Early in the morning I turned on my office PC and was dumbfounded. Apart from the C drive, all the folders and files on every other disk were gone; each disk held only a “disk encryption” item and a “technical support” text document (Figure 1). But I had never used this “disk encryption” software, nor handed the computer over to other people to use, so what was going on? Double-clicking “disk encryption Wang” on the F drive popped up a “move to decrypt” dialog box prompting for a password to complete the decryption. Opening the “technical support” text file on the disk, I found a QQ number left in the document; on contacting it, I was informed that decryption would require a payment of RMB three hundred yuan. Only a few days earlier this computer had been installed with a genuine copy of Windows XP SP2 and the Rising 2006 antivirus software, and it was using the firewall that comes with Windows XP. I did not expect that it would be quietly invaded by hackers yesterday while on the Internet.
For this case, I first looked at the space used on the encrypted disks and found that it had not decreased compared with before. I confirmed that the disk data was not lost but had been encrypted with software by someone with ulterior motives. I started Rising 2006 antivirus, and no virus was found. When Rising 2006 scanned the D and E drives, it did scan the folders and files I had saved on those disks, except that they were now stored in a folder called “Thumbs.dn”. But opening the corresponding disk from “My Computer” gave no way to view or enter this folder, and therefore no way to get at what was stored on the disk.
I had previously used WinRAR to view folders and files hidden on a disk. Could WinRAR find the hidden “Thumbs.dn” folder? I opened WinRAR and used “Change drive” in the “File” menu to switch to the F drive. In the WinRAR main window, all hidden objects on the F drive, including “Thumbs.dn”, were displayed (Figure 2).
From the relevant information I found, I learned that the “disk encryption” is actually the work of “high strength folder encryption master”, a disk encryption program. It is not affected by the system: without the password, the data remains encrypted even after a system reinstallation or a Ghost restore. So without the password it is generally not easy to crack.
After analysis, I found that the way “high strength folder encryption master” encrypts folders and files is, in essence, to encrypt the folder and file names; the content of the folders and files themselves is unchanged.
For folder encryption, the software renames all the folders under the encrypted path: the original folder names are replaced, in order, with the numbers “1 to m” (for m folders), and the code “. in” is appended after each folder's numeric name. This code is the code of the system's printer folder; therefore, to decrypt a folder this code must be removed, otherwise what you get is the printer icon (Figure 3).
For file encryption, the software likewise renames the files in numeric sequence: the main part of every file name is renamed to “1 to n” (for n files), and the extension is changed to “.mem”.
In the “Thumbs.dn” folder there are two files worth our attention, namely “117789687” and “117789687list.mem”; these two files store the password-related information. Of the two, “117789687list.mem” stores the name data of the encrypted folders and files and the information on how those names correspond. However, the software developers have processed the data in these two files with an algorithm, and without the password table provided by the software developers we are unable to obtain the password information. In addition, in “%systemroot%\system32\” there is a file “danine.dll”, which records which disks and folders the software has currently encrypted; it can be opened directly with Notepad.
Open WinRAR and click “File → Change drive → F” to switch to the disk that needs decrypting. In the WinRAR main window, double-click “Thumbs.dn” to open the folder. In this folder we find all the folders that were saved on the F drive. For each folder name, delete the “.” code after the number. Then select all the folders, click the “Add” button on the toolbar, and compress these folders into a single archive stored on the E drive. Finally, extract this archive to get all the folders that were stored on the F drive and the files saved in those folders.
To decrypt the files stored in the disk's root directory, we first have to determine whether the file is a RAR-type file; there are two cases.
If it is a RAR-type file, we can simply select it, click “Extract To” on the toolbar, and choose the path to extract to; the file is decompressed directly, which achieves the decryption.
If it is not a RAR-type file, decryption is more cumbersome. First, recall the original file type from the length of the file. If you really cannot recall it, you can try “folder Sniffer”: have it sniff all the “.mem” files in the root directory, then click the file type test tool on the toolbar to get the type of each file. Then, in WinRAR, replace the file's “.mem” extension with the extension of the original file type. Finally, use the “Add” button on the toolbar to store the file in an archive at a suitable location, and unpack it to obtain the original file.
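
The file type test above works because the content of a “.mem” file is unchanged, so its leading bytes still identify the format. A sketch of that check as an added example (not code from this article or from either tool); the signature table, function names and sample files are assumptions constructed here, and it only proposes new names for files in a copied-out folder.

```python
import os
import tempfile

# Well-known leading-byte signatures; the choice of formats is an assumption.
SIGNATURES = [
    (b"Rar!\x1a\x07", ".rar"),
    (b"PK\x03\x04", ".zip"),                        # also .docx/.xlsx containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),  # OLE2: .doc/.xls/.ppt
    (b"%PDF-", ".pdf"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"), (b"GIF89a", ".gif"),
]

def sniff_extension(header):
    """Return a likely extension for the given leading bytes, or None."""
    return next((ext for magic, ext in SIGNATURES if header.startswith(magic)), None)

def plan_renames(folder):
    """Map each recognised '<n>.mem' file in folder to a proposed new name."""
    plan = {}
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".mem" or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            guess = sniff_extension(fh.read(16))
        if guess:  # unrecognised content (e.g. the index file) keeps its name
            plan[name] = stem + guess
    return plan

# Constructed sample data standing in for files copied out of the hidden folder.
SAMPLE = {
    "1.mem": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "2.mem": b"Rar!\x1a\x07\x00" + b"\x00" * 8,
    "3.mem": b"%PDF-1.4\n",
    "117789687list.mem": b"\x13\x37 opaque index data",
}

def build_sample(folder):
    for name, data in SAMPLE.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(plan_renames(tmp))
```

Files whose content matches no signature are left out of the plan, so their type still has to be recalled by hand as described above.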