MalwareDisasters is a division of MalwareIntelligence. It captures information about the behavior of malicious code during testing, and also offers the countermeasures needed to mitigate the malicious actions in question.

7.23.2010

SMS Ransomware porn template update

A new variant of blocker-type ransomware that promotes pornographic sites is In-the-Wild, with its internals slightly modified. Essentially, the number to which the victim must send the SMS has changed. Now the number is 86571252, and the message remains the same: 6005.

Another change is the location where the threat stores its copy. In this case, the path is C:\Documents and Settings\Default User\Media\ and the file name is run32.exe. The first image shows the previous version, while the second corresponds to the new variant of the SMS Ransomware.

The ransomware is distributed, as in previous cases, through porn sites. This variant uses the same cover name (flash_player.exe); its MD5 is 2e8f56ce39270e10f7082a35d13a735a and, as I write this update, it has an average detection rate, being detected by 12 of 42 antivirus engines.


Countermeasures
Identify and terminate the process called "run32.exe". Once it is terminated, the ransomware window disappears.
** The process may also be named process32.exe.

*** To kill the process you can use Task Manager or the native Windows application Process Explorer.

Delete the following system entries:
Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module
Value:
AModule
"C:\Documents and Settings\Administrador\Media\run32.exe"
*** You can also use the Autoruns application to view the entry in an orderly manner.

Folders:
C:\Documents and Settings\Default User\Media

Files:
C:\Documents and Settings\All Users\Media\run32.exe
C:\Documents and Settings\All Users\Media\rdb.bat
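An added example (not from the original post): a PowerShell script that audits a machine for the indicators listed above and, when run with -Remove from an elevated prompt, applies the same countermeasures. It assumes the Run value is named AModule or Module (the post lists both spellings), and that Get-FileHash (PowerShell 4 or later) is available.

```powershell
# Added example, not part of the original post. Audits for this variant's
# indicators; with -Remove it also terminates the process and deletes the entries.
# Assumptions: the Run value name is "AModule" or "Module"; Get-FileHash exists (PS 4+).
param([switch]$Remove)

$ProcNames  = @('run32', 'process32')                     # process names given in the post
$RunKey     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueNames = @('AModule', 'Module')                      # both names the post mentions
$Paths      = @(
    'C:\Documents and Settings\All Users\Media\run32.exe',
    'C:\Documents and Settings\All Users\Media\rdb.bat',
    'C:\Documents and Settings\Default User\Media'
)
$KnownMd5   = '2e8f56ce39270e10f7082a35d13a735a'          # MD5 of flash_player.exe, per the post

$found = @()

# 1. Running process: terminating it makes the lock window disappear.
foreach ($p in Get-Process -Name $ProcNames -ErrorAction SilentlyContinue) {
    $found += "process $($p.Name) (PID $($p.Id)) path $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Persistence: the Run value that points at run32.exe.
$runValues = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($name in $ValueNames) {
    $data = $runValues.$name
    if ($data -and $data -match 'run32\.exe') {
        $found += "registry $RunKey\$name = $data"
        if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $name }
    }
}

# 3. Dropped files and folder: record the MD5 before deleting so the action is auditable.
foreach ($path in $Paths) {
    if (Test-Path -LiteralPath $path) {
        $line = "file $path"
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
            $line += " md5=$md5"
            if ($md5 -eq $KnownMd5) { $line += ' (matches MD5 from the post)' }
        }
        $found += $line
        if ($Remove) { Remove-Item -LiteralPath $path -Recurse -Force }
    }
}

if ($found) { $found | ForEach-Object { Write-Output $_ } }
else        { Write-Output 'No indicators of this variant found.' }
```

Run it once without -Remove to review what it finds, then with -Remove; the file hashes it prints let you confirm the dropped copy against the MD5 given above before deleting it.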

Related information

New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
