MalwareDisasters is a division of MalwareIntelligence. Here information is gathered on the behaviour of malicious code, together with the countermeasures needed to mitigate the malicious actions in question.

3.05.2010

SMS Ransomware for Windows In-the-Wild

Within the criminal business of malicious code, one well-known variant is the strategy used by ransomware, whose main objective is financial gain in exchange for the return of something maliciously "hijacked".

In this case, the operating system is locked by malware of Russian origin. According to the nomenclature of the antivirus companies, it is detected under names alluding to Blocker (Comodo/Fortinet/Kaspersky), LooksLike (McAfee), LockScreen (ESET), Fraud (Avast), Winlock (DrWeb) and Dunik!Rts (Microsoft).

The malware masquerades as the Flash Player installer, using a file called install_flash_player.exe (MD5 ff27289c8a5ac530ce876bc08fe45f1e).

Once executed, it locks the operating system behind a window, written in Russian (a feature that indicates its orientation towards a Russian audience), which orders the victim to send an SMS text message to a specific phone number in order to obtain the unlock key.

It drops two files in the %temp% folder: asd[x].cbt (MD5 D6110298A4E241BE6E7031ADA220BACC) and asd[x].tmp (MD5 5E9C2819DA8463278F0CFA3C1CCAFF70; despite the extension this is an executable with an MZ header), where [x] is a random number. Some AV companies detect them under the name Ransom.PogBlock. The latter file is the binary that drives the blocking pop-up.

The ransomware disables the Task Manager and prevents access to the system in Safe Mode by generating a reboot loop through a BSoD.

This activity falls squarely within the business of criminal malware: the author profits from the cost of the SMS the victim is required to send. It is one more case within the crimeware world which, even though aimed at the Russian public, constitutes a serious threat to any system.

Countermeasures
Restart in Safe Mode.
Delete the file asd[x].tmp located in %temp%.
Restore the following registry value, which the malware points at its dropped binary, to its default (on Windows XP: C:\WINDOWS\system32\userinit.exe, including the trailing comma); do not delete the value outright, or Windows will no longer be able to log on:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
c:\documents and settings\administrador\configuración local\temp\asd1.tmp
Keep the antivirus program updated.
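
The following PowerShell script is an added example, not part of the original post and not a MalwareDisasters tool. It turns the indicators above (the asd[x].tmp / asd[x].cbt droppers in %temp%, their MD5 hashes, the MZ header, and the hijacked Userinit value) into a triage-and-cleanup routine. The default Userinit value and the DisableTaskMgr policy value are assumptions (the post does not say how Task Manager is disabled); run it elevated and test on a disk image first.

```powershell
# Added example (not from the original post): triage and clean-up for the
# Winlock/PogBlock SMS ransomware using the indicators the post lists.

# Indicators taken from the post: dropped file names and MD5 hashes.
$KnownMd5 = @(
    'FF27289C8A5AC530CE876BC08FE45F1E',  # install_flash_player.exe
    'D6110298A4E241BE6E7031ADA220BACC',  # asd[x].cbt
    '5E9C2819DA8463278F0CFA3C1CCAFF70'   # asd[x].tmp (MZ executable)
)
$DropPattern = '^asd\d+\.(tmp|cbt)$'      # [x] is a random number per the post

# Assumption: default Userinit for Windows XP/2003; the trailing comma is part of the value.
$UserinitKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserinitDefault = "$env:SystemRoot\system32\userinit.exe,"

function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-MzHeader([string]$Path) {
    # A PE executable starts with the two bytes "MZ" (0x4D 0x5A), whatever its extension.
    $buf = New-Object byte[] 2
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { $n = $fs.Read($buf, 0, 2) } finally { $fs.Close() }
    return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
}

# 1. Find the dropped files in the current user's %temp% and hash them.
$suspects = Get-ChildItem -Path $env:TEMP -Force | Where-Object { $_.Name -match $DropPattern }
foreach ($f in $suspects) {
    $hash  = Get-Md5Hex $f.FullName
    $isPe  = Test-MzHeader $f.FullName
    $known = $KnownMd5 -contains $hash
    Write-Host ("{0}  MD5={1}  MZ={2}  known-sample={3}" -f $f.FullName, $hash, $isPe, $known)
}

# 2. Check whether Userinit has been pointed at asd[x].tmp, as the post describes.
$userinit = (Get-ItemProperty -Path $UserinitKey -Name Userinit).Userinit
Write-Host "Userinit = $userinit"
$hijacked = $userinit -match '\\asd\d+\.tmp'

# 3. Remediate: restore Userinit (never delete it, or logon breaks) and remove the droppers.
if ($hijacked) {
    Set-ItemProperty -Path $UserinitKey -Name Userinit -Value $UserinitDefault
    Write-Host "Userinit restored to default."
}
$suspects | Remove-Item -Force -ErrorAction SilentlyContinue

# 4. Assumption: Task Manager was disabled through the usual policy value; clear it if present.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $polKey) {
    Remove-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
}
```

Run it from Safe Mode as the post advises, since the locker is not active there. The hash check tells you whether you are looking at exactly the sample documented here or at a newer build; the MZ check still flags a renamed executable even when the hash differs.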

The easiest part. Unlock with any of the following code/key pairs:

code:592100041 unlock:2002972524
code:592131650 unlock:3807350716
code:592108426 unlock:2111921530
code:592128602 unlock:838761711
code:592122374 unlock:4272582034
code:592100773 unlock:3071200006
code:592109181 unlock:2803729885
code:592109325 unlock:1494973728
code:592129826 unlock:3062337563
code:592105732 unlock:2478558886

Note: if a number other than those listed appears on your screen, send an email with that number to disastersteam[at]malwareint[dot]com to receive the unlock key.

Related information
LockScreen. Your computer is infected by Spyware!!!
