MalwareDisasters is a division of MalwareIntelligence. In this space we record information about the behavior of malicious code and also offer the countermeasures needed to mitigate the malicious actions in question.

7.18.2010

New variant of ransomware through porn sites IV

Another variant of the blocker-type ransomware family is In-the-Wild, using as cover for its attacks a supposed Flash Player installer: an executable file called flash_player.exe whose MD5 is acf591ac5ad2a26bf348708dda174b33.

This time it is also related to a porn site that opens immediately after the system is infected. However, unlike past versions, the blocking window does not display an image with such connotations.

As we see in the image, it simply presents the user with the requirements for obtaining the password that will, in theory, remove the annoying window. The window does not occupy the whole desktop (also a very common case in ransomware); instead the malicious window stays in the lower right corner of the desktop, superimposed on any other window.

In this case the user is told to send an SMS text message to 86577491 with the message 6005.

When the binary is executed, a simple BAT script instructs the malicious application to copy itself to C:\Documents and Settings\All Users\Media under the name kasper_zaebal.exe, adds a reference in the Run registry key, and adds information in the security area.

In parallel, it opens a browser session that redirects traffic to the porn site www.redtube.eu, which resolves to IP address 216.155.139.158 (AS20473 - CHOOPA), classified as a malware server and as C&C of some botnets.

Countermeasures
Enter the following code: 29543874

If you want to try a more "traditional" approach, follow the steps below:

Identify and terminate the process called "kasper_zaebal.exe". At this point the ransomware window disappears.

To kill the process you can use Task Manager or the Process Explorer application for Windows.

Delete the following information from the system:

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module
Value:
AModule
"%ALLUSERSPROFILE%\Media\kasper_zaebal.exe"

You can also use the Autoruns application to view the entries in an orderly manner.

Folders:
C:\Documents and Settings\All Users\Media

Files:
C:\Documents and Settings\All Users\Media\kasper_zaebal.exe
C:\Documents and Settings\All Users\Media\rdb.ba
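The manual steps above (kill the process, remove the Run value, delete the dropped files) can be audited in one pass. The following PowerShell script is an added example and is not part of the original post or of any MalwareIntelligence tooling; it assumes an elevated PowerShell 4 or later (for Get-FileHash) and that the infected profile layout matches the indicators listed above. The -Remediate switch is this script's own convention; without it the script only reports what it finds. Because the post lists the Run value name as both "Module" and "AModule", the script matches on the value data (the path to kasper_zaebal.exe) rather than on the name.

```powershell
# Added example (not from the original post): audit and optional clean-up of the
# indicators listed in the Countermeasures section. Run in an elevated PowerShell.
# Indicator values (process, paths, MD5) come from the post; the script logic is an assumption.
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

$ProcessName = 'kasper_zaebal'
$RunKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$MediaDir    = Join-Path $env:ALLUSERSPROFILE 'Media'
$Files       = @('kasper_zaebal.exe', 'rdb.ba') | ForEach-Object { Join-Path $MediaDir $_ }
$DropperMd5  = 'acf591ac5ad2a26bf348708dda174b33'   # MD5 of flash_player.exe from the post

$found = $false

# 1. Process: terminating it makes the blocker window disappear
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $found = $true
    Write-Output "Process found: $($p.ProcessName) (PID $($p.Id)) path=$($p.Path)"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. Run key: match on the value data (path to kasper_zaebal.exe), not on the value
#    name, because the post lists the name as both "Module" and "AModule"
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($prop.Value)" -match 'kasper_zaebal\.exe') {
            $found = $true
            Write-Output "Run value found: $($prop.Name) = $($prop.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name $prop.Name }
        }
    }
}

# 3. Dropped files, then the Media folder if it is left empty
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        $md5 = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash.ToLower()
        Write-Output "File found: $f md5=$md5"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}
if ($Remediate -and (Test-Path -LiteralPath $MediaDir) -and
    -not (Get-ChildItem -LiteralPath $MediaDir -Force)) {
    Remove-Item -LiteralPath $MediaDir -Force
}

# 4. Leftover copies of the dropper: only flag files whose MD5 matches the post's sample
Get-ChildItem -Path $env:USERPROFILE, $env:TEMP -Filter 'flash_player.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
        if ($h -eq $DropperMd5) {
            $found = $true
            Write-Output "Dropper found: $($_.FullName)"
            if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
        }
    }

if (-not $found) { Write-Output 'No indicators of this variant were found.' }
```

Run it once without -Remediate to confirm the indicators match this variant (a different process name or Run value data means a different sample), then again with -Remediate. Matching the Run entry on its data rather than its name also catches the case where a later variant renames the value but keeps the same drop path.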

Related information
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
