MalwareDisasters is a division of MalwareIntelligence. It captures information about the behavior of malicious code under test and also offers the countermeasures needed to mitigate the malicious actions in question.

8.16.2010

New Russian SMS ransomware In-the-Wild

The development of malware designed to block access to the operating system is in full expansion. Although the current generation of ransomware is very different from the first generations, which, using cryptovirology, literally kidnapped user files by encrypting them and demanded a financial payment in exchange for the release key, the concept and the goal have not changed.

In this case it is a new variant of SMS ransomware that blocks access to the operating system, showing on screen an alleged security report which refers to an infection by a variant of the trojan that recruits zombies for ZeuS botnets; the report is actually false.


The brief report is in Russian, from which it follows that the malware targets users of that country. However, the spread of the threat has no borders and no language limitations.

According to the text, to obtain an unlock key it is necessary to send an SMS message to 4161 with the text 2AV112239. This set of alphanumeric characters is not the only one that can be shown: the malware carries a list from which one is displayed at random. The list consists of the following strings:

2AV166522, 2AV288764, 2AV222419, 2AV288888, 2AV266555, 2AV119999, 2AV121436, 2AV178477, 2AV166522, 2AV111199, 2AV187211, 2AV133211, 2AV111223, 2AV243562, 2AV211246, 2AV244533, 2AV277631, 2AV233884, 2AV242665, 2AV233211, 2AV288599, 2AV299884, 2AV286442, 2AV248864, 2AV222464, 2AV288434, 2AV265543, 2AV211278, 2AV299977, 2AV165431, 2AV131313, 2AV132218, 2AV155543, 2AV166666, 2AV186443, 2AV155422, 2AV198775, 2AV144366, 2AV199797, 2AV197797, 2AV177979, 2AV166321, 2AV111229, 2AV155322, 2AV187532, 2AV112239, 2AV164554, 2AV134274, 2AV153221, 2AV311111, 2AV311112, 2AV311113, 2AV311114, 2AV311115, 2AV311116, 2AV311117, 2AV311118, 2AV311119, 2AV311120, 2AV311121, 2AV311123, 2AV311124, 2AV311125, 2AV311126, 2AV311127, 2AV311128, 2AV311129, 2AV311130, 2AV311131, 2AV311132, 2AV311133, 2AV311134, 2AV311135, 2AV311136, 2AV311137, 2AV311138, 2AV311139, 2AV311140, 2AV311141, 2AV311142, 2AV311143, 2AV311144, 2AV311145, 2AV311146, 2AV311147, 2AV311148, 2AV311149, 2AV311150, 2AV311151, 2AV311152, 2AV311153, 2AV311154, 2AV311155, 2AV311156, 2AV311157, 2AV311158, 2AV311159, 2AV311160, 2AV311161, 2AV311162, 2AV311163, 2AV311164, 2AV311165, 2AV311166, 2AV311167, 2AV311168, 2AV311169, 2AV311170, 2AV311171, 2AV311172, 2AV311173, 2AV311174, 2AV311175, 2AV311176, 2AV311177, 2AV311178, 2AV311179

The malware disables the possibility of accessing the system in Safe Mode and blocks access to the following programs:
  • TASKMGR.EXE
  • REGEDT32.EXE
  • MSCONFIG.EXE
  • EXPLORER.EXE
  • TEXPL.EXE
  • ANVIR.EXE
Countermeasure
Unlock using the following key:
  • Environ
Click the first button and press the Enter key.
Restart the system.
Delete the registry key that references ctfmon.exe.


Run an updated antivirus.

Related information
New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
