MalwareDisasters is a division of MalwareIntelligence. It captures information about the behaviour of malicious code and also offers the countermeasures needed to mitigate the malicious actions in question.

4.25.2010

Copyright violation: copyrighted content detected

New ransomware In-the-Wild that, under the pretext of being issued by an alleged copyright-protection entity, tries to obtain money through a deception strategy that seeks to "negotiate" with the victim the payment of a fine.

When its payload executes, the operating system stops responding and shows a window like the one below, which "warns" of an alleged copyright violation after copyrighted material is detected on the computer.

The information presented on screen can be displayed in ten languages: English, Czech, Danish, Dutch, French, German, Italian, Portuguese, Slovak and Spanish. This feature shows the professionalism of the attackers, because every translation is well done, which is achieved by outsourcing the translation work.

On occasion the wallpaper is set to the following image:


Furthermore, to ensure a good level of credibility, the strategy leans on the legal aspect, citing the Copyright Law of the European Union, and displays information about the headquarters of the agency that handles this type of dispute, depending on the victim's country.


For geo-location, the malware connects to the IP address 91.209.238.2, located in Moldova, Republic of (the address is registered in the name of Eugenia E. Groza), and then performs a whois lookup to establish the victim's country of origin.

> 91.209.238.2/m5tools/ip.php
> 91.209.238.2/m5tools/whois.php


Countermeasures
Press Ctrl + Alt + Del to bring up Task Manager.
End the process "iqmanager.exe".
Delete the IQmanager folder located in C:\Documents and Settings\Administrator\Application Data.
Delete the Desktop icon.

Enter the code below: RFHM2-TPX47-YD6RT-H4KDM


Related information
New variant of ransomware through porn sites
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!


4.20.2010

New variant of ransomware through porn sites

The targets of this ransomware are visitors to pornographic sites. In this case it is a "Blocker" type of ransomware that, when activated, displays a short message and, in the lower right corner of the screen, an image with pornographic content.

Here is an example:

It asks the victim to send an SMS message to the number 3862816 with the text 8353 in order to remove this picture and to stop the automatic opening of the porn site pornhub.com (146.82.200.125).


The malware, whose MD5 is db836ddad526869bc750b62fbe36e936, has a low detection rate: 6/40 (15.00%).

Countermeasures
End the following processes:
  • plugin.exe
  • watcher.exe

Delete the Media folder located at C:\Documents and Settings\All Users\Media

Delete the following value from the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
  • Module > c:\documents and settings\all users\media\plugin.exe
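The countermeasures of this post and of the "Copyright violation" post above describe the same kind of artifacts: a running process, a dropped folder and a Run value. The following PowerShell script is an added example, not code from either post, that checks a machine for those indicators without deleting anything; it assumes $env:APPDATA and $env:ALLUSERSPROFILE resolve to the "Application Data" and "All Users" folders named in the posts.

```powershell
# Added example (not from the original posts): read-only check for the
# indicators described above. Nothing is ended or deleted here.
# Process and folder names come from the two posts; the profile paths are
# taken from the environment instead of the hard-coded XP paths (assumption).

$processNames = @('iqmanager', 'plugin', 'watcher')   # iqmanager.exe, plugin.exe, watcher.exe
$folders = @(
    (Join-Path $env:APPDATA 'IQmanager'),            # ...\Application Data\IQmanager
    (Join-Path $env:ALLUSERSPROFILE 'Media')         # C:\Documents and Settings\All Users\Media on XP
)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()

# 1. Processes named in the countermeasures that are currently running
foreach ($name in $processNames) {
    foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "Process running: $($p.ProcessName).exe (PID $($p.Id))"
    }
}

# 2. Folders the two samples drop
foreach ($f in $folders) {
    if (Test-Path $f) { $findings += "Folder present: $f" }
}

# 3. Persistence: any HKCU Run value whose data points at plugin.exe or iqmanager.exe
if (Test-Path $runKey) {
    $values = Get-ItemProperty -Path $runKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip the provider's own metadata
        if ("$($prop.Value)" -match 'plugin\.exe|iqmanager\.exe') {
            $findings += "Run value '$($prop.Name)' -> $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from these two ransomware samples found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in the session of the affected user, since the Run value lives under HKCU and is only visible for the account that is logged in.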
