Remove a_princ@aol.com Virus. Decrypt .xtbl Files - How to, Technology and PC Security Forum | SensorsTechForum.com
Remove a_princ@aol.com Virus. Decrypt .xtbl Files


[Image: a_princ@aol.com ransom message (Troldesh/Shade .xtbl variant)]

A_princ@aol.com is the name of this particular ransomware crypto-virus, because it uses that email address in its ransom message. Lots of viruses from the Troldesh/Shade ransomware family have been seen in the past couple of days. This virus will put a picture with instructions on your desktop once it finishes encrypting files. The ransomware will lock files, placing a long extension ending in .xtbl behind their original one. The virus does not give a set price for decryption but leaves a contact email only. To remove the ransomware and find out how you could restore your files, you should read the whole article.

UPDATE! Kaspersky malware researchers have released a Shade decryptor which can decode files encrypted by the Shade ransomware variants. Since this includes the .xtbl file extension, we have created instructions on how to decrypt your .xtbl files. The instructions can be found at the link below:
Decrypt Files Encrypted by Shade Ransomware

Threat Summary

Name: a_princ@aol.com
Type: Ransomware, Crypto-Virus
Short Description: The ransomware encrypts files with an extension ending in a_princ@aol.com.xtbl and leaves an email address as a contact for the supposed decryption of the files.
Symptoms: The ransomware will place a new picture on your desktop with instructions that point to an email address as a contact.
Distribution Method: Spam Emails, Email Attachments, Executable Files
Detection Tool: See If Your System Has Been Affected by a_princ@aol.com (Malware Removal Tool download)
User Experience: Join Our Forum to Discuss a_princ@aol.com.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

A_princ@aol.com Virus – Distribution Tactics

The a_princ@aol.com ransomware may have several distribution tactics. Targeted attacks and spam email campaigns are certainly among the main ones. Spam emails usually contain a short message stating that the important part of the message, or something of interest, is in the file attached to the letter. The attachment in question could seem ordinary, but if you open it, the file will release the payload of the ransomware and infect your computer. Be on high alert while browsing through emails which seem suspicious, especially if they have attachments or download links.

Social media sites and file-sharing services are another possible way of distribution for the a_princ@aol.com virus. The script with the payload could be inside executables or batch files, presented as useful utilities on the above-mentioned networks. Good advice to follow, so that you might prevent ransomware from infecting your PC, is to avoid emails, files or links which seem suspicious or of unknown origin. Also, before opening any files, check their signatures and sizes and, if possible, scan them with security software. You can find more tips about preventing ransomware infections in the topic in our forum.

A_princ@aol.com Virus – Detailed Overview

The a_princ@aol.com virus belongs to the Shade/Troldesh family of ransomware. These viruses are widely known to encrypt files with a long extension containing the email they use for contact, putting the .xtbl extension at the end. That is why some researchers label this as an XTBL ransomware type.

This virus is named after the email that its maker has left as a contact – a_princ@aol.com.

The ransomware will place the following file and use it as a starting point for infecting your system:

%WINDIR%\System32\Payload.exe

The virus will then create an executable file and probably a registry entry, so that it runs with each start of Windows. Other files that the ransomware will create are a text file and a picture with the instructions. Those files will remain hidden until your files get locked. After that, the virus encrypts files found on your disk drives and on the storage devices you have connected.

Once the encryption process is done, you will see that your desktop background has a new wallpaper, and a text file appears as well. Both are named How to decrypt your files. This is what the wallpaper looks like:

[Image: a_princ@aol.com ransom message wallpaper]

The text on that image reads:

Attention!!!
To restore information email technical support
send 3 encrypted files
a_princ@aol.com

The other one is a .txt file and its contents are the following:

[Image: the "How to decrypt your files" .txt ransom note]

The a_princ@aol.com virus does not give a particular price for the decryption of your data. No deadline is provided either. The ransomware maker has put only one email for contact, and that is what distinguishes this variant of the ransomware from others in the security world.

Do NOT contact the a_princ@aol.com email trying to negotiate a price for paying the ransom. Even if you do that, you may not get your data back. Funding cyber criminals will only give them more money to aid them in their criminal activity. As a_princ@aol.com is a variant of the Shade/Troldesh ransomware family, there is a way you could try to recover your files. A decryptor tool made by Kaspersky exists, and you can check it from the instructions written under this article.

The a_princ@aol.com ransomware encrypts a large number of file types, namely files with the following extensions:

[Image: a file encrypted by a_princ@aol.com, showing the .xtbl extension]

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps

After all files are encrypted, you will see that each of them has the following extension appended to its original one: .id-[eight digit number]-a_princ@aol.com.xtbl.

Next, the ransomware may send some of the following data to a remote location:

  • Trojan ID
  • Compromised computer ID
  • Host name
  • Email address used by the Trojan
  • Number of encrypted document, archive, database, and image files
  • Total number of encrypted files
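To triage an infected share before running the Kaspersky decryptor, it helps to inventory what was locked. The script below is an added example, not code from the original article or from any vendor tool: it parses the .id-[eight digit number]-a_princ@aol.com.xtbl naming pattern described above to recover each original file name and the victim ID, then tallies the files by coarse category in the same spirit as the counts the trojan reports home. The category-to-extension grouping is an assumption made for this example; only extensions from the article's list are used.

```python
import os
import re
from collections import Counter

# Appended extension as described in the article:
#   <original name>.id-<eight digits>-a_princ@aol.com.xtbl
XTBL_RE = re.compile(r"^(?P<orig>.+)\.id-(?P<victim>\d{8})-a_princ@aol\.com\.xtbl$")

# Coarse grouping of a few extensions from the article's list (assumed
# grouping, chosen to mirror the document/archive/database/image counts).
CATEGORIES = {
    "document": {".doc", ".docx", ".docm", ".odt", ".ods", ".odp", ".pdf",
                 ".rtf", ".txt", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx"},
    "archive":  {".zip", ".rar", ".7z", ".bkf", ".bkp"},
    "database": {".sql", ".mdb", ".accdb", ".mdf", ".dbf", ".odb", ".kdb"},
    "image":    {".jpg", ".jpeg", ".jpe", ".png", ".svg", ".psd", ".cr2", ".dng"},
}

def parse_encrypted_name(name):
    """Return (original_name, victim_id) for an .xtbl-renamed file, else None."""
    m = XTBL_RE.match(name)
    return (m.group("orig"), m.group("victim")) if m else None

def categorize(original_name):
    """Map the original file's extension to one of the coarse categories."""
    ext = os.path.splitext(original_name)[1].lower()
    return next((c for c, exts in CATEGORIES.items() if ext in exts), "other")

def inventory(names):
    """Tally encrypted files from an iterable of bare file names."""
    counts, victims, originals = Counter(), set(), []
    for n in names:
        parsed = parse_encrypted_name(n)
        if parsed is None:          # untouched file or the ransom note itself
            continue
        orig, victim = parsed
        victims.add(victim)
        originals.append(orig)
        counts[categorize(orig)] += 1
    return {"total": sum(counts.values()), "by_category": dict(counts),
            "victim_ids": sorted(victims), "originals": originals}

def scan_tree(root):
    """Walk a directory tree (e.g. a mapped share) and inventory it."""
    return inventory(f for _, _, files in os.walk(root) for f in files)

if __name__ == "__main__":
    # Constructed sample listing, not taken from a real infection.
    sample = ["report.docx.id-12345678-a_princ@aol.com.xtbl",
              "photo.jpg.id-12345678-a_princ@aol.com.xtbl",
              "backup.zip.id-12345678-a_princ@aol.com.xtbl",
              "How to decrypt your files.txt", "notes.txt"]
    print(inventory(sample))
```

Run scan_tree() against the root of an affected volume to get the same summary for real data; the "originals" list doubles as a checklist when verifying the decryptor's output.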

The A_princ@aol.com ransomware might delete the Shadow Volume Copies from the Windows Operating System. Read further to learn how you might decrypt your files.

Remove A_princ@aol.com Virus and Restore .xtbl Files

If your computer is infected with the a_princ@aol.com ransomware, you should have some experience with removing viruses. You should get rid of this ransomware as fast as you can, before it can spread deeper into the network you use and infect more files. Remove the ransomware by following the step-by-step instructions provided below. To see how you might try to recover your files, check the step titled 3. Restore files encrypted by a_princ@aol.com.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
