MalwareDisasters is a division of MalwareIntelligence. It documents the behavior of malicious code observed during testing and also offers the countermeasures needed to mitigate the malicious actions in question.

6.20.2010

New variant of ransomware through porn sites III

Another ransomware variant is In-the-Wild. Like previous variants, it spreads through porn sites; in the case presented, the page axporno.ru is used as the propagation vector.

Once it infects the computer, it displays a window that overlaps all others, showing the information supposedly needed to unlock the system.

When you try to close it, the image is displayed again in a new window that provides information on how to eliminate it. The maneuver, as is usual in the latest generation of blocker-type ransomware, is to encourage the user to send a premium-rate SMS message to a certain number (162772132) containing certain information (3381).

It creates the files sc.ini and delself.bat, both housed in the System32 folder. The first stores information equivalent to the infection number and the path where the malware binary is located, while the second holds the commands used to remove some of its tracks.

sc.ini

600
C:\Documents and Settings\All Users\Media\module.exe

delself.bat

del C:\Documents and Settings\All Users\Media\module.exe
if exist C:\Documents and Settings\All Users\Media\module.exe goto try
del C:\WINDOWS\system32\sc.ini
del C:\WINDOWS\system32\delself.bat

The malware uses the SmsCost service (smscost.ru) to provide information on the cost of the SMS message.

It also promotes another page with sexually explicit material (amporno.ru), through which malware also spreads.

Countermeasures

Terminate the "module" process through Task Manager (Ctrl + Alt + Del).

Search for and delete the following files:
  • module.exe (MD5: 4D6C1F95ED90DDEE122FC749FCE1084E)
  • sc.ini (MD5: FEADA1AF5309D97A537D02DD6678E847)
  • delself.bat (MD5: E327DE8BC4BC1183CC9A60776717DA38)

Delete the Media folder: C:\Documents and Settings\All Users\Media

Delete the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Module = c:\documents and settings\all users\media\module.exe

Install an updated antivirus program and perform a deep scan.
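The cleanup steps above can be carried out in one pass. The following PowerShell script is an added example, not part of the original post or of any tool the post mentions: it looks for the process, the three dropped files, the Run value and the Media folder described above, and removes them only when the -Remove switch is given. It assumes PowerShell 4 or later (for Get-FileHash), the Windows XP-era path layout used in the post, and that the sample hashes listed above are the only ones of interest; a same-named file whose MD5 does not match is reported but left in place.

```powershell
# Added example (not from the original post). Hunts for the artifacts of the
# SMS blocker described above and optionally removes them.
# Assumes PowerShell 4+ (Get-FileHash) and the XP-era "All Users" layout.
$KnownMd5 = @{
    'module.exe'  = '4D6C1F95ED90DDEE122FC749FCE1084E'
    'sc.ini'      = 'FEADA1AF5309D97A537D02DD6678E847'
    'delself.bat' = 'E327DE8BC4BC1183CC9A60776717DA38'
}
$MediaDir = 'C:\Documents and Settings\All Users\Media'
$System32 = Join-Path $env:SystemRoot 'system32'
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Find-BlockerArtifacts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Remove)

    $findings = @()

    # 1. The lock-screen process; stopped first so its binary is no longer locked.
    foreach ($p in Get-Process -Name module -ErrorAction SilentlyContinue) {
        $findings += "process PID=$($p.Id) Path=$($p.Path)"
        if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # 2. Dropped files, confirmed by MD5 so an unrelated same-named file is kept.
    $candidates = @((Join-Path $MediaDir 'module.exe'),
                    (Join-Path $System32 'sc.ini'),
                    (Join-Path $System32 'delself.bat'))
    foreach ($f in $candidates | Where-Object { Test-Path -LiteralPath $_ }) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        $name = Split-Path -Path $f -Leaf
        if ($hash -eq $KnownMd5[$name]) {
            $findings += "file $f MD5=$hash"
            if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
                Remove-Item -LiteralPath $f -Force
            }
        } else {
            Write-Warning "$f is present but MD5 $hash does not match the known sample; left in place"
        }
    }

    # 3. Persistence: the "Module" value under the current user's Run key.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Module']) {
        $findings += "registry $RunKey\Module = $($run.Module)"
        if ($Remove -and $PSCmdlet.ShouldProcess("$RunKey\Module", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $RunKey -Name Module
        }
    }

    # 4. The drop folder, removed only once nothing else is left inside it.
    if ($Remove -and (Test-Path -LiteralPath $MediaDir) -and
        -not (Get-ChildItem -LiteralPath $MediaDir -Force)) {
        if ($PSCmdlet.ShouldProcess($MediaDir, 'Remove-Item')) {
            Remove-Item -LiteralPath $MediaDir -Force
        }
    }

    return $findings
}

# Report only:
Find-BlockerArtifacts
# Remove, prompting before each action:
# Find-BlockerArtifacts -Remove -Confirm
```

Run it first without -Remove from an elevated prompt to see what is present; -WhatIf shows the removals that would be made without performing them. The process is stopped before the files are deleted because a running executable cannot be removed, and the MD5 check keeps the script from deleting an unrelated file that merely shares a name with the sample.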

