A new cryptolocke attack has been spreading through plain text links that mimic a service that some people use and provides a link to a dropbox file. While we are sure that Dropbox is working on a fix, we suggest that you do not click on any email links to dropbox file in the near future.
Here is an example of one of the emails you might receive:
Example Email- Discard any email that looks like :
From: fax [mailto:fax@[your domain] ] Sent: Thursday, June 05
To: [Your Email] Subject: You’ve received a new fax
New fax at SCAN4226279 from EPSON by https://[your domain] Scan date: Thu, 5 Jun 2014 13:33:35 -0600 Number of pages: 2
Resolution: 400×400 DPI
You can download your fax message at:
https://www.dropbox.com/meta_dl/(random alphanumeric code)
A great resource to help find, fight and prevent the virus can be found here by the good people at bleeping computers:
They even provide a link to a prevention tool. Here is an except from the guide:
How to prevent your computer from becoming infected by CryptoLocker
You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:
The file paths that have been used by this infection and its droppers are:
C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)
In order to block the CryptoLocker and Zbot infections you want to create Path Rules so that they are not allowed to execute. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually. Both methods are described below.
How to use the CryptoPrevent Tool:
FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed below to your computer. This makes it very easy for anyone using Windows XP SP 2 and above to quickly add the Software Restriction Policies to your computer in order to prevent CryptoLocker and Zbot from being executed in the first place.
A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.
You can download CryptoPrevent from the following page:
For more information on how to use the tool, please see this page:
Once you run the program, simply click on the Block button to add the Software Restriction Policies to your computer. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button.