Published: May 14 2009, 04:01 AM by Zarestel Ferrer
In the past months we have received several notable samples of ransomware, a particular type of malware, and we have described these threats below.
Win32/RansomFix
In March 2009 we received Win32/RansomFix.A, which encrypts mainly document and media files. On opening an encrypted file on the infected machine, the user is informed that the file is corrupted and is offered the option to repair it.

[Figure 1 – Message informing document is corrupted]
If the user clicks the Repair File button, the malware launches the web browser and directs it to the accomplice website shown in Figure 2. For $49.95, the unsuspecting user can purchase software to fix the files tagged by Win32/RansomFix.A as “corrupted document files”; the user has no way of knowing that this is a scam. In this scenario the encrypted files were the hostage and the user pays the ransom by buying FileFix PRO 2009; we detect this malware as Win32/FileFixPro2009.A.

[Figure 2 – Web page of the FileFix PRO 2009 program]
[Figure 3 – Graphical User Interface of FileFix PRO 2009]
The Win32/FakeAlert and Win32/FakeAV malware families employ similar techniques by pressuring users to buy rogue security software. Win32/FakeAlert shows deceptive popup warnings and alert messages and then directs the browser to the affiliate website that is hosting Win32/FakeAV. Figure 4 below shows the system popups used in this scam.

[Figure 4 – System Popups and Alerts]
If you have been a victim of this malware and your files (documents) are tagged as “corrupted”, you will need to decrypt them before they can be reopened. We have created a tool especially for this purpose and you can download it here.
* To download the fixtool, right click the link and choose the "Save Target As..." option.
Win32/RansomSMS
Win32/RansomSMS is a malware family that locks the system and asks the user to send an SMS to a particular number in order to receive unlock codes.

[Figure 5 – RansomSMS GUI]
English Translation:
WINDOWS IS LOCKED
In order to unlock, send an SMS
to the number 3649
with the following text k2600620004
submit the receiving code to the input box.
*Any other operations aside from activation will lose your information and damage the system.

[Figure 6 – RansomSMS GUI]
English Translation:
Windows is locked
In order to unlock, you must send an SMS with the following text
41112548187
to the number
3649
Submit the received code to the input box.
If you try to reinstall the system you will lose important information and it will damage the system.

[Figure 7 – RansomSMS GUI]
English Translation:
Send SMS with the following text: old<Space character>serzh to the number: 4161
(Price is 10 ruble. Without NDS)!
The received code = second word within the received SMS. Enter the received word into the text box.
Win32/Mousenap
This malware usually takes control of the mouse cursor making it impossible to click on any window in the system. Like Win32/RansomSMS, this malware also asks the user to send an SMS to the indicated numbers [Figure 8].

[Figure 8 – Win32/Mousenap GUI and removal instructions]
English Translation:
Thank you for watching a gay porno on gays*xsms-ru
In order to disable all the informers on your computer
send SMS with the code “accqeri” to following number:
3649-Russia, 5014 – Ukraine, 1171 – Ukraine Life : )
As an answer You will receive a SMS, the first word will be a keyword in order to disable the Gay-informer
Enter the keyword __________________ Disable
The SMS price for Ukrainian users is 25 Ukrainian grivna, for Russian users from 30 to 300 Russian ruble
Win32/Mousenap.A Manual Recovery
Fortunately the malware does not control the keyboard; however, it does terminate TASKMGR.EXE. Use the instructions below to open a console window and type the commands required to manually remove this malware.
1. Press Windows logo + R to open the Run dialog box
2. Type CMD.EXE
3. Press Enter
4. Type tasklist
5. Press Enter
6. Locate the malware's process ID (please see Figure 8 for an example)
7. Type taskkill /F /PID <Process ID> /T
8. Press Enter
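The same steps 4 to 8, collected into a small batch script that can be typed into the CMD.EXE window opened in steps 1 to 3. This is an added example and not a tool from the original post or from CA; the image name MALWARE_EXE is a placeholder, since the actual name is only shown in Figure 8 and must be read off the tasklist output on the infected machine. It generalises the manual procedure slightly by killing every process with that image name rather than one PID typed by hand.

```batch
@echo off
REM Added example (not from the original post): automates steps 4-8 of the
REM manual recovery above. MALWARE_EXE is a placeholder; replace it with the
REM image name you identified from tasklist (see Figure 8).
setlocal
set "MALWARE_EXE=malware_placeholder.exe"

REM Steps 4-5: show the suspect process (if any) so the PID can be confirmed.
REM /FI filters by image name, /NH drops the column header.
tasklist /FI "IMAGENAME eq %MALWARE_EXE%" /NH

REM Steps 6-8: the PID is the second whitespace-separated column of each
REM matching tasklist line. findstr keeps only real matches (tasklist prints
REM an "INFO: No tasks..." line when nothing matches). Each PID is then
REM force-terminated together with its child processes (/F /PID ... /T),
REM exactly as in step 7.
set "FOUND=0"
for /f "tokens=2" %%P in ('tasklist /FI "IMAGENAME eq %MALWARE_EXE%" /NH ^| findstr /I "%MALWARE_EXE%"') do (
    set "FOUND=1"
    echo Terminating %MALWARE_EXE% with PID %%P
    taskkill /F /PID %%P /T
)
if "%FOUND%"=="0" echo No running process named %MALWARE_EXE% was found.
endlocal
```

Save the script as a .bat file and run it from the console, or paste the for /f line directly into CMD.EXE using single % instead of %% for the loop variable. Because the malware only interferes with the mouse and Task Manager, the keyboard-driven console path above remains available.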
Recommendation
These ransomware threats can be prevented by keeping your CA Security Product signatures updated and performing regular system backups.
* Many thanks to Arkady Kovtun for the Russian to English translations.