Nastiest Malware I have ever seen


Phoenix64d
03-24-09, 11:30 PM
A friend had a virus on his computer, and removed it. Now it seems that all of his Word documents are gibberish. The files are gibberish on other computers, so we're not talking corrupted fonts. It is just Word documents. Also, new files are non-gibberish. It sounds like some sort of ugly malware has encrypted his stuff, but there is no lingering trace of it on the machine. Repairing the files via Word and 3rd party utilities returns yet more gibberish. I have read something like this here:

http://www.msofficeforums.com/word/1034-fileerror_22001-new-virus.html

Seems ever since last year, new viruses have been using encryption as a means of f**king up ppl's lives. That's just what it sounds like. He lost some --really-- important stuff. Everyone he's talked to has been stumped, me included. Any ideas???

Ace
04-13-09, 12:04 PM
Everyone he's talked to has been stumped, me included. Any ideas???
Yes; both preventative.
1) Take backups!!
2) Use a real operating system (Linux)

Is it the same as described in that thread, in that encrypted versions of the files reside in two directories under Docs & Settings? If it's the same, then someone's released a decryption utility for them already (listed in that thread).

If not, and if you can't find reference to the exact same infection you're describing, it will be a case of comparing a corrupted file to a backup copy to determine if it has *just* undergone encryption. Then it's probably a case of acquiring a copy of the virus, disassembling it and working out how its encryption algorithm operates. Then you'd need to write an app to reverse the process.

But without a backed up file to compare, you won't even know if the files have just been encrypted, or if much worse has been done (removing data, randomising data, ...).

I would take an image of the drive too before going any further; cleaning the virus could remove very important data, such as the salt(s) used for the encryption algorithm!

Phoenix64d
04-13-09, 12:23 PM
Hey Ace,

Actually it is not the same as described in that thread. In retrospect, I don't think those files were encrypted... I think they were infected, and the removal of the culprit permanently messed them all up.

At any rate, if there were an encryption key left behind, the A/V program and a subsequent reformat (done against my advice) would have made sure that it's long gone.

Everyone he consulted agrees that his data is probably toast. He has a backup of the damaged files, just in case someone finds how to recover them. And unfortunately, trying to discover the encryption algorithm (which seems to have eluded some ppl in that thread) is far beyond my skill =/

Ace
04-14-09, 01:59 PM
Oh well... it sounds like you're right; not much left over to check. Unless the program left a distinctive header at the top of the files it screwed up which can be used to identify the particular malicious software, it doesn't look promising. Aside from trying some common ciphers, he's pretty much screwed - and without any backups to verify against, it can't really be automated either :(

I wish him the best of luck with it though!
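
A small triage helper along the lines of what Ace describes above: check whether the Word file header survived, measure how random the bytes look (encryption tends toward ~8 bits/byte, ordinary corruption usually does not), and, when a backup copy exists, test whether the damaged file is simply the backup under a short repeating XOR key. This is an added example, not code from the thread or its posters; it assumes the files are legacy .doc compound documents, and the sample document and key below are constructed.

```python
import math
from itertools import cycle
from typing import Optional

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # signature of a legacy .doc (compound file)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 looks random (encrypted/compressed), English text is ~4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def has_doc_header(data: bytes) -> bool:
    """True if the compound-file signature at offset 0 is intact."""
    return data[:8] == OLE2_MAGIC

def repeating_xor_key(damaged: bytes, backup: bytes, max_len: int = 32) -> Optional[bytes]:
    """Known-plaintext check: if damaged == backup XOR a repeating key of at most
    max_len bytes, return that key; otherwise (or if nothing changed) return None."""
    if len(damaged) != len(backup) or not damaged or damaged == backup:
        return None
    stream = bytes(a ^ b for a, b in zip(damaged, backup))
    for k in range(1, max_len + 1):
        if all(stream[i] == stream[i % k] for i in range(len(stream))):
            return stream[:k]
    return None

def triage(damaged: bytes, backup: Optional[bytes] = None) -> dict:
    """Summarise what can be said about a damaged file, with or without a backup copy."""
    report = {
        "doc_header_intact": has_doc_header(damaged),
        "entropy_bits_per_byte": round(shannon_entropy(damaged), 2),
        "same_length_as_backup": backup is not None and len(backup) == len(damaged),
        "repeating_xor_key": None,
    }
    if backup is not None:
        report["repeating_xor_key"] = repeating_xor_key(damaged, backup)
    return report

# Constructed sample: a fake .doc and the same bytes under a 3-byte repeating XOR key.
SAMPLE_BACKUP = OLE2_MAGIC + b"Quarterly report: revenue up 4%. " * 20
SAMPLE_KEY = bytes.fromhex("5A13C4")
SAMPLE_DAMAGED = bytes(p ^ k for p, k in zip(SAMPLE_BACKUP, cycle(SAMPLE_KEY)))

if __name__ == "__main__":
    print(triage(SAMPLE_DAMAGED, SAMPLE_BACKUP))
```

Without a backup the helper can only report the header state and entropy, which is exactly the "can't be automated" limit Ace points out; with one, a recovered key is a strong hint that only a simple reversible transform was applied.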

Phoenix64d
04-14-09, 06:24 PM
Thanks for trying. Maybe we all learned a little something about cryptovirology (and backing up data) :D