past couple days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, etc) on your system, and "coincidentally", pushes a program called FileFix Pro 2009 which would decrypt them - for a fee.  Although we (Julia) broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom.  Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.

Vundo has fundamentally altered its criminal business

model from "Scareware" tactics to "Ransomware" extortion.  While a user may be "silly" to buy into scareware, they

have little choice but to purchase the decryption software once the

ransomware does its thing.

Julia wrote a Perl script to decrypt your files that is available here under a your gun, your foot GPL license.  She'll be writing up more of the technical details in the next day or two.  In the meantime, I've wrapped a web interface around the Perl script so you can retrieve your "corrupted" data.  It's available at . In the coming days we'll be releasing a tool you can download that will decrypt all the affected files on your system.


Vundo is a generic Trojan that is well known for pushing scareware popups for things like XpAntiVirus and WinFixer.  In this case it was pushing a popup that ended up being a Trojan which encrypted all the documents (rendering them unreadable) on your system.  We've also heard from Steve Grossman, an analyst at Northeastern University, who mentions that he's seen the malware distributed using a fake .mp3 file on LimeWire.  The variant most have seen creates a .dll file on the system called fpfstb.dll which does all the malicious actions.

Below you can see the webpage for the "fix", FileFixPro.com... which they clearly did not QA on FireFox 3 under Linux.


It looks professional enough, but interestingly is using server-side polymorphism (or perhaps a ton of binaries) to give me a different executable every time I download it.  I assume this is to aggravate AntiVirus detection, which appears to be working as the samples I fetched are currently 0/39 on VirusTotal.  Yikes.

Upon downloading you'll see screenshots like this (credit: filefixpro.com)




A whois on the IP of FileFixPro.com shows that it's hosted at ThePlanet, and you could have knocked me over with a feather when I found out its IP was registered to an organization out of the Ukraine.


The level of egregiousness of the folks at FileFixerPro has me completely floored.  I didn't think this day would be upon us so soon.

External link discussing the threat:

DevShed Forums

Also, a very special thanks to the folks at Bleeping Computer, as well as Andrew Kahn and Max Turkewitz from Northeastern, for providing us with infected files to help test our tool.

Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com