Network News

X My Profile
View More Activity

Antivirus2009 Holds Victim's Documents for Ransom

Security experts are warning that some new "scareware" programs, software that tries to frighten consumers into purchasing bogus security products, also encrypt the victim's digital documents until he or she agrees to pay a $50 ransom demand.

Newer versions of scareware family Antivirus2009 warn users in a fake Windows alert that files in the "My Documents" folder are corrupt. The program then directs the victim to download a program called "FileFixerPro" to fix the supposedly corrupt files.

In fact, this version of Antivirus2009 encrypts or scrambles contents of documents in that folder, so that only users who pay $50 for a FileFixerPro license can get the decryption key needed to regain access to the files in their My Documents folder.

A number of security forums have chronicled the rise of this nasty development in scareware evolution. This thread, over at the "devshed" Web development forum, includes cries for help from a number of people who have apparently had their documents scrambled by this threat.

There is good and bad news here. The good news is the nice folks over at, a very active computer-help forum, have posted detailed instructions on how to remove FileFixerPro. The bad news is that these instructions won't help get a victim's documents back.

But there is more good news: The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service where victims can upload documents to have them unscrambled. Alex Lanstein, senior security researcher at FireEye, said he hopes his team can soon release a tool users can download to help decrypt the entire My Documents folder.

This is the first time I've ever heard of scareware being bundled with so-called "ransomware," but to some extent, purveyors of these scareware programs have been holding host systems hostage for several years now, bombarding users with incessant and increasingly deceptive messages about non-existent threats on the user's system, prompts that only stop once the victim has relented and agreed to pay a license for the scareware program.

This is an alarming new feature for scareware, which is one of the fastest-growing families of online threats out there today. According to a report released today by the Anti-Phishing Working Group, an industry consortium aimed at tackling cyber crime, the number of new rogue security programs increased 225 percent from 2,850 in July to 9,287 in December.

Alas, there is even more bad news: The crooks behind this scam could begin incorporating more robust encryption.

"If they had used a strong encryption method, such as something based on openssl toolkit, there wouldn't be a prayer of decrypting the files without paying," Lanstein said.

By Brian Krebs  |  March 20, 2009; 6:35 AM ET
Categories:  Fraud , Latest Warnings , Safety Tips , Web Fraud 2.0  | Tags: antivirus2009, filefixerpro, fireeye, ransomware, scareware  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Newsflash: Local Man Launches Virus Epidemic
Next: FTC Takes on


"The folks over at FireEye have figured out how to decrypt documents scrambled by this thing, and have set up a free Web-based service where victims can upload documents to have them unscrambled."

Doesn't that violate the DMCA?

Posted by: wiredog | March 20, 2009 7:38 AM | Report abuse

The FileFixerPro people actually offer a trial version that decrypts individual files at a time, but you need to install their software first. FireEye merely duplicates that capability.

Posted by: BTKrebs | March 20, 2009 8:07 AM | Report abuse

this is obviously extortion. why isn't the FBI chasing these people?

Posted by: jamesrohr | March 20, 2009 9:25 AM | Report abuse

Who says that these scammers are based in the US? The FBI would not have juristiction then right? So, who would, the CIA?

Ya, like I trust them to go after these scammers - they'd probably want a cut of the take.

Seriously though, Interpol should be looking at these guys hard, as this is an international economic fraud consortium, and needs to be shut down now before every high school nerd wanting a new MacBook picks up on this scheme!

Why are these types of frauds so prevalent? Because they can get away with it.

Posted by: edwin1 | March 20, 2009 10:27 AM | Report abuse

Anitvirus2009 is clearly a virus and/or spyware. Do the anti-virus and anti-spyware products detect this and prevent it? They should.

Posted by: trr2 | March 20, 2009 10:30 AM | Report abuse

Just a heads up that a tool was created by Bobby, of, that will scan your computer and decrypt any files that are found. It using the decryption and identification routines discovered by Julia.

The guide at was updated to include the download link and instructions on how to use this tool.

Posted by: Grinler | March 21, 2009 4:21 PM | Report abuse

So how do they pay the ransom? Surely this is traceable? Why can't this account be blocked? Aren't there any money laundering laws that would require these institutions to register with the US? I live in the UK but used to work in the US and my UK bank made me jump through hoops regarding money laundering issues when I transferred cash home. Surely the same thing applies to this ransom cash? I read that there is an awful lot of international police cooperation to sting those foul paedophile rings, so why not cooperate to catch these b*st*rds?

Posted by: bwims | March 23, 2009 7:20 AM | Report abuse

Just spent a full day removing sality virus from machine- one of the most difficult and time consuming i've come across- will jump like a forest fire -infects any thing touching computer including USB thumb drives corrupts my docs -registry -restore- etc.--a true wake-up for the need to have up-to-date virus protection

Posted by: bigbill20176 | March 23, 2009 9:43 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company