Linux.Encoder.1

Added to Dr.Web virus database: 2015-11-05
Virus description was added: 2015-11-06

SHA1:
a5054babc853ec280f70a06cb090e05259ca1aa7 (x64, UPX)
98e057a4755e89fbfda043eaca1ab072674a3154 (x64, unpacked)
810806c3967e03f2fa2b9223d24ee0e3d42209d3 (x64, FreeBSD)
12df5d886d43236582b57d036f84f078c15a14b0 (x86, UPX)
5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616 (x86, unpacked)

Encryption ransomware for Linux written in C using the PolarSSL library.

Once launched with administrator privileges, the Trojan loads into the memory of its process the files containing the cybercriminals' demands: ./readme.crypto (text file with demands) and ./index.crypto (HTML file with demands). As an argument, the Trojan receives the path to the file containing a public RSA key. Once the files are read, the malicious program starts as a daemon and deletes its original files.

First, the Trojan encrypts files in the following directories:
/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log

After that, Linux.Encoder.1 encrypts all files in home directories. Then the Trojan recursively traverses the whole file system, first starting with the directory from which it is launched and next starting with the root directory (“/”). At that, the Trojan encrypts only files from directories whose names start with one of the following strings:
public_html
www
webapp
backup
.git
.svn

At that, the Trojan encrypts only files with the following extensions:
".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk", ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv"

The Trojan does not encrypt files in the following directories:
/
/root/.ssh
/usr/bin
/bin
/etc/ssh

To encrypt each file, the Trojan generates an AES key.
After files are encrypted using AES-CBC-128, they are appended with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a README_FOR_DECRYPT.txt file with a ransom demand.

If decryption is initiated, Linux.Encoder.1 will use a private RSA key to retrieve the AES keys from the encrypted files, traverse directories in the same order as when they were encrypted, and delete the README_FOR_DECRYPT.txt files while trying to decrypt all files with the .encrypted extension.

Doctor Web security researchers have developed a decryption technique that may help restore files encrypted by this malicious program.
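The description above gives an administrator everything needed for a quick host triage: the ransom-note filename, the .encrypted suffix, the directory-name prefixes and the extension list the Trojan selects on, and the directories it skips. The script below is an added example (not Dr.Web's code and not something posted in this thread) that walks a tree and reports ransom notes, files already renamed with .encrypted, and still-intact files that match the Trojan's selection rules, which helps judge how far an infection progressed. Two assumptions are mine: the prefix rule is applied to every directory component on a file's path (the description does not say whether only the immediate parent counts), and the skip list is matched against paths relative to the scan root, so it lines up with the absolute names when the root is "/". The sample directory tree is constructed for the dry run and is not real infection data.

```python
"""Triage scanner for the Linux.Encoder.1 behaviour described in the Dr.Web text.

Added example; not part of the Dr.Web description or the forum thread.
"""
import os
import tempfile

# Indicators and selection rules taken from the description above
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
ENCRYPTED_SUFFIX = ".encrypted"
TARGET_DIR_PREFIXES = ("public_html", "www", "webapp", "backup", ".git", ".svn")
TARGET_EXTENSIONS = {
    ".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz",
    ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc",
    ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi",
    ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk",
    ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv",
}
# Directories the description says are never encrypted. Assumption: compared
# against the path relative to the scan root, so they match the absolute names
# from the description when triage() is run with root="/".
SKIPPED_DIRS = ("root/.ssh", "usr/bin", "bin", "etc/ssh")


def is_skipped(rel_dir):
    """True if rel_dir is one of the skipped directories or lies inside one."""
    return any(rel_dir == d or rel_dir.startswith(d + "/") for d in SKIPPED_DIRS)


def in_targeted_dir(rel_dir):
    """True if any directory component on the path starts with a targeted prefix.

    Assumption: the description says "directories whose names start with",
    without stating whether only the immediate parent counts, so every
    component is checked here.
    """
    return any(part.startswith(TARGET_DIR_PREFIXES) for part in rel_dir.split("/") if part)


def triage(root):
    """Walk root and classify files; paths in the result are relative to root."""
    findings = {"ransom_notes": [], "encrypted_files": [], "at_risk_files": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        if is_skipped(rel_dir):
            dirnames[:] = []  # the Trojan does not enter these, so neither do we
            continue
        for name in sorted(filenames):
            rel_file = os.path.join(rel_dir, name) if rel_dir else name
            ext = os.path.splitext(name)[1].lower()
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(rel_file)
            elif name.endswith(ENCRYPTED_SUFFIX):
                findings["encrypted_files"].append(rel_file)
            elif in_targeted_dir(rel_dir) and ext in TARGET_EXTENSIONS:
                # matches the Trojan's selection rules but is not renamed yet
                findings["at_risk_files"].append(rel_file)
    return findings


def build_sample_tree(base):
    """Constructed sample tree for a dry run; contents are placeholders only."""
    files = {
        "public_html/index.php": "placeholder, intact and matching the rules",
        "public_html/style.css.encrypted": "placeholder for an encrypted file",
        "public_html/" + RANSOM_NOTE: "placeholder ransom note",
        "www/notes.md": "targeted directory, extension not on the list",
        "docs/report.pdf": "targeted extension, directory not on the list",
        "bin/backup/dump.sql": "inside a skipped directory",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return files


def run_demo():
    """Build the sample tree in a temp directory and triage it."""
    base = tempfile.mkdtemp(prefix="encoder_triage_")
    build_sample_tree(base)
    return triage(base)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

On a suspect host, `triage("/")` run as root gives the same three lists for the whole system; a non-empty `ransom_notes` or `encrypted_files` list is the immediate indicator, and the `at_risk_files` list shows what the Trojan would have reached but had not yet renamed.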
Hello,

Please report these SHA-1 values to Comodo experts without the quote.

5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616
98e057a4755e89fbfda043eaca1ab072674a3154

Other samples are detected by Comodo database. Just SHA-1 values are enough. They can harvest them from VT, here.

https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2015-no-live-malware-t108999.0.html;msg823175#new

Thanks
If you're not infected, then you should post it in General Security.
Thanks, I edited my post. They're asking me for a sample, I don't have any, is that okay?
Thanks, you've been very helpful