Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43434
  • Total Topics: 16528
  • Online today: 3056
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 3
Guests: 2945
Total: 2948









Author Topic: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’  (Read 8363 times)

0 Members and 2 Guests are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’

A new  “ransomware” campaign uses a novel approach to extort money from Internet users. It locks your computer and displays a localized webpage that covers your desktop and demands the payment of a fine for the possession of banned material.

The following system changes may indicate the presence of this malware:
<startup folder>\<random file name>.dll.lnk

<startup folder>\<random file name>.dll

Lock.dll


The Trojan  creates the following registry changes:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: “DisableTaskMgr“
With data: “1“


HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: “NoProtectedModeBanner“
With data: “1“


HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: “Locked“
With data: “1“


HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Sets value: “1609“
With data: “0“


HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: “1609“
With data: “0“

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: “1609“
With data: “0“


HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: “1609“
With data: “0“


HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: “1609“
With data: “0“


We’ve seen images such as these:


Larger picture


Larger picture


Larger picture

When the ransomware runs, some variants of this malware family copy themselves to your computer.

%ALLUSERSPROFILE%\Application Data\<random filename>.<dll>

Some variants create the following shortcut file in the Windows start-up folder to ensure the Trojan loads every time you log on:

<startup folder>\runctf.lnk


Larger picture

Some variants may also drop a copy of rundll32.exe in the “%USERPROFILE%\application data” directory. This file launches the Trojan.

In some older variants, the Trojan creates a shortcut file of this type:

“<random file name>.dll.lnk“.

As part of its payload, this Trojan displays a full-screen webpage that covers all other windows, rendering the computer unusable. The image is a fake warning pretending to be from a legitimate institution that demands the payment of a fine. Paying the “fine” will not necessarily return your computer to a usable state, so we don’t advise you do so.

This Trojan can download and run customized DLL payloads:

 • Lock.dll, which the Trojan injects into browser process of Internet Explorer, Chrome, and Opera to display the fraudulent message:


Larger picture

This Trojan uses a variety of legitimate payment and financial transfer services, including:

 • Green Dot MoneyPak
 • Paysafecard
 • Ukash
McAfee products detect these malware binaries as Ransom-AAY.gen.b.



Orginal article: Wednesday, December 19, 2012 at 12:39pm by Naganathan Jawahar
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info


devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
Re: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’
« Reply #1 on: 20. January 2013., 01:50:39 »
Although not mentioned, this (for me unknown) tool should be able to clean this kind of mess up.

VERY curious if anyone has any experiences...?

FROM: http://scforum.info/index.php/topic,785.msg19886.html#msg19886

Smitfraudfix (Download English and French versions ) - This tool removes Desktop Hijack malware, created by S!Ri, here: http://siri.geekstogo.com/SmitfraudFix.php .


Peace!

Devvie



~~~ notemail@facebook.com ~~~
 
Cuisvis hominis est errare, nullius nisi insipientis in errore persevare
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-013 by DevNullius)
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
Re: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’
« Reply #2 on: 20. January 2013., 12:34:35 »
Our lucky day...

This morning a friend of mine arrived with his infected Windows 7 x86 computer.

Surprised to see a Windows 7 computer being hijacked, I started to investigate. He wanted a format - I never format. So on we went ; )

Symptons: when user logs on, a screen appears mentioning your computer is locked, you have 48hours to pay, or else the police will lock you completely down (the "FBI virus" as I like to call it ; ).

Ctrl Alt Del Taskmanager fails: the ransomware kills it. Ctrl Esc for Start does not work either. All is locked (48 hours had passed). Help? Neh...

Log off, log on and AVG (yes, another infected AVG computer - I HATE AVG) intercepted something. Police warning (in Dutch) was gone too. Still I downloaded SmitFraudFix and rebooted into safe mode.

I let the program scan. Logs are very limited and thus confusing. I think it did not actually find something, besides itself. Not sure though, I let it do its cleaning.

Reboot in normal mode. Only an error: AppData\Local\Temp\wlsidten.dll not found. Good :>

I downloaded Cleanup! by Gould, let it do the ground work and reduce scanning times greatly.

Then: AVG Removal tool ++ download Combofix.

Remove AVG (removal tools here: http://scforum.info/index.php/topic,7957.0.html).

Go to Safe Mode and start Combofix. A warning AVG still is active, re-running the removal tool gave no difference. I cursed AVG once more, ignored the warning and let Combofix do its magic.

Results?
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Nieuw herstelpunt werd aangemaakt (== new restoration point)
.
.
((((((((((((((((((((((((((((((((((   Andere Verwijderingen   )))))))))))))))))))))))))))))))))))))))))))))))))
.(== removals)
.
c:\programdata\netdislw.pad
c:\users\ekkid\AppData\Roaming\GetValue.vbs
c:\users\ekkid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
c:\windows\system32\tmp.reg

Reboot once more, and enjoy a fresh clean Windows :) Including writing this article 45 minutes of work. Format that ;p

Next I'll install Avast Home and remove Internet Explorer for this friend, and he should be good after some extra scripts, browserprotect.org, Winpatrol (not a good program, but no free alternatives and I've got a family license - I prefer AnVir as THE startup manager - given away for free once in a while) and the latest updates he is all good to go ;p


Karma!

Devvie


~~~ notemail@facebook.com ~~~
 
Cuisvis hominis est errare, nullius nisi insipientis in errore persevare
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-013 by DevNullius)
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’
« Reply #3 on: 20. January 2013., 19:38:40 »
Nice done D., your friend is really lucky. :thumbsup:

Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Re: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’
« Reply #4 on: 20. January 2013., 20:31:34 »
I hope my article helped you some way. ;)
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info

Re: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’
« Reply #4 on: 20. January 2013., 20:31:34 »

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
Re: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’
« Reply #5 on: 20. January 2013., 23:39:49 »
I hope my article helped you some way. ;)

Eh - sure? ; ) Keep them coming?

Karma!

devnullius
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
I again had the (Dutch: politie) FBI virus. Computer completely locked out, nothing I could do.

So I went for Kaspersky Rescue Disc 10 (https://support.kaspersky.com/viruses/rescuedisk). I updated it with latest definitions and let it scan in the most aggressive way possible. It found 1 bad .js file - all the rest were 'false' alarms (old pst archives etc).

After the reboot: STILL infected! :(

SO...

I went to (blergh) AVG Rescue CD (http://www.avg.com/nl-nl/avg-rescue-cd-download). Again, updated, most aggressive, etc.

THIS scan found many java files, all apparently infected. I left my friends after 20% scanning.

The day after they reported all was well again. They first ran combofix (to ease my mind) and are now installing Avast (after a mad rumble of mine on NOT to ignore AV warnings about yearly activation;p).

Karma,

devnullius
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Nice done D., your friend is really lucky. :thumbsup:


Confirmed again. :thumbsup:


By the way, I'm little bit surprised that AVG resolved this instead of Kaspersky.  ???

 

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info

By the way, I'm little bit surprised that AVG resolved this instead of Kaspersky.  ???

 

A little surprised...?




I was SHOCKED - especially for I really do NOT like AVG! BUT fair is fair... Offline boot scan beats Kaspersky (which, btw, keeps crashing on my Win 7 system... Avast, avast, avast - I keep telling everyone :>)

Karma,

Devnullius
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023