MalwareDisasters is a division of MalwareIntelligence. It captures information about the behaviour of malicious code during testing and also offers the countermeasures needed to mitigate the malicious actions in question.

3.13.2010

Dangerous trojans, keyloggers and Spyware detected in you computer!!!

This is a new variant of ransomware that is In-the-Wild with, so far, a poor detection rate according to the VirusTotal report: only 9 of 42 antivirus engines detect it.

It uses a technique employed by some aggressive scareware to try to "compel" victims to "buy" the alleged antivirus solution, which is in fact the scareware itself.

In this case the malware is hidden in a file called avlck.exe (md5: 04cb597a4ffddfbae9a76cde53833ab7). When run, it blocks access to the system and displays the image shown above, which presents an alleged infection problem.

In that instance the malware connects to the site


It makes a copy of itself in the Windows system folder under the name myserv.exe and adds a reference to it in the registry Run key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KeyMy c:\windows\myserv.exe 

Countermeasures

Restart in Safe Mode and delete the file myserv.exe located in the Windows folder.
Delete the value KeyMy (c:\windows\myserv.exe) located under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Unlock the system with any of the following keys:

PozisyonAyarla
HerZamanUstte

Related information
SMS Ransomware for Windows In-the-Wild
LockScreen. Your computer is infected by Spyware!!!


3.08.2010

myLoader. Base C&C to manage Oficla/Sasfis Botnet

myLoader is a special-purpose framework developed to manage the activities of a botnet. The data reflected in this report were collected from a study of the criminal activities of a botnet of more than 210,000 zombies.

We describe the potential threat of this crime by breaking down the modules that make up the package used to manage the Oficla/Sasfis botnet. The report also presents information that helps explain its behaviour, both in its propagation strategy and in its infection processes, together with prevention measures to help counteract its actions.

Spanish | English | Author: Jorge Mieres | Malware Intelligence | 2010, March


3.05.2010

Another very active SMS Ransomware

Ransomware activity originating in Russia doesn't stop; it is constantly looking for ways to carry out fraudulent business, feeding on the information located on the victim's system.

In this case, it's another ransomware that is In-the-Wild, and its detection rate is very low.

When the malicious binary is executed, it displays an alleged IE error.

It simply creates a plain text file called xFoLOOOSErs.txt with the following content:

installed
19793214

It also creates a registry key.

The number stored in this file corresponds to the telephone number to which the user must send an SMS to unlock the system. However, this is not the only number the cybercriminal uses; any of the following may also be displayed:

1971482
19777877
197852
197971412

Furthermore, the activation number may vary between:

5370
5373
7250

Technical data:
MD5: 0cc435c5bfe3444ce7151f8f2a319728
SHA1: 9c00c70b220da9b59fc9be55d37d7a1f94abb2e0
File size: 71168 bytes
Packer: -

Countermeasures
For any of the telephone numbers used by this variant of ransomware and by the one above, you can use any of the following codes:

0000000
1973143

Keep your antivirus program updated.

Related information


SMS Ransomware for Windows In-the-Wild

Within the criminal business of malicious code, one well-known variant is the strategy implemented by ransomware-type malware, whose main objective is financial gain in exchange for returning something maliciously "hijacked".

In this case, it's an operating system lock-up caused by malware of Russian origin. In the nomenclature of the antivirus companies it is detected under names alluding to Blocker (Comodo/Fortinet/Kaspersky), LooksLike (McAfee), LockScreen (ESET), Fraud (Avast), Winlock (DrWeb) and Dunik!Rts (Microsoft).

The malware pretends to be the Flash Player installer, using a file called install_flash_player.exe (ff27289c8a5ac530ce876bc08fe45f1e).

However, once executed, it locks the operating system with a window, written in Russian (a feature which indicates its orientation toward a Russian audience), ordering the user to send an SMS text message to a particular type of phone number to obtain the unlock key.

In the %temp% folder it generates the files asd[x].cbt (D6110298A4E241BE6E7031ADA220BACC) and asd[x].tmp (an MZ file) (5E9C2819DA8463278F0CFA3C1CCAFF70), where [x] is a random number; some AV companies detect them under the name Ransom PogBlock. The latter is the binary that controls the blocking window.

The ransomware disables Task Manager and blocks access to the system in Safe Mode by generating a reboot loop through a BSoD.

This activity falls within the framework of the criminal malware business itself, in which the malware author seeks profit through the cost of the SMS the victim is required to send. It is one more within the criminal world of crimeware which, even though it's addressed to the Russian public, constitutes a serious threat to any system.

Countermeasures
Restart in Safe Mode.
Delete the file asd[x].tmp located in %temp%.
Delete the following registry reference:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
c:\documents and settings\administrador\configuración local\temp\asd1.tmp
Keep your antivirus program updated.
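The two posts above describe the same kind of persistence: a value under the Run key (KeyMy pointing at myserv.exe) and a path appended to the Winlogon Userinit value (asd[x].tmp in %temp%). The following Python script is an added example, not code from the blog, that parses a registry export in .reg format and flags both indicators. The key and value names are the real Windows locations named in the posts; the .reg text is constructed sample data and the helper names are assumptions.

```python
"""Triage check for the persistence mechanisms described in the posts above.

Added example (not the blog's code). It parses a registry export in .reg
format (as produced by `reg export`) and flags:
  * Run-key values launching the page's IoC myserv.exe
  * a Winlogon\\Userinit value that references anything other than
    userinit.exe, e.g. an appended asd[x].tmp in %temp%
The .reg text below is constructed sample data for the demonstration.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Indicators taken from the posts (file names only; the directory varies per host).
RUN_IOC = re.compile(r"\\myserv\.exe\s*$", re.IGNORECASE)
USERINIT_IOC = re.compile(r"\\temp\\asd\d+\.tmp$", re.IGNORECASE)
# The one entry that must always remain in Userinit on a Windows install.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\.*\\system32\\userinit\.exe$", re.IGNORECASE)

# Constructed sample export: one benign Run entry, the KeyMy IoC, and a
# Userinit value with the ransomware's asd1.tmp appended after userinit.exe.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"KeyMy"="c:\\windows\\myserv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,c:\\documents and settings\\administrador\\configuración local\\temp\\asd1.tmp"
"""

# "name"="data" lines; .reg escapes backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
            keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (key, value_name, finding) tuples for every suspicious entry."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if RUN_IOC.search(data):
            findings.append((RUN_KEY, name, f"Run entry launches {data}"))
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    for entry in filter(None, (e.strip() for e in userinit.split(","))):
        if LEGIT_USERINIT.match(entry):
            continue  # the normal userinit.exe entry
        tag = ("matches asd[x].tmp ransomware pattern" if USERINIT_IOC.search(entry)
               else "unexpected Userinit entry")
        findings.append((WINLOGON_KEY, "Userinit", f"{tag}: {entry}"))
    return findings


def cleaned_userinit(userinit):
    """Userinit value with only userinit.exe kept (trailing comma as Windows writes it)."""
    keep = [e.strip() for e in userinit.split(",") if LEGIT_USERINIT.match(e.strip())]
    return ",".join(keep) + ","


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, name, finding in find_indicators(parsed):
        print(f"[!] {key}\\{name}: {finding}")
    print("Userinit should read:", cleaned_userinit(parsed[WINLOGON_KEY]["Userinit"]))
```

Feed it the output of `reg export` taken from the affected machine (or from a hive loaded from an offline image) in place of the constructed sample. Note the Userinit handling: the value must keep its userinit.exe entry, so the cleanup removes only the appended asd[x].tmp path rather than deleting the whole value, otherwise interactive logon no longer works.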

The easiest part: unlock with any of the following keys:

code:592100041 unlock:2002972524
code:592131650 unlock:3807350716
code:592108426 unlock:2111921530
code:592128602 unlock:838761711
code:592122374 unlock:4272582034
code:592100773 unlock:3071200006
code:592109181 unlock:2803729885
code:592109325 unlock:1494973728
code:592129826 unlock:3062337563
code:592105732 unlock:2478558886

Note: Should a number different from those listed appear on your display, send an email with that number to disastersteam[at]malwareint[dot]com to receive the unlock key.

Related information
LockScreen. Your computer is infected by Spyware!!!
