Jul 17, 2011

Ransom Trojan

Ransom is a Trojan which, once installed, locks the user out of the system and demands payment to unlock it.

Here I have analysed a ransom file, xxx_video.exe, using OllyDbg.
This ransom creates a mutex named "BFFF5675-ADC0-4740-81FF-7540597A0DC5" to mark its presence on the infected system.

It enumerates the running processes and checks for explorer.exe. If found, it kills explorer.exe on the infected system so that the user cannot access the Windows shell or any files.

It creates a copy of the file in the All Users\Application Data location.

It modifies the Winlogon Shell registry key so that this Trojan is loaded first when the system boots.

It checks whether taskmgr.exe is running in memory and, if it is not found, creates a copy of xxx_video.exe in the system32 and dllcache locations with the name taskmgr.exe, probably replacing the existing taskmgr.exe.

Likewise, it modifies the userinit.exe file in the system32 and dllcache locations.

Below you can see the Ransom Trojan installed. It locks up the screen, asking you to enter an unlock code (which you will receive once you send an SMS to a premium-rate mobile number).

Recovery: Manual recovery is not easy for this kind of Trojan, since it kills the user shell and also replaces Task Manager, so the chance of loading Explorer back is minimal. Restarting the system will load only the Trojan, since it has replaced the default explorer.exe in the Winlogon Shell registry key. Keep an updated AV on your system and stay protected.

Jul 16, 2011

Fake Antivirus – Security Shield

Recently, one of my friends' email accounts got hacked, and from his email ID a lot of mails with malware links were sent to people in his address book. I too received a mail from his account, and when I examined the mail it contained the link below:

hxxp://www.raby-f.fr/AFFIN/live-in-troncais/modules/Search/myhome.html

When I clicked on the link, it redirected me to a page that appeared to start scanning my system.

Initially it looked as though it was scanning my system. After checking the above link, I found that it contained JavaScript that displays a fake scan message with the help of GIF files.

When I clicked on the fake scan, it asked me to download a file named vclean.exe and run it.

I downloaded the file and started analysing it using OllyDbg. After traversing a few calls, I found it creating a mutex named “I’m here”. Generally, mutexes are created to make sure only one instance of the program is running on the system.

It creates a file pkgib.exe (a random file name) in the Local Settings\Application Data folder.

It creates a RunOnce entry to survive a reboot, so that whenever the infected system is rebooted, the rogue program runs automatically.

Using taskkill.exe it kills the running vclean.exe process, pings the loopback address 127.0.0.1 to check whether the network configuration is working fine, then deletes itself and spawns pkgib.exe:

CommandLine = "\"C:\\WINDOWS\\system32\\cmd.exe\" /c taskkill /f /pid 1684 & ping -n 3 127.1 & del /f /q \"C:\\Doc\\Admin\\Des\\vclean.exe\" & start C:\\DOC\\ADMIN\\LOC\\APP\\pkgib.exe -f"
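The command line above is the whole dropper hand-off in one line: kill the parent, wait, delete the original, start the copy. As an added example (not code from the post), the Python below splits such a cmd.exe /c chain on its & separators, extracts the PID killed, the ping-based delay, the deleted file and the started file, and flags the loopback-ping-then-del ordering; the ping -n 3 127.1 step also gives the parent a few seconds to exit before del runs, which is why that ordering is a useful signature in process-creation logs. The sample command line is reconstructed from the post with the debugger's escaping removed.

```python
import re
# Constructed sample: the cmd.exe command line from the post above, with the debugger's
# escaping of quotes and backslashes removed so it reads as cmd.exe received it.
SAMPLE_CMDLINE = (
    r'"C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1684 & ping -n 3 127.1 & '
    r'del /f /q "C:\Doc\Admin\Des\vclean.exe" & start C:\DOC\ADMIN\LOC\APP\pkgib.exe -f'
)

def split_cmd_chain(cmdline):
    """Sub-commands chained with '&' after 'cmd.exe /c'; '&' inside quotes is not a separator."""
    m = re.match(r'\s*"?[^"]*cmd\.exe"?\s+/c\s+(.*)$', cmdline, re.IGNORECASE)
    body = m.group(1) if m else cmdline
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def _tokens(cmd):
    """Tokenize one sub-command, keeping quoted paths (which may contain spaces) whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def analyze_self_delete_chain(cmdline):
    """Extract kill/delay/delete/start steps from a dropper's cmd chain; flag loopback-ping-then-del."""
    info = {"verbs": [], "killed_pid": None, "delay_pings": None, "ping_target": None,
            "deleted": None, "started": None, "suspicious": False}
    for cmd in split_cmd_chain(cmdline):
        toks = _tokens(cmd)
        lower = [t.lower() for t in toks]
        verb = lower[0]
        info["verbs"].append(verb)
        if verb == "taskkill" and "/pid" in lower:
            info["killed_pid"] = int(toks[lower.index("/pid") + 1])
        elif verb == "ping":  # 'ping -n N' is the delay; Windows ping sends 4 echoes by default
            info["delay_pings"] = int(toks[lower.index("-n") + 1]) if "-n" in lower else 4
            info["ping_target"] = toks[-1]
        elif verb in ("del", "start"):  # first argument that is not a /switch is the file path
            info["deleted" if verb == "del" else "started"] = next(
                (t for t in toks[1:] if not t.startswith("/")), None)
    v, target = info["verbs"], (info["ping_target"] or "").lower()
    loopback = target.startswith("127.") or target in ("localhost", "::1")
    info["suspicious"] = loopback and "del" in v and v.index("ping") < v.index("del")
    return info
```

Run over the sample, it reports the killed PID 1684, a three-echo delay, vclean.exe as the deleted file and pkgib.exe as the started one, and marks the chain suspicious; a plain "dir & echo done" chain is not flagged.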

Once pkgib.exe is executed, it displays the alert message shown below.

Once you click on the “OK” button, a new window opens with the title “Security Shield”; it starts scanning your system and displays fake scan results, saying that your system is infected and that several threats have been identified by the application.

It won’t allow you to work on the infected system: whenever you try to access something, it shows annoying pop-ups like “Warning! Threats found… Activate Security Shield”. Also, it won’t allow any executable to run.

Once you click on “Activate Security Shield”, it takes you to a fake payment gateway which prompts you to enter all your credit card information.

It then sends all the collected information to the remote attacker.

Recovery: To recover from this rogue antivirus, restart your system in Safe Mode. Select Run, type local settings\Application Data, delete the file with the random file name (or with the icon shown here),
and restart your system. Now you can proceed with your normal work.