1

Today, while investigating the frequent freezes of my Windows 10 machine, I found some mysterious folders on each of my drives containing some files. The folders are hidden and read-only. Most of these files do not open, but some do open and contain text that is not understandable.

like in

C Drive contains

Folder name : Xstorage172

Contains Files

  • arrange-meaning.rtf - 89KB
  • gave-thick-found-shopping.pem - 50KB
  • independenceplasterbombers.docx - 272KB
  • jointhumblelendreplacement.mdb - 198KB
  • laboratory complement amongst manufacturer.sql - 19KB
  • mike-changes.txt - 39KB
  • one_pursue_degree_succeeded.jpg - 276KB
  • screw.chamber.quantity.divide.xlsx - 495KB
  • touch_guess_goal.doc
  • UOA1ao6zzjvk.xls - 400KB
  • UOA1ao6zzjvk.xls - 69KB


D Drive contains two folders

Vcaches191 and ysystem45

Vcaches191 folder contains Files

  • accordingly_person_nato_spectrum.xlsx
  • clubs.production.confirmed.therefore.doc
  • CSW.docx
  • detriment education deck focus.rtf
  • devil_numerous_higher.jpg
  • innovationyork.txt
  • interviews consequent sword bearing.xls
  • receive_relatively.mdb
  • resistance.dominated.processes.pem
  • rope visual voting.sql

and

ysystem45 folder contains files

  • 8EAo.xlsx
  • coefficient.language.race.pem
  • completelywindsadult.mdb
  • dense annoy species.docx
  • graduatecumbersome.xls
  • lift formerlyorder.txt
  • LKZlHp2Fyq1.rtf
  • swept-males-snakes.jpg
  • whereas furnish want.doc
  • xbP3GhRM.sql

See the pattern. Each folder has the same types of files but with different names. Is this some kind of virus or malware?

One more thing: the files' creation date is today, when I turned on the system.


Files' content links (because I have fewer than 10 rep, I am unable to link each file separately. I am pasting the link to my "pastebin" profile, where you can find the contents of the following files.)

  • C:\Xstorage172\gave-thick-found-shopping.pem
  • C:\Xstorage172\laboratory complement amongst manufacturer.sql
  • C:\Xstorage172\mike-changes.txt

Pastebin profile

Mutahhar
  • 2
    *Hello, and welcome to InfoSec Exchange*, part of the Stack Exchange family of sites. It certainly looks like several files with random English words put together with some arbitrary extension placed on the end. Could you possibly give some file sizes, and the contents of the files? – dark_st3alth Feb 04 '17 at 06:22
  • @dark_st3alth Most of the files give an error when opening, like `.xlsx`, `.docx`, `.jpg` etc. Only `.pem`, `.sql`, `.txt` can be opened, but they have very long text that cannot be put in the question due to the character limit. Let me put the content of those files somewhere else and link them here. – Mutahhar Feb 04 '17 at 06:37
  • Interestingly enough, they look like PGP blocks in the files. I haven't seen something like this before... – dark_st3alth Feb 04 '17 at 09:03
  • 1
    Looks similar to this http://security.stackexchange.com/questions/148511/can-you-recognize-this-virus/148514#148514 – iainpb Feb 04 '17 at 16:06
  • @iain Thanks for pointing me to the right direction. I have actually installed Cybereason RansomFree – Mutahhar Feb 04 '17 at 17:54
  • This question is better worded than the other one it leads to. Useful question title, filenames in text not in pictures... – lolesque Nov 16 '21 at 09:57

1 Answer

0

The names are generated, so it definitely looks like some kind of infestation.

But it looks like RansomFree, a program that creates fake known types of files and monitors these files, and whenever they change, it detects the originating process and pauses it.

Be aware that other malware may trick you and do something similar.

Overmind
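The decoy-file approach this answer describes, sketched as an added example that is not RansomFree's code or part of the original answer: it plants random-content files with common extensions and reports any that are later changed, removed or joined by unexpected files. The function names and folder layout are assumptions, and tracing a change back to a process and suspending it needs OS-level hooks that are not shown.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

# Extensions taken from the listings in the question; everything else is constructed.
DECOY_EXTS = [".docx", ".xlsx", ".jpg", ".sql", ".pem", ".txt"]

def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_decoys(folder: Path, size: int = 4096) -> dict[str, str]:
    """Create one random-content decoy per extension; return name -> SHA-256."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for ext in DECOY_EXTS:
        path = folder / (secrets.token_hex(6) + ext)  # hypothetical naming scheme
        path.write_bytes(secrets.token_bytes(size))
        baseline[path.name] = _digest(path)
    return baseline

def check_decoys(folder: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the folder with the baseline; any finding means a decoy was touched."""
    findings = []
    present = {p.name for p in folder.iterdir() if p.is_file()}
    for name, digest in sorted(baseline.items()):
        if name not in present:
            findings.append(("missing", name))       # deleted or renamed
        elif _digest(folder / name) != digest:
            findings.append(("modified", name))      # rewritten in place
    for name in sorted(present - set(baseline)):
        findings.append(("unexpected", name))        # renamed copy or dropped file
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "decoys"
        baseline = plant_decoys(folder)
        print(check_decoys(folder, baseline))        # untouched folder
        victim = folder / sorted(baseline)[0]
        victim.write_bytes(b"overwritten")           # simulate an in-place rewrite
        victim.rename(victim.with_suffix(".locked")) # simulate an extension change
        print(check_decoys(folder, baseline))
```

Polling hashes like this only tells you that a decoy changed after the fact; a real-time monitor would subscribe to file-system change notifications instead.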