Topic: Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’

[Pez]

Trojan Locks Computers, Demands Ransom for Bogus ‘Offense’

A new  “ransomware” campaign uses a novel approach to extort money from Internet users. It locks your computer and displays a localized webpage that covers your desktop and demands the payment of a fine for the possession of banned material.

The following system changes may indicate the presence of this malware:
<startup folder>\<random file name>.dll.lnk

<startup folder>\<random file name>.dll

Lock.dll

The Trojan  creates the following registry changes:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: “DisableTaskMgr“
With data: “1“

HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: “NoProtectedModeBanner“
With data: “1“

HKCU\Software\Microsoft\Internet Explorer\Toolbar
Sets value: “Locked“
With data: “1“

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Sets value: “1609“
With data: “0“

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
Sets value: “1609“
With data: “0“
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Sets value: “1609“
With data: “0“

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Sets value: “1609“
With data: “0“

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
Sets value: “1609“
With data: “0“

We’ve seen images such as these:


Larger picture


Larger picture


Larger picture

When the ransomware runs, some variants of this malware family copy themselves to your computer.

%ALLUSERSPROFILE%\Application Data\<random filename>.<dll>

Some variants create the following shortcut file in the Windows start-up folder to ensure the Trojan loads every time you log on:

<startup folder>\runctf.lnk


Larger picture

Some variants may also drop a copy of rundll32.exe in the “%USERPROFILE%\application data” directory. This file launches the Trojan.

In some older variants, the Trojan creates a shortcut file of this type:

“<random file name>.dll.lnk“.

As part of its payload, this Trojan displays a full-screen webpage that covers all other windows, rendering the computer unusable. The image is a fake warning pretending to be from a legitimate institution that demands the payment of a fine. Paying the “fine” will not necessarily return your computer to a usable state, so we don’t advise you do so.

This Trojan can download and run customized DLL payloads:

 • Lock.dll, which the Trojan injects into browser process of Internet Explorer, Chrome, and Opera to display the fraudulent message:


Larger picture

This Trojan uses a variety of legitimate payment and financial transfer services, including:

 • Green Dot MoneyPak
 • Paysafecard
 • Ukash
McAfee products detect these malware binaries as Ransom-AAY.gen.b.



Orginal article: Wednesday, December 19, 2012 at 12:39pm by Naganathan Jawahar

[devnullius]

Although not mentioned, this (for me unknown) tool should be able to clean this kind of mess up.

VERY curious if anyone has any experiences...?

FROM: http://scforum.info/index.php/topic,785.msg19886.html#msg19886

Smitfraudfix (Download English and French versions ) - This tool removes Desktop Hijack malware, created by S!Ri, here: http://siri.geekstogo.com/SmitfraudFix.php .


Peace!

Devvie



~~~ notemail@facebook.com ~~~
 
Cuisvis hominis est errare, nullius nisi insipientis in errore persevare
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-013 by DevNullius)

[devnullius]

Our lucky day...

This morning a friend of mine arrived with his infected Windows 7 x86 computer.

Surprised to see a Windows 7 computer being hijacked, I started to investigate. He wanted a format - I never format. So on we went ; )

Symptons: when user logs on, a screen appears mentioning your computer is locked, you have 48hours to pay, or else the police will lock you completely down (the "FBI virus" as I like to call it ; ).

Ctrl Alt Del Taskmanager fails: the ransomware kills it. Ctrl Esc for Start does not work either. All is locked (48 hours had passed). Help? Neh...

Log off, log on and AVG (yes, another infected AVG computer - I HATE AVG) intercepted something. Police warning (in Dutch) was gone too. Still I downloaded SmitFraudFix and rebooted into safe mode.

I let the program scan. Logs are very limited and thus confusing. I think it did not actually find something, besides itself. Not sure though, I let it do its cleaning.

Reboot in normal mode. Only an error: AppData\Local\Temp\wlsidten.dll not found. Good :>

I downloaded Cleanup! by Gould, let it do the ground work and reduce scanning times greatly.

Then: AVG Removal tool ++ download Combofix.

Remove AVG (removal tools here: http://scforum.info/index.php/topic,7957.0.html).

Go to Safe Mode and start Combofix. A warning AVG still is active, re-running the removal tool gave no difference. I cursed AVG once more, ignored the warning and let Combofix do its magic.

Results?
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Nieuw herstelpunt werd aangemaakt (== new restoration point)
.
.
((((((((((((((((((((((((((((((((((   Andere Verwijderingen   )))))))))))))))))))))))))))))))))))))))))))))))))
.(== removals)
.
c:\programdata\netdislw.pad
c:\users\ekkid\AppData\Roaming\GetValue.vbs
c:\users\ekkid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
c:\windows\system32\tmp.reg

Reboot once more, and enjoy a fresh clean Windows :) Including writing this article 45 minutes of work. Format that ;p

Next I'll install Avast Home and remove Internet Explorer for this friend, and he should be good after some extra scripts, browserprotect.org, Winpatrol (not a good program, but no free alternatives and I've got a family license - I prefer AnVir as THE startup manager - given away for free once in a while) and the latest updates he is all good to go ;p


Karma!

Devvie


~~~ notemail@facebook.com ~~~
 
Cuisvis hominis est errare, nullius nisi insipientis in errore persevare
——
All spelling mistakes are my own and may only be distributed under the GNU General Public License! – (© 95-1 by Coredump; 2-013 by DevNullius)

[Samker]

Nice done D., your friend is really lucky.

[Pez]

I hope my article helped you some way.

[devnullius]

I hope my article helped you some way.

Eh - sure? ; ) Keep them coming?

Karma!

devnullius

[devnullius]

I again had the (Dutch: politie) FBI virus. Computer completely locked out, nothing I could do.

So I went for Kaspersky Rescue Disc 10 (https://support.kaspersky.com/viruses/rescuedisk). I updated it with latest definitions and let it scan in the most aggressive way possible. It found 1 bad .js file - all the rest were 'false' alarms (old pst archives etc).

After the reboot: STILL infected!

SO...

I went to (blergh) AVG Rescue CD (http://www.avg.com/nl-nl/avg-rescue-cd-download). Again, updated, most aggressive, etc.

THIS scan found many java files, all apparently infected. I left my friends after 20% scanning.

The day after they reported all was well again. They first ran combofix (to ease my mind) and are now installing Avast (after a mad rumble of mine on NOT to ignore AV warnings about yearly activation;p).

Karma,

devnullius

[Samker]

Nice done D., your friend is really lucky.

Confirmed again.


By the way, I'm little bit surprised that AVG resolved this instead of Kaspersky. 

 

[devnullius]

By the way, I'm little bit surprised that AVG resolved this instead of Kaspersky. 

 

A little surprised...?




I was SHOCKED - especially for I really do NOT like AVG! BUT fair is fair... Offline boot scan beats Kaspersky (which, btw, keeps crashing on my Win 7 system... Avast, avast, avast - I keep telling everyone :>)

Karma,

Devnullius