Recently, one of my friends' email accounts got hacked and, using his email ID, a lot of mails with malware links were sent to people in his address book. I too received a mail from his account, and when I examined the mail it contained the below link,
hxxp://www.raby-f.fr/AFFIN/live-in-troncais/modules/Search/myhome.html
When I clicked on the link it redirected me to a page where it started scanning my system. I downloaded the file and started analyzing it using OllyDbg. After traversing a few calls I found it creating a mutex "I'm here". Generally, mutexes are created to make sure only one instance of the program is running on the system.
It creates a RunOnce registry entry to survive a reboot, so that whenever the infected system is restarted the rogue program runs automatically.
Using taskkill.exe it kills the running vclean.exe process (PID 1684 in the command line below). It pings the loopback address 127.0.0.1 (written in the short form 127.1) to check whether the network configuration is working fine. Then it deletes itself and starts pkgib.exe:
CommandLine = "\"C:\\WINDOWS\\system32\\cmd.exe\" /c taskkill /f /pid 1684 & ping -n 3 127.1 & del /f /q \"C:\\Doc\\Admin\\Des\\vclean.exe\" & start C:\\DOC\\ADMIN\\LOC\\APP\\pkgib.exe -f"
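As an added example (not part of the original post), the following Python detector tags the taskkill / ping / del / start stages of the chained cmd.exe line quoted above and checks registry paths for RunOnce writes. The command lines and registry paths it runs over are constructed samples, not real telemetry, and the field names are assumptions, not taken from any particular log format.

```python
import re

# Loopback spellings ping accepts, including the abbreviated "127.1" used in the
# post, which a naive "127.0.0.1" string match would miss.
LOOPBACK = r"(?:127(?:\.\d{1,3}){1,3}|localhost)\b"
# One regex per stage of the kill / wait / delete / respawn chain described above.
# The loopback pings also hold cmd.exe for a few seconds, so the process being
# deleted has exited before "del" runs; that is why the chain needs them.
STAGE_PATTERNS = {
    "kill":   re.compile(r"\btaskkill(?:\.exe)?\b.*\s/(?:pid|im)\s", re.I),
    "delay":  re.compile(r"\bping(?:\.exe)?\b.*\b" + LOOPBACK, re.I),
    "delete": re.compile(r"\b(?:del|erase)\b.*\.exe\b", re.I),
    "spawn":  re.compile(r"\bstart\b.*\.exe\b", re.I),
}
RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce(?:Ex)?\\", re.I)

# Constructed sample process-creation command lines (not real telemetry); the first
# mirrors the chain quoted in the post, the rest are benign look-alikes.
SAMPLE_COMMAND_LINES = [
    r'"C:\WINDOWS\system32\cmd.exe" /c taskkill /f /pid 1684 & ping -n 3 127.1 '
    r'& del /f /q "C:\Doc\Admin\Des\vclean.exe" & start C:\DOC\ADMIN\LOC\APP\pkgib.exe -f',
    r'"C:\WINDOWS\system32\cmd.exe" /c ping -n 3 127.0.0.1',
    r'cmd.exe /c del /f /q "C:\Temp\old.log"',
    r'"C:\Program Files\App\setup.exe" /silent',
]

def classify_segments(cmdline):
    """Split a cmd.exe command line on its chaining operators and tag each segment."""
    stages = []
    for seg in re.split(r"\s*(?:&&|\|\||&|\|)\s*", cmdline):
        for name, pattern in STAGE_PATTERNS.items():
            if pattern.search(seg):
                stages.append(name)
                break
    return stages

def is_self_delete_chain(cmdline):
    """True when one command line waits on loopback pings, deletes an executable and
    starts another: the self-delete-and-respawn sequence the post describes.
    taskkill is reported as a stage but not required, since many droppers omit it."""
    return {"delay", "delete", "spawn"} <= set(classify_segments(cmdline))

def is_runonce_persistence(registry_path):
    """Flag a registry write under a RunOnce key, the reboot-survival trick above."""
    return bool(RUNONCE_RE.search(registry_path))

def scan(command_lines):
    """Return the command lines that match the full chain, for review or alerting."""
    return [c for c in command_lines if is_self_delete_chain(c)]
```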
Once pkgib.exe is executed, it displays the alert message shown below.
It won't allow you to work on the infected system: whenever you try to access something, it shows annoying pop-ups like "Warning! Threats found… Activate Security Shield". Also, it won't allow any executable to run.
Once you click on "Activate Security Shield", it takes you to a fake payment gateway that prompts you to enter all your credit card details.
Thanks sir, for all this information. Would you mind if I share this info in my blog? Please reply to this comment.
@Biswas - Of course you can share this. This blog is mainly for exchanging information among people.