MalwareDisasters is a division of MalwareIntelligence. In the same vein, it records information about the behaviour of malicious code and also offers the countermeasures needed to mitigate the malicious actions in question.

7.18.2010

New variant of ransomware through porn sites IV

6.20.2010

New variant of ransomware through porn sites III

Another ransomware variant is In-the-Wild. Like the previous variants, it spreads through porn sites; in the case presented, the page axporno.ru is used as the propagation vector.

On infecting the computer, it displays a window that overlaps every other window and shows the information supposedly needed to unlock the system.

When the user tries to close the image, a new window appears with instructions on how to get rid of it. The maneuver, as is usual in the latest generation of blocker-type ransomware, is to get the user to send a premium-rate SMS text message to a certain number (162772132) with certain content (3381).

It creates two files, sc.ini and delself.bat, both in the System32 folder. The first stores a number associated with the infection and the path of the malware binary; the second is a batch script that removes some of its traces: it retries the deletion of the binary until the running process has exited, then deletes sc.ini and itself.

sc.ini

600
C:\Documents and Settings\All Users\Media\module.exe


delself.bat

rem Retry until the binary is no longer locked by the running process
:try
del "C:\Documents and Settings\All Users\Media\module.exe"
if exist "C:\Documents and Settings\All Users\Media\module.exe" goto try
rem Remove the configuration file, then the batch file itself
del "C:\WINDOWS\system32\sc.ini"
del "C:\WINDOWS\system32\delself.bat"

The malware uses the SmsCost service (smscost.ru) to look up the cost of the SMS message.


It also promotes another page with sexually explicit material (amporno.ru), through which malware is spread as well.

Countermeasures
End the "module" process through Task Manager (Ctrl + Alt + Del).
Locate and delete the following files:
  • module.exe (MD5: 4D6C1F95ED90DDEE122FC749FCE1084E)
  • sc.ini (MD5: FEADA1AF5309D97A537D02DD6678E847)
  • delself.bat (MD5: E327DE8BC4BC1183CC9A60776717DA38)
The MD5s identify the sample analysed here; a rebuilt variant will carry different hashes even though the file names and paths are the same.
Delete the Media folder at C:\Documents and Settings\All Users\Media

Delete the following registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Module > c:\documents and settings\all users\media\module.exe

Install an up-to-date antivirus product and run a full (deep) scan.



5.04.2010

New variant of ransomware through porn sites II

A new variant of this malware is In-the-Wild. It spreads through pornographic websites: when the user clicks any of the images the page presents, supposedly to view the video, an alert box warns that the Flash Player 10 application must be installed and offers to download a supposed executable called flash_player.exe (MD5: f26c45393af03e80a40ea06aafb01c63).

As in the case previously presented on this blog, this is ransomware that displays a window with pornographic content.

As usual with this type of malicious code, to get rid of the annoying image it demands that a premium-rate SMS text message (3381) be sent to a specific phone number (84234321).

In addition, it constantly opens a website with pornographic content, which is also hosted at IP address 77.247.179.176.


Countermeasures
End the following processes:
  • plugin.exe
  • watcher.exe
Delete the Media folder at C:\Documents and Settings\All Users\Media

Delete the following registry value:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Module > c:\documents and settings\all users\media\plugin.exe

Alternatively, unlock it with the following code: 19282736

Related information
Copyright violation: copyrighted content detected
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!


4.25.2010

Copyright violation: copyrighted content detected

New ransomware In-the-Wild which, under the pretext of having been issued by an alleged copyright-protection body, tries to extort money through a deception strategy that seeks to "negotiate" the payment of a fine with the victim.

When its payload executes, the operating system is locked with a window like the one shown below, which "warns" of the alleged copyright violation, claiming to have detected copyrighted material on the computer.

The information on the screen can be displayed in ten languages: English, Czech, Danish, Dutch, French, German, Italian, Portuguese, Slovak and Spanish. This feature shows how professional the attackers are, because every translation is well done, which is achieved by outsourcing the translation work.

On occasion it also sets the wallpaper to the following image:


Furthermore, to lend credibility, the strategy invokes the legal provisions of the European Union's copyright law and displays the headquarters information of the agency that supposedly handles this type of dispute, chosen according to the victim's country.


For geolocation, the malware connects to IP address 91.209.238.2, whose whois record places it in Moldova, Republic of, under the name Eugenia E. Groza. It reports the victim's IP address and then performs a whois lookup to establish the victim's country of origin.

> 91.209.238.2/m5tools/ip.php
> 91.209.238.2/m5tools/whois.php


Countermeasures
Press Ctrl + Alt + Del to bring up Task Manager.
End the "iqmanager.exe" process.
Delete the IQmanager folder located in C:\Documents and Settings\Administrator\Application Data (the Application Data folder of the affected profile; Administrator was the profile used in this analysis).
Delete the Desktop icon.

Or enter the following code: RFHM2-TPX47-YD6RT-H4KDM
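The countermeasures for the three blockers above (the 6.20.2010 and 5.04.2010 porn-site variants and this copyright-violation one) follow the same pattern: end the process, remove the Run value, delete the dropped files. The following PowerShell script is an added example, not code from MalwareDisasters or from the malware, that performs those steps driven by the indicators each post lists. It assumes an elevated PowerShell 2.0+ session on the infected host and the XP-era profile layout the posts use; the quarantine folder, the Get-Md5Hex and Remove-SmsBlocker function names and the decision to quarantine rather than delete are this example's own.

```powershell
# Added example (not from MalwareDisasters or the malware): cleanup driven by the
# posts' indicators. Assumes an elevated PowerShell 2.0+ session on the infected
# host and the posts' XP-era paths. Dropped files are quarantined, not deleted,
# so the samples survive for analysis; that choice is this example's, not the posts'.

function Get-Md5Hex {
    param([Parameter(Mandatory = $true)][string] $Path)
    # Get-FileHash only exists from PowerShell 4.0, so hash through .NET directly.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return (($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join '')
    } finally {
        $md5.Clear()
    }
}

function Remove-SmsBlocker {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]] $ProcessName,  # image names without .exe
        [Parameter(Mandatory = $true)][string]   $DropFolder,   # folder the dropper created
        [string]    $RunValueName,                              # value under HKCU\...\Run, if any
        [string[]]  $ExtraFile  = @(),                          # dropped files outside $DropFolder
        [hashtable] $KnownMd5   = @{},                          # file name -> MD5 from the post
        [string]    $Quarantine = (Join-Path $env:TEMP 'sms-blocker-quarantine')
    )
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

    # 1. End the blocker. Only processes whose image lives in $DropFolder are
    #    stopped, so a legitimate process that happens to share the name survives.
    foreach ($name in $ProcessName) {
        Get-Process -Name $name -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and $_.Path.StartsWith($DropFolder, [StringComparison]::OrdinalIgnoreCase) } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess($_.Path, 'Stop-Process')) { Stop-Process -Id $_.Id -Force }
            }
    }

    # 2. Remove persistence. The Run value is deleted only if it still points
    #    into $DropFolder, so an unrelated value with the same name is left alone.
    if ($RunValueName) {
        $entry = Get-ItemProperty -Path $runKey -Name $RunValueName -ErrorAction SilentlyContinue
        if ($entry -and ("$($entry.$RunValueName)" -like "*$DropFolder*")) {
            if ($PSCmdlet.ShouldProcess("$runKey\$RunValueName", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $runKey -Name $RunValueName
            }
        }
    }

    # 3. Hash every dropped file, compare it with the post's MD5 and quarantine it.
    $files = @()
    if (Test-Path -LiteralPath $DropFolder) {
        $files += Get-ChildItem -LiteralPath $DropFolder -Recurse | Where-Object { -not $_.PSIsContainer }
    }
    foreach ($p in $ExtraFile) {
        if (Test-Path -LiteralPath $p) { $files += Get-Item -LiteralPath $p }
    }
    if ($files.Count -gt 0) { New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null }
    foreach ($f in $files) {
        $hash     = Get-Md5Hex -Path $f.FullName
        $expected = $KnownMd5[$f.Name]
        if (-not $expected)          { $verdict = 'not listed in post' }
        elseif ($hash -eq $expected) { $verdict = 'matches post' }
        else                         { $verdict = 'differs from post (new build?)' }
        Write-Output ('{0}  {1,-30}  {2}' -f $hash, $verdict, $f.FullName)
        $dest = Join-Path $Quarantine ($f.Name + '.' + $hash)
        if ($PSCmdlet.ShouldProcess($f.FullName, "Move to $dest")) {
            Move-Item -LiteralPath $f.FullName -Destination $dest -Force
        }
    }

    # 4. Remove the emptied drop folder, as the posts instruct.
    if ((Test-Path -LiteralPath $DropFolder) -and -not (Get-ChildItem -LiteralPath $DropFolder -Recurse)) {
        if ($PSCmdlet.ShouldProcess($DropFolder, 'Remove-Item')) {
            Remove-Item -LiteralPath $DropFolder -Recurse -Force
        }
    }
}

# Indicators taken from the posts. Drop -WhatIf to act instead of previewing.
$allUsersMedia = 'C:\Documents and Settings\All Users\Media'
$system32      = Join-Path $env:SystemRoot 'system32'

# 5.04.2010 post: plugin.exe and watcher.exe, Run value "Module". watcher is
# listed first in case it relaunches plugin.exe (an assumption; the post does not say).
Remove-SmsBlocker -ProcessName watcher, plugin -DropFolder $allUsersMedia -RunValueName Module -WhatIf

# 6.20.2010 post: module.exe, plus sc.ini and delself.bat in System32, with the post's MD5s.
Remove-SmsBlocker -ProcessName module -DropFolder $allUsersMedia -RunValueName Module `
    -ExtraFile (Join-Path $system32 'sc.ini'), (Join-Path $system32 'delself.bat') `
    -KnownMd5 @{
        'module.exe'  = '4D6C1F95ED90DDEE122FC749FCE1084E'
        'sc.ini'      = 'FEADA1AF5309D97A537D02DD6678E847'
        'delself.bat' = 'E327DE8BC4BC1183CC9A60776717DA38'
    } -WhatIf

# 4.25.2010 post: iqmanager.exe in the profile's Application Data. $env:APPDATA is
# that folder for the logged-on user (the post analysed the Administrator profile).
Remove-SmsBlocker -ProcessName iqmanager -DropFolder (Join-Path $env:APPDATA 'IQmanager') -WhatIf
```

The hash check is deliberately advisory: a file in the drop folder whose MD5 differs from the post is still quarantined, because the path and the Run value are the durable indicators while the hash only confirms the exact build analysed. The Desktop icon mentioned in the copyright-violation post is not handled, since the post gives no name for it.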


Related information
New variant of ransomware through porn sites
Dangerous trojans, keyloggers and Spyware detected in you computer!!!
Another very active SMS Ransomware
SMS Ransomware for Windows In-the-Wild
Desktop Hijack by Internet Security 2010. Your System Is Infected!
LockScreen. Your computer is infected by Spyware!!!


4.20.2010

New variant of ransomware through porn sites
