MalwareDisasters is a division of MalwareIntelligence. It captures information about the behaviour of malicious code and also offers the countermeasures needed to mitigate the malicious actions in question.

7.23.2010

SMS Ransomware porn template update

A new variant of the blocker-type ransomware that promotes pornographic sites is In-the-Wild, with its internals slightly modified. Basically, the number to which the victim must send the SMS has changed. The number is now 86571252, while the message remains the same: 6005.

Another change is the location that holds the copy of the threat. In this case the path is C:\Documents and Settings\Default User\Media\ and the file name is run32.exe. The first image shows the previous version, while the second corresponds to the new variant of the SMS Ransomware.

The ransomware is distributed, as in previous cases, through porn sites. This variant uses the same file name as cover (flash_player.exe), its MD5 is 2e8f56ce39270e10f7082a35d13a735a and, as I write this update, it has an average detection rate, being detected by 12/42 antivirus engines.

Countermeasures
Identify and terminate the process called "run32.exe". At this point the ransomware window disappears.
** The name of the process can also be process32.exe.

*** To kill the process you can use Task Manager or Microsoft's Process Explorer (Sysinternals).

Delete the following system information
Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module
Value:
AModule
"C:\Documents and Settings\Administrador\Media\run32.exe"
*** You can also use the Autoruns application to view the entries in an orderly manner.

Folders:
C:\Documents and Settings\Default User\Media

Files:
C:\Documents and Settings\All Users\Media\run32.exe
C:\Documents and Settings\All Users\Media\rdb.bat

Related information

New variant of ransomware through porn sites IV
New variant of ransomware through porn sites III
New variant of ransomware through porn sites  II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild


7.18.2010

New variant of ransomware through porn sites IV

Another variant of the blocker-type ransomware family is In-the-Wild, posing as the Flash Player installer via an executable file called flash_player.exe whose MD5 is acf591ac5ad2a26bf348708dda174b33.

This time it is also related to a porn site that opens immediately after the system is infected. However, unlike past versions, the blocking window does not display an image with sexual connotations.

As we see in the image, it simply presents the user with the requirements for obtaining the password that, in theory, unlocks the annoying window. It does not occupy the whole desktop (also a very common case in ransomware); the malicious window stays in the lower right corner of the desktop, superimposed on any other window.

In this case the user is told to send an SMS text message to 86577491 with the message 6005.

When the binary is executed, a simple command written in a BAT script makes the malicious application copy itself to C:\Documents and Settings\All Users\Media under the name kasper_zaebal.exe, adds a reference in the Run registry key and adds information in the security area.

In parallel, it opens a browser session redirecting traffic to the porn site www.redtube.eu, which resolves to IP address 216.155.139.158 (AS20473 - CHOOPA), classified as a malware server and C&C of some botnets.

Countermeasures
Enter the following code: 29543874

If you prefer a more "traditional" approach, follow the steps below:

Identify and terminate the process called "kasper_zaebal.exe". At this point the ransomware window disappears.

To kill the process you can use Task Manager or Microsoft's Process Explorer (Sysinternals).

Delete the following system information

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Module
Value:
AModule
"%ALLUSERSPROFILE%\Media\kasper_zaebal.exe"

You can also use the Autoruns application to view the entries in an orderly manner.

Folders:
C:\Documents and Settings\All Users\Media

Files:
C:\Documents and Settings\All Users\Media\kasper_zaebal.exe
C:\Documents and Settings\All Users\Media\rdb.ba
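
The countermeasures in this post and in the 7.23.2010 update come down to the same three checks: a running blocker process, a Run key value pointing at it, and the dropped copy under a Media folder. The following PowerShell script is an added example, not part of the original posts; it assumes the process and file names and the HKLM Run key listed above, reports what it finds, and removes it only when run with -Remediate (from an elevated prompt).

```powershell
# Added example (not from the original posts): detect, and optionally remove, the
# persistence of the SMS Ransomware variants described above.
# Assumptions: indicator names from the posts; Media folders derived from
# %ALLUSERSPROFILE% (the posts' "All Users" and "Default User" paths).
param([switch]$Remediate)

$RunKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$Names   = @('run32.exe', 'process32.exe', 'kasper_zaebal.exe', 'rdb.bat')
$Folders = @("$env:ALLUSERSPROFILE\Media",
             (Join-Path (Split-Path $env:ALLUSERSPROFILE) 'Default User\Media'))
$Pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Findings = @()

# 1. Running blocker processes (killing them makes the window disappear).
#    Done first so the dropped files are not locked when deleted below.
Get-Process | Where-Object { "$($_.Name).exe" -match "^($Pattern)$" } | ForEach-Object {
    $Findings += "process: $($_.Name) (PID $($_.Id))"
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 2. Any Run value whose data points at one of the indicator files in a Media
#    folder (the posts name the value Module/AModule; the data is what matters).
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match "\\Media\\($Pattern)" } |
        ForEach-Object {
            $Findings += "registry: $RunKey\$($_.Name) = $($_.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name $_.Name }
        }
}

# 3. Dropped copies and the Media folder that holds them.
foreach ($dir in $Folders) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Force | Where-Object { $_.Name -match "^($Pattern)$" } |
            ForEach-Object { $Findings += "file: $($_.FullName)" }
        if ($Remediate) { Remove-Item -LiteralPath $dir -Recurse -Force }
    }
}

if ($Findings) { $Findings } else { 'No indicators of this SMS ransomware found.' }
```

Run it without -Remediate first to review the report; the registry check matches on the value data rather than the value name, so it also catches a renamed Run entry that still launches a file under a Media folder.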

Related information
New variant of ransomware through porn sites III
New variant of ransomware through porn sites  II
New variant of ransomware through porn sites
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
