Extortionist leaves vital clue in plain sight
A virus that locks users out from the files in their My Documents folder has been cracked.
The Archiveus virus (or more accurately a Trojan) merges all the files in the My Documents folder into one big password-protected file. The original files are then deleted and a text document is created with instructions for recovering the files.
Rather than demanding money to return the files, the instructions demand that the user goes to an online pharmacy and makes an order.
To return the files the user must double-click on a file called Demo.als, which will prompt for a password. The password is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
Alternatively, the following password works if EncryptedFiles.als is run instead. The password for this is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
The instructions for removal from the security company Sophos warn users not to delete the virus files before entering the password and recovering the files.
Despite claims by the virus that it has encrypted the files, they are merely joined together. For most users the effect is much the same though and the files are inaccessible.
Security site Lurhq claims that the password was actually present in the program file so it was not difficult to find even with "beginner-level reverse-engineering".
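A hard-coded password of this kind shows up in a plain printable-strings pass over the program file, which is the usual first step when triaging a sample. The sketch below is an added example, not code from the article, Sophos or Lurhq; the sample buffer is constructed, and the length and character-mix thresholds are assumptions chosen for illustration.

```python
import re

MIN_SECRET_LEN = 20  # assumption: shorter tokens are mostly API and symbol names


def printable_runs(blob: bytes, min_len: int = 6):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, blob):
        yield m.start(), m.group().decode("ascii")


def looks_like_secret(s: str) -> bool:
    """Heuristic: one long token of mixed letters and digits, no punctuation."""
    if len(s) < MIN_SECRET_LEN or not s.isalnum():
        return False
    digits = sum(c.isdigit() for c in s)
    letters = len(s) - digits
    # Pure words (API names) and pure numbers are filtered out here.
    return digits >= 3 and letters >= 3 and len(set(s)) >= 10


def candidate_secrets(blob: bytes):
    """Return [(offset, string)] for runs that look like embedded passwords."""
    return [(off, s) for off, s in printable_runs(blob) if looks_like_secret(s)]


# Constructed stand-in for a program file: ordinary strings a Windows binary
# carries, plus the password quoted in the article, separated by NUL bytes.
PASSWORD = "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"
SAMPLE = b"MZ\x90\x00" + b"\x00".join([
    b"This program cannot be run in DOS mode.",
    b"kernel32.dll",
    b"GetModuleHandleA",
    b"InitializeCriticalSectionAndSpinCount",
    b"EncryptedFiles.als",
    PASSWORD.encode("ascii"),
    b"Enter password:",
]) + b"\x00\xff\xfe"

if __name__ == "__main__":
    for offset, text in candidate_secrets(SAMPLE):
        print(f"0x{offset:04x}  {text}")
```

Packed or obfuscated binaries will not give up a secret this way, which is why finding one with a strings pass was described as beginner-level.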
One of the email addresses used by the virus is a Yahoo address. We have contacted Yahoo to ask if it is looking into this matter.
Archiveus is not the first virus to try and extort money from users.