<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">I know someone who got this on their Win2k3 SBS Server – got in via the RDP vulnerability using brute force before it was made known – they encrypted every single document, pdf, qbw, jpg etc., deleted all backups
 and demanded $2500 to send the “password” for the files, which wasn’t going to happen (reading up on reports, they never send the password anyway) – they ended up losing pretty much everything.  It’s a nasty nasty piece of work. They have since changed their RDP
 port from 3389 to something way up high, plus upgraded from Server 2k3.  There are a lot of “fake” variants of the ransomware floating about as well that come in via emails. ComboFix does a good job at those ones though.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#00629F;mso-fareast-language:EN-AU">Mike Manning</span></b><span style="font-size:13.5pt;font-family:"Arial","sans-serif";color:black;mso-fareast-language:EN-AU"><br>
</span><b><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray;mso-fareast-language:EN-AU">Senior Technician</span></b><span style="font-size:13.5pt;font-family:"Times New Roman","serif";color:black;mso-fareast-language:EN-AU"><br>
<br>
</span><b><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#00629F;mso-fareast-language:EN-AU">Matilda Internet</span></b><span style="font-size:13.5pt;font-family:"Times New Roman","serif";color:black;mso-fareast-language:EN-AU"><br>
</span><span style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:gray;mso-fareast-language:EN-AU">________________</span><span style="font-size:13.5pt;font-family:"Times New Roman","serif";color:black;mso-fareast-language:EN-AU"><br>
<br>
</span><span style="font-size:7.5pt;font-family:Wingdings;color:#A18C4C;mso-fareast-language:EN-AU">(</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#A18C4C;mso-fareast-language:EN-AU">Telephone +61 7 4953 0711</span><span style="font-size:13.5pt;font-family:"Arial","sans-serif";color:#A18C4C;mso-fareast-language:EN-AU"><br>
</span><span style="font-size:7.5pt;font-family:Wingdings;color:#A18C4C;mso-fareast-language:EN-AU">(</span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#A18C4C;mso-fareast-language:EN-AU">Fax +61 7 4953 0717<br>
29 Gregory Street, Mackay, QLD 4740, Australia<br>
</span><span style="font-size:7.5pt;font-family:Wingdings;color:#00629F;mso-fareast-language:EN-AU">*</span><span style="font-size:13.5pt;font-family:"Times New Roman","serif";color:black;mso-fareast-language:EN-AU"> </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#00629F;mso-fareast-language:EN-AU">Email</span><span style="font-size:13.5pt;font-family:"Times New Roman","serif";color:black;mso-fareast-language:EN-AU"> </span><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:#00629F;mso-fareast-language:EN-AU"><a href="mailto:mike@matilda.net.au"><span style="color:blue">mike@matilda.net.au<br>
</span></a>Website</span><span style="font-size:13.5pt;font-family:"Times New Roman","serif";color:black;mso-fareast-language:EN-AU"> <a href="http://www.matilda.net.au/"><span style="font-size:7.5pt;font-family:"Arial","sans-serif";color:blue">www.matilda.net.au<br>
</span></a><br>
<br>
</span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-AU">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";mso-fareast-language:EN-AU"> Daniel
 Pearson [mailto:dpearson@pingco.com.au] <br>
<b>Sent:</b> Wednesday, 23 October 2013 9:57 PM<br>
<b>To:</b> AusNOG@lists.ausnog.net<br>
<b>Subject:</b> [AusNOG] CryptoLocker Virus<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi All,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Not sure if anyone else has come across this nasty piece of work… Definitely worth everyone knowing about it. It has already caused havoc for a number of people I know. New versions look at network resources and delete *.bak, *.vbk etc., so
 even backups will become encrypted.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Anyway just thought I would make sure everyone is aware of it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">DP<o:p></o:p></p>
</div>
</body>
</html>