Tuesday, August 17, 2010

FW: Newsbank :: New Russian SMS ransomware In-the-Wild


-------------------------------------------
From: Max Goncharov (AV-EMEA)
Sent: Tuesday, August 17, 2010 3:41:24 PM
To: Newsbank
Subject: Newsbank :: New Russian SMS ransomware In-the-Wild
Automatically forwarded by rule


http://malwaredisasters.blogspot.com/

The development of malware designed to block access to the operating system is in full expansion. Although the current generation of ransomware differs greatly from the first generations, which used cryptovirology to literally hold user files hostage by encrypting them and demanding a payment in exchange for the release key, the concept and the goal have not changed.

In this case it is a new variant of SMS ransomware that blocks access to the operating system and displays a screen showing an alleged security report. The report claims an infection by a trojan variant that recruits zombies for the ZeuS botnet; the claim is false.

The brief report is written in Russian, from which it follows that the malware targets users in that country. However, the spread of the threat has no borders and no language limitations.

According to the text, to obtain an unlock key it is necessary to send an SMS to 4161 with the message 2AV112239. This alphanumeric string is not the only one that can be shown: the malware carries a list of codes and displays one of them at random. The list consists of more than a hundred such strings:


The malware prevents the system from being started in Safe Mode and blocks access to the following programs:

    * TASKMGR.EXE
    * REGEDT32.EXE
    * MSCONFIG.EXE
    * EXPLORER.EXE
    * TEXPL.EXE
    * ANVIR.EXE

Countermeasure

Unlock using the following key:

    * Environ

Click the first button and press the Enter key.

Restart the system.

Delete the registry key that references ctfmon.exe.

Run an updated antivirus.
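The cleanup step above says to remove the registry key for ctfmon.exe but not where it lives. The following added example (not code from the original post or from the blog it quotes) assumes the malware persists through an autorun entry that borrows the name of the legitimate ctfmon.exe, and audits a `.reg` export of the Run keys for such entries; the sample export, the user path and the "system32 is the only legitimate location" rule are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of what "reg export" of a Run key can look like.
# The second entry is hypothetical: an autorun that borrows the ctfmon.exe
# name (note the trailing space) but points into the user profile.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ctfmon.exe "="C:\\Documents and Settings\\user\\Application Data\\ctfmon.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe /quiet"
'''

# Assumption: the only location the genuine ctfmon.exe should autostart from.
LEGIT_CTFMON = r"c:\windows\system32\ctfmon.exe"


def parse_run_entries(reg_text: str) -> List[Dict[str, str]]:
    """Return name/value pairs found under any ...\\Run or ...\\RunOnce key."""
    entries: List[Dict[str, str]] = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = re.match(r'^"(.*?)"="(.*)"$', line)
        if val_match and current_key and re.search(r"\\Run(Once)?$", current_key, re.I):
            # .reg files escape each backslash as "\\"; undo that before comparing.
            value = val_match.group(2).replace("\\\\", "\\")
            entries.append({"key": current_key, "name": val_match.group(1), "value": value})
    return entries


def suspicious_ctfmon(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag autorun entries named like ctfmon.exe that do not launch the system copy."""
    hits = []
    for entry in entries:
        # strip() catches look-alike names padded with whitespace
        if entry["name"].strip().lower() != "ctfmon.exe":
            continue
        image = entry["value"].strip('"').lower()
        if image != LEGIT_CTFMON:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in suspicious_ctfmon(parse_run_entries(SAMPLE_REG_EXPORT)):
        print(f'{hit["key"]} -> "{hit["name"]}" = {hit["value"]}')
```

On a real machine the export would come from `reg export` of the HKCU and HKLM Run keys; an entry flagged here is the one the countermeasure tells you to delete.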

Max Goncharov |  Максим Гончаров | マックス ゴンチャロフ | Senior Threat Researcher

Zeppelinstrasse 1, 85399 Hallbergmoos, Deutschland

Office : +49.811.88990.851 | Fax: +49.811.88990.851 |  Mobile : +49.174.988.6417
