All Discussions > Steam Forums > Off Topic > Topic Details
lleftyy Apr 19, 2017 @ 1:53pm
Strange file with untranslatable text appeared in my roaming folder (edit: it's malware)
Earlier this afternoon, a Windows Defender notice popped up on my computer saying something along the lines of "We've found a file on your computer we would like to analyze to improve our virus and malware detection." Obviously I didn't want to immediately click okay and send a report to MS about it without first knowing what the file was, so I checked it out.

The file in question was titled "Tepehodila," and was a hidden file in my Roaming folder. I opened it up in Notepad++, and the file has this header at the top:

This program is distributed in the hope that it will be useful, ' but WITHOUT ANY WARRANTY; without even the implied warranty of ' MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ' ' --------------------------------------------------

Unfortunately, that's the only readable text in the entire file. The rest is total gibberish, such as this:

Cemofo ranub homit 1906 sedetare pakogeni soba logetoca goru bagatohe cugihoni kepef macotap moga cuf gosesam.

The whole thing is 180 lines long, and all of it is text like the line above except for 7 lines of code which I don't have the expertise to understand.

Frankly, I'm baffled at what this might be because I haven't been able to find any repeating words or anything that translates to English in Google Translate. I don't think it's total random gibberish though, because as you can see above there's a year randomly in the middle of the text, as well as a few other longer 5-digit numbers.

If someone is interested in investigating this or could give me directions on where to go to get answers, then I'll put the whole file on pastebin or something. As it stands, I'm not going to paste the whole thing here, in case it's something dangerous.

edit: According to Malwarebytes it is malware, and I've quarantined it, but I'm still curious what its function is since there's no info about it on the internet.
Last edited by lleftyy; Apr 19, 2017 @ 2:31pm
that looks like its maybe romanian or a slavic language.

moga cuf gosesam = "I can bloom/blossom" in Bulgarian

It's weird, like semi-gibberish.
Pakogeni - packaged?
logetoca - logic, computer
sedetare - romanian, latin based lang?
tepehod - tepe - warm? hod - to move? (steam?)
Last edited by HypersleepyNaputunia; Apr 19, 2017 @ 2:14pm
remedy Apr 19, 2017 @ 1:59pm 
maybe it's timor leste
lleftyy Apr 19, 2017 @ 2:02pm 
Also, the 7 lines of code in the file have some really long hex strings.
lleftyy Apr 19, 2017 @ 2:06pm 
Just ran a Malwarebytes scan, and "Tepehodila" came up as malware. I'm going to quarantine it, but I'm still curious what the text means, so if anyone has a definite answer that'd be cool.
SpicyPepperoni Apr 19, 2017 @ 2:07pm 
Save it and send it to me.
The Artificer Apr 19, 2017 @ 2:07pm 
Honestly, just get rid of that.
99.9% sure it's a virus.
lleftyy Apr 19, 2017 @ 2:10pm 
Originally posted by Jayfeather:
Honestly, just get rid of that.
99.9% sure it's a virus.
It is a virus, yeah. I quarantined it already, but I was curious what exactly its function is because I can't find any information about it on the internet.
The Artificer Apr 19, 2017 @ 2:10pm 
Originally posted by Llefty:
It is a virus, yeah. I quarantined it already, but I was curious what exactly its function is because I can't find any information about it on the internet.
Most likely to ruin your day.
And it's probably new. Or you're just REALLY unlucky and it's rare.
lleftyy Apr 19, 2017 @ 2:16pm 
Originally posted by Jayfeather:
Most likely to ruin your day.
And it's probably new. Or you're just REALLY unlucky and it's rare.
Yeah, I thought this might be the case. The fact that the Windows Defender notification popped up asking me to let Microsoft analyze the file makes me think it's a really new virus that hasn't been identified much before (although it obviously isn't totally new since Malwarebytes recognizes it).
lleftyy Apr 19, 2017 @ 2:23pm 
Here's a paste of the whole file for anyone who's curious:


https://pastebin.com/UhtpGpmT

I'm not certain if my posting this is allowed or not, so apologies if I'm breaking a rule by putting that up here.
Last edited by lleftyy; Apr 19, 2017 @ 2:24pm
Γαῖα Apr 19, 2017 @ 2:46pm 
Whats its file type ?
lleftyy Apr 19, 2017 @ 2:56pm 
Originally posted by Γαῖα:
Whats its file type ?

It doesn't have one, it's just referred to as "File".
Azza ☠ Apr 19, 2017 @ 3:15pm 
The top part is just meaningless random comment filler; this is used to pad out the size of the virus and try to hide it better.

The escaped code is the real stuff, for example:

%46%75%6E%63%74%69%6F%6E%20%57%72%69%74%65%52%65%67%28%52%65%67%50%61%74%68%2C%20%56%61%6C%75%65%2C%20%52%65%67%54%79%70%65%29%3A%4F%6E%20%45%72%

Means...

Function WriteReg(RegPath, Value, RegType):On Er%

It's a function for writing into your Windows registry and adding itself to your Windows startup.

It creates: %53%63%72%69%70%74%43%6F%6E%74%72%6F%6C

Which is "ScriptControl"

Using: %56%42%53%63%72%69%70%74

Which is "VBScript" (Visual Basic programming language)

Then creates a folder: C:\Users\User\AppData\Roaming\500D7A~1\synhelpe%

With a file: Rifalegab.Exec

and executes WScript.Shell (a run command on it)

Then there's more random comment filler at the end.
Last edited by Azza ☠; Apr 19, 2017 @ 3:17pm
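The decoding Azza did by hand above (find the %XX escape runs, decode them, ignore the word-salad padding, then pull out the registry, COM-object and path strings) is easy to script. The block below is an added example written for this page, not code from the thread or from the malware. It builds its own constructed sample file in the same layout the original post describes; the Run key, the `%APPDATA%` payload path and the `Execute Unescape(...)` wrapper are assumptions for illustration, and the filler words are just the ones quoted in the thread. It decodes fragments and reports indicators; it never runs anything.

```python
"""Triage helper for a padded, percent-encoded script dropper of the kind
described above. Added example: it decodes escape runs and pulls out
indicators for a report, it is not the dropper itself."""
import re
from urllib.parse import unquote

# A run of at least eight %XX escapes. Long enough to skip a stray "100%"
# in ordinary text, short enough to catch every encoded fragment.
ESCAPED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")

# Indicators worth pulling out of the decoded VBScript for a triage report.
IOC_PATTERNS = {
    "functions": re.compile(r"\bFunction\s+(\w+)\s*\(", re.I),
    "com_objects": re.compile(r'CreateObject\("([^"]+)"\)', re.I),
    "script_engines": re.compile(r'\.Language\s*=\s*"([^"]+)"', re.I),
    "registry_keys": re.compile(r'"(HK(?:LM|CU|EY_[A-Z_]+)\\[^"]+)"', re.I),
    "paths": re.compile(r'"([A-Za-z]:\\[^"]+|%APPDATA%\\[^"]+)"', re.I),
}


def percent_encode(text: str) -> str:
    """Encode every byte as %XX, the form shown in the thread.
    Used only to build the constructed sample below."""
    return "".join(f"%{b:02X}" for b in text.encode("ascii"))


def decode_runs(blob: str) -> list[str]:
    """Return every percent-encoded run in the file, decoded to text.
    Word-salad filler lines contain no long escape run and are skipped."""
    return [unquote(m.group(0)) for m in ESCAPED_RUN.finditer(blob)]


def extract_iocs(decoded: list[str]) -> dict[str, list[str]]:
    """Collect indicators from the decoded fragments, in order, deduplicated."""
    script = "\n".join(decoded)
    report: dict[str, list[str]] = {}
    for name, pattern in IOC_PATTERNS.items():
        seen: list[str] = []
        for hit in pattern.findall(script):
            if hit not in seen:
                seen.append(hit)
        report[name] = seen
    return report


def filler_ratio(blob: str) -> float:
    """Fraction of non-empty lines carrying no escape run. Mostly padding
    with a handful of encoded lines is exactly the pattern described above."""
    lines = [ln for ln in blob.splitlines() if ln.strip()]
    padding = sum(1 for ln in lines if not ESCAPED_RUN.search(ln))
    return padding / len(lines) if lines else 0.0


# Constructed plaintext fragments modelled on what was decoded in the thread.
# The Run key and the payload path are assumptions for illustration only.
FRAGMENTS = [
    "Function WriteReg(RegPath, Value, RegType):On Error Resume Next",
    'Set sc = CreateObject("ScriptControl"):sc.Language = "VBScript"',
    'Set sh = CreateObject("WScript.Shell")',
    'WriteReg "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\synhelper", '
    '"%APPDATA%\\500D7A~1\\synhelper.exe", "REG_SZ"',
]

# Constructed sample file: a licence-style comment, filler lines, the
# encoded fragments wrapped in Unescape(), then more filler.
SAMPLE_FILE = "\n".join(
    [
        "' This program is distributed in the hope that it will be useful,",
        "' but WITHOUT ANY WARRANTY; without even the implied warranty of",
        "Cemofo ranub homit 1906 sedetare pakogeni soba logetoca goru bagatohe",
        "Moga cuf gosesam kepef macotap 48213 cugihoni tepehodila",
    ]
    + [f'Execute Unescape("{percent_encode(f)}")' for f in FRAGMENTS]
    + [
        "Rifalegab soba goru 1906 bagatohe cugihoni kepef",
        "Pakogeni logetoca moga cuf gosesam sedetare",
    ]
)

if __name__ == "__main__":
    fragments = decode_runs(SAMPLE_FILE)
    print(f"filler ratio: {filler_ratio(SAMPLE_FILE):.0%}")
    for line in fragments:
        print("decoded:", line)
    for kind, hits in extract_iocs(fragments).items():
        print(f"{kind}: {hits}")
```

To use it on a real sample, read the quarantined file as text and pass it to `decode_runs` and `filler_ratio` instead of `SAMPLE_FILE`; do this on an isolated analysis box, not the infected machine. Droppers sometimes nest encodings (an escape run that decodes to another escape run) or use `Chr()` arithmetic instead of `%XX`, so treat an empty report as "this decoder does not match", not as "clean".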
lleftyy Apr 19, 2017 @ 3:27pm 
Originally posted by Azza ☠:
The top part is just meaningless random comment filler, this is used to buff out the size of the virus and try hide it more.

The escaped code is the real stuff, for example:

%46%75%6E%63%74%69%6F%6E%20%57%72%69%74%65%52%65%67%28%52%65%67%50%61%74%68%2C%20%56%61%6C%75%65%2C%20%52%65%67%54%79%70%65%29%3A%4F%6E%20%45%72%

Means...

Function WriteReg(RegPath, Value, RegType):On Er%

It's a function for writing into your Windows registry and adding itself to your Windows startup.

It creates: %53%63%72%69%70%74%43%6F%6E%74%72%6F%6C

Which is "ScriptControl"

Using: %56%42%53%63%72%69%70%74

Which is "VBScript" (Visual Basic programming language)

Then creates a folder: C:\Users\User\AppData\Roaming\500D7A~1\synhelpe%

With a file: Rifalegab.Exec

and executes WScript.Shell (a run command on it)

Then there's more random comment filler at the end.

Thanks for telling me about that folder, I just checked it out and found something called synhelper.exe. Checked it out online, and it turns out it's associated with some kind of ransomware?

Thank god I removed it before anything happened, ransomware sucks big time.
Azza ☠ Apr 19, 2017 @ 3:45pm 
Originally posted by Llefty:

Thanks for telling me about that folder, I just checked it out and found something called synhelper.exe. Checked it out online, and it turns out it's associated with some kind of ransomware?

Thank god I removed it before anything happened, ransomware sucks big time.

You are correct.

"syntphelper.exe" is a SynTPHelper Application belonging to Synaptics Pointing Device Driver from Synaptics, Inc.

"synhelper.exe" is a faked malware posing as that, one which is commonly known as "Cerber Ransomware". This slowly encrypts your entire hard drive files over time and demands payment to get them decrypted. It uses AES-256 and RSA encryption methods, making it impossible to decrypt at this time without the key from them.

Check your document files (.DOC, etc.) and ensure none have double extensions. If you notice this, consider running a Windows system restore if available to roll back.

Suggest you check your entire system with Spybot or similar anti-malware:
https://www.safer-networking.org/mirrors24/
Date Posted: Apr 19, 2017 @ 1:53pm
Posts: 18