New variant of ransomware through porn sites III
Another variant is ransomawre In-the-Wild. Like previous variants, it spreads through porn sites. The case presented axporno.ru page uses a vector of propagation.
When infecting the computer displays a window that overlaps any other, and by showing the information needed to theoretically unlock the system.
When infecting the computer displays a window that overlaps any other, and by showing the information needed to theoretically unlock the system.
When you try to close the image is displayed in a new window that provides information on how to eliminate it. The maneuver, as is usual in the latest generation of ransomware type blocker, is to encourage the user to send a text message SMS rate to a certain number (162772132) and certain information (3381).
Create files sc.ini and delself.bat, both housed in the System32 folder. The first stores information equivalent to the number of infection and route where the malware binary, while the second saves the information to remove some tracks.
sc.ini
600
C:\Documents and Settings\All Users\Media\module.exe
delself.bat
…
del C:\Documents and Settings\All Users\Media\module.exe
if exist C:\Documents and Settings\All Users\Media\module.exe goto try
del C:\WINDOWS\system32\sc.ini
del C:\WINDOWS\system32\delself.bat
The malware uses the service SmsCost (smscost.ru) to provide information on the cost of the SMS message.
In addition to promoting another page with sexually explicit material through which also spreads malware (amporno.ru).
Countermeasures
Remove the "module" process through task manager (Ctrl + Alt + Del).
Search and delete the following processes:
- module.exe (MD5: 4D6C1F95ED90DDEE122FC749FCE1084E)
- sc.ini (MD5: FEADA1AF5309D97A537D02DD6678E847)
- delself.bat (MD5: E327DE8BC4BC1183CC9A60776717DA38)
Delete the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Module > c:\documents and settings\all users\media\module.exe
Install an updated antivirus security program and perform a deep scan mode.
Related information
1 comentarios:
Buenisimo el post.Hay que andar con cuidado por la Web, como siempre y mas que nunca.Abrazo!
Post a Comment