Expandmenu Shrunk

  • Tag Archives new malware
  • Spoofed FedEx and USPS Kovter and Locky sites Ransomeware Malware Keeps Spreading

    www.ccrepairservices.com
    Locky Ransomeware New CPRS CCRS Computer Repair Miami Fort Lauderdale Website

    Following on from these  [ FEDEX ] [ USPS ]  posts describing the Spoofed FedEx and USPS ( and other delivery services from time to time) I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each days new sites to the lists, but please remember that old sites are reused daily until taken down by their hosts.  All the sites used in this malware spreading campaign are hacked / compromised sites.

     

    The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js by searching on your computer, that is run directly from temp internet files ) Counter.js then downloads  a different variant of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. but it is rare for the site delivering counter.js to actually download from itself, normally that downloads from a different site on the list. All the files ( apart from the original counter.js) pretend to be png ( image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. to get the second counter.js you need to change the &r=01 at the end of the url to &m=01 ( or 02-05). This second counter.js contains additional sites to download from which frequently includes sites from the previous days lists that are not already included in the WSF or first counter.js.

    I only accidentally  found out about the second /3rd /4th /5th  counter.js when I made a mistake in manually decoding the original wsf file ( and the original counter.js) and mistyped/ miscopied  the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and blocked by an antivirus or web filter service.

    25 December 2016:  ( Payload Security report  )

    3spension.com
    minebleue.com
    chaitanyaimpex.org
    break-first.com
    grancaffe.net
    www.meizumalaysia.com
    dreamoutloudcenter.org
    megrelis-avocat.com

    /counter/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&m=9488599&i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ

    /counter/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&r=01

    27 December2016:  ( Payload Security report  )

    lacasadeicuochi.it
    boardedhallgreen.com
    www.memoodgetactive.det.nsw.edu.au
    rebecook.fr
    peachaid.com
    kidsgalaxy.fr
    baltasmenulis.lt
    artss.org

    /counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7  

    /counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01

    28 December 2016:  ( Payload Security report  )

    thanepoliceschool.com
    chimie.iset-liege.be
    partnersforcleanstreams.org

    /counter/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&m=8429816&i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE

    /counter/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&r=01

    29 December 2016:  ( payload Security report)

    cobycaresfoundation.org
    dev.zodia-q.com
    shark1.idhost.kz
    italysfinestdesign.it
    salutgaudi.com
    zodia-q.com

    /counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

    /counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

    2nd version today ( Payload Security Report )

    /counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

    /counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

    31 December 2016: ( Payload Security Report)

    www.iblasoni.com
    aventurarealestatedirectory.com
    www.apogeoform.net
    oytunidil.com
    ocentsinus.com
    sonja.ostrovanka.cz
    instalaciondeairesplit.com

    /counter/?a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ
    /counter/?i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ&a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&r=01

    31 December 2016: update 2 ( Payload Security)

    spiritdoula.net
    www.yabaojiuhe.com
    windycrestrental.com
    maggieellisbusinessconsulting.com
    pn-group.com
    inflation.us

    /counter/?a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7
    /counter/?i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7&a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&r=0


  • New KillDisk wiper varient threatens industrial control networks with Ransomware Trojan

    The TeleBots gang, which recently attacked Ukrainian banks with KillDisk malware that used Mr. Robot imagery (pictured), may now be targeting industrial control systems with a ransomware variant.

    The TeleBots gang, which recently attacked Ukrainian banks with KillDisk malware that used Mr. Robot imagery (pictured), may now be targeting industrial control systems with a ransomware variant.

    The KillDisk disk-wiper program that was used in conjunction with BlackEnergy malware to attack Ukrainian energy utilities has evolved into ransomware that may be targeting industrial-control networks.

    According to researchers at CyberX, the new variant was developed by the TeleBots cybergang, which recently emerged from the Sandworm threat group that is believed to have disrupted the Ukrainian power grid offline in December 2015 and January 2016, and allegedly compromised U.S. industrial-control systems and SCADA systems in 2014. Earlier this year, ESET researchers reported that TeleBots was a using different version of KillDisk to conduct cybersabotage attacks against the Ukrainian financial sector.

    In a blog post on Tuesday, CyberX reported that the ransomware variant is distributed via malicious Office attachments and displays a pop-up message demanding 222 Bitcoins, which is currently the equivalent of approximately $206,000. The variant’s exorbitant ransom and its link to Sandworm suggests that the group could be actively launching ransomware attacks against industrial-control networks.

    KillDisk uses a mix of RSA 1028 public key and AES shared key algorithms to encrypt local hard-drives and network-mapped folders that are shared across organizations, CyberX further reported.


  • Malicious Ads on Yahoo, AOL, Match.com, Trigger CryptoWall Infections

    cryptowall

    Attackers have been leveraging the FlashPack Exploit Kit to peddle the CryptoWall 2.0 ransomware on unsuspecting visitors to sites such as Yahoo, The Atlantic and AOL. Researchers believe that for about a month the malvertising campaign hit up to 3 million visitors and netted the attackers $25,000 daily.

    According to experts at Proofpoint, a firm that primarily specializes in email security, the exploit kit targeted a vulnerability in Adobe Flash via users’ browsers to install the ransomware on users’ machines.

    Malvertising is an attack that happens when attackers embed malicious code – in this case code that led to the latest iteration of CryptoWall – into otherwise legitimate ads to spread malware via drive-by downloads. Users can often be infected without even clicking on anything.

    CryptoWall, which takes users’ files, encrypts them with rigid RSA-2048 encryption, then asks for a fee to decrypt them, made a killing earlier this summer. In August it was reported that the ransomware made more than $1.1 million for its creators in just six months.

    Similar to Critoni/Onion, a ransomware dug up in July, CryptoWall 2.0 downloads a TOR client on the victim’s machine, connects to a command and control server and demands users send Bitcoin – $500 worth – to decrypt their files. Since the campaign lasted about a month, from Sept. 18 to this past Saturday, researchers are estimating that 40 of the campaign’s Bitcoin addresses collected at least 65 BTC each, a number that roughly translates to $25,000 a day.

    cryptowall1

    Proofpoint claims that high ranking sites such as AOL, The Atlantic, Match.com and several Yahoo subdomains such as their Sports, Fantasy Sports and Finance sites, were spotted serving up the tainted ads. Other sites lesser known in the U.S. such as Australia’s Sydney Morning Herald, The Age, and the Brisbane Times, were reportedly also doling out the ads.

    While the campaign started a month ago the firm claims things didn’t start to ramp up until recently.

    “After crossing a threshold level, it became possible to associate the disparate instances with a single campaign impacting numerous, high-traffic sites,” Wayne Huang, the company’s VP of Engineering, said of the campaign.

    The firm claims it worked quickly to notify those involved in the campaign, including the ad providers, and as of this week, believes the situation has been nullified.

    Last month researchers with Barracuda Labs found a CryptoWall variant with certificate signed by Comodo being distributed through ads on a handful of different websites. None of those sites were nearly as trafficked as those spotted by this most recent campaign however. The Alexa rankings for Yahoo (4), AOL (37), Match (203), and The Atlantic (386) place them within the top 500 of the internet’s most popular sites, something that likely upped the campaign’s exposure level.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • New file-encrypting ransomware called CryptoGraphic Locker

    A new file-encrypting ransomware was discovered today by BartBlaze called CryptoGraphic Locker. Just like other encrypting ransomware, this infection will scan your your data files and encrypt them so that they are unusable. The infection will then display a ransom note that requires you to purchase the decryption key in order to decrypt your files. The initial cost to purchase the key is .2 BTC, or approximately $100 USD, which makes this one of the cheaper ransoms that we have seen in a long time. Though the ransom starts out small, there is a 24 hour timer built into the application that will increase the ransom amount each time it hits 0.

    Computer Virus Removal in Fort Lauderdale
    Cryptographic Locker

    When you are infected with CryptoGraphic Locker, the application will configure itself to start when you login to Windows. It will then scan your drives for data files and create new encrypted copies using AES encryption and then delete the old ones. These new files will be renamed to have the extension .clf. A list of all encrypted files will be stored in the %Temp%\CryptoLockerFileList.txt file. The data files that CryptoGraphic Locker targets are:

    .odt,.ods,.odp,.odm,.odc,.odb,.doc,.docx,.docm,.wps,.xls,.xlsx,.xlsm,.xlsb,.xlk,.ppt,.pptx,.pptm,.mdb,.accdb,.pst,.dwg,.dxf,.dxg,.wpd,.rtf,.wb2,.mdf,.dbf,.psd,.pdd,.pdf,.eps,.ai,.indd,.cdr,.dng,.3fr,.arw,.srf,.sr2,.mp3,.bay,.crw,.cr2,.dcr,.kdc,.erf,.mef,.mrw,.nef,.nrw,.orf,.raf,.raw,.rwl,.rw2,.r3d,.ptx,.pef,.srw,.x3f,.lnk,.der,.cer,.crt,.pem,.pfx,.p12,.p7b,.p7c,.jpg,.png,.jfif,.jpeg,.gif,.bmp,.exif,.txt

    When the infection has finished encrypting your data it will display a ransom screen that explains how you can pay the ransom and decrypt your files. Unlike other file-encrypting ransomware that have been released lately, instead of using a decryption site, the malware application itself allows you to make payments, receive your decryption keys, enter your key to decrypt files, etc. While the infection is running it will also terminate the following applications if they are started or are running: Process Hacker, MalwareBytes, Spyhunter, Msconfig, Task Manager, Registry Editor, System Restore, or Process Explorer.

    Last, but not least, the infection will also change your Windows desktop background to the background below. Suprisingly, it uses the CryptoLocker name in the wallpaper instead of the CryptoGraphic Locker name that it uses in the application window.

    wallpaper.jpg

    At this time the Command & Control servers are down, so there is no way to pay the ransom. There is, though, some good news for those who are infected. This ransomware does not delete files using a secure deletion method and does not wipe your system restore points. Therefore you can use a file recovery tool to undelete your files or a program like Shadow Explorer to restore your files from Shadow Volume Copies. Information on how to restore your files from Shadow Volume Copies can be found in the CryptoLocker guide.

    Thanks to BartBlaze, Decrypterfixer, and Cody Johnston for providing info on this malware.

    File additions and registry changes are:

    %Temp%\CryptoLockerFileList.txt
    %Temp%\wallpaper.jpg
    <Path to Dropper>\<random.exe
    
    HKCU\Control Panel\Desktop\Wallpaper	"C:\Users\User\AppData\Local\Temp\wallpaper.jpg"(old value="")
    HKCU\Control Panel\Desktop\WallpaperStyle	"1"(old value="10")
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CLock
    
    

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida
    

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable


  • Rise in Anti-Child Porn Spam Protection Ransomware infections

    This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files.

    sl.png

    ScreenLocker window for ACCDFISA v2.0, There are actually a few different versions of this. ACCDFISA v2.0 HTML file, These can be worded slightly different, and can have different emails to message the virus creator.

    There seems to be either a leak of the ACCDFISA v2.0 source, or the creator is mixing up the layout of Ransom Note, Screen Locker, and even the internal code. So far I have found 3 different version of ACCDFISA v2.0 with different contact emails, Ransom Notes, Code, and what is worse is even the method of delivery. The previous ACCDFISA v2.0 mostly only affected servers with RDP enabled with weak security. But the last 2 victims I have been messaging had neither a server or RDP enabled, and claimed to have gotten it either by email or a malicious or hacked site. This makes this older modified infection another top placer for worst encrypting infections because the key is unrecoverable, Restore Points are wiped, the computer is locked down, services are mangled, free space and deleted files are wiped with SDelete, and of course files are encrypted with WinRar SFX AES exe’s.

    For informational purposes, the 2 virus creator emails I have found with these variants are brhelpinfo@gmail.com and Dextreme88@gmail.com.

    When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id <id> to <Email>@gmail.com !!).exe. It will then use Sysinternal’s SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\<Random Number>\svchost.exe when your computer starts. This program is launched immediately when you logon and blocks access to your Windows environment. If you boot your computer using SafeMode, Windows Recovery disk, or another offline recovery CD, you can delete or rename the c:\<Random Number>\svchost.exe file in order to regain access to your Windows Desktop. This “lockout” screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.

    This variant took 3 hours to completely finish on my VM. I was able to access the key file, and decrypt nearly all files and back them up before shutdown. So if you are lucky enough to see this happening, you should immediately backup the key file on the desktop / in the ProgramData folder.

    Sadly, just like the past variants, files cannot be decrypted either without the key, or a backup. If you are reading this infection free I have one question, Have you backed up today?. If not, you better get to it as these types of computer infections are on the rise and definitely here to stay!

    The files that this infection creates when it is installed are:

    File List:

    c:\<Random>\svchost.exe – ScreenLocker / Decrypter

    c:\<Random>\howtodecryptaesfiles.htm – RansomNote that all RansomNotes lnk’s point to

    c:\ProgramData\fdst<Random>\lsassw86s.exe Encrypter / Main dropper

    c:\ProgramData\<Random>\<Random>.dll – Different Numbers and Hashes used by the infection / Also where Temp Key is kept, But removed after completion

    c:\ProgramData\<Random>\<Random>.DLLS List of files to be infected by WinRar

    c:\ProgramData\<Random>\svchost.exe – WinRar CUI renamed

    c:\ProgramData\<Random>\svchost.exe – Sdelete Renamed

    c:\ProgramData\svcfnmainstvestvs\stppthmainfv.dll List of Numbers used by the infection

    c:\ProgramData\svtstcrs\stppthmainfv.dll List of Numbers used by the infection

    c:\Windows\System32\backgrounds2.bmp Renamed ScreenLocker / Decrypter, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\lsassw86s.exe Renamed Encrypter / Main dropper, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\scsvserv.exe Used to complete mangle / disable services to further lock down computer

    c:\Windows\System32\lsassvrtdbks.exe Assists with encryption

    c:\Windows\System32\session455.txt Temp Storage used with .BAT file to logoff user account

    c:\Windows\System32\decryptaesfiles.html Used to copy to ProgramData

    c:\Windows\System32\Sdelete.dll Used to copy Sdelete to ProgramData

    c:\Windows\System32\kblockdll.dll Used to Lock desktop

    c:\Windows\System32\btlogoffusrsmtv.bat Used to log user off

    c:\Windows\System32\default2.sfx Used with winrar to encrypt files

    c:\Windows\System32\cfwin32.dll WinRar CUI renamed

    %Desktop%\<Random>.Txt – Also contains Decrypt Key, But removed after completion

    Registry List:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\<Random>\svchost.exe – Launches ScreenLocker

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Zeus Trojan (or Zbot Trojan) steals confidential information from the infected computer.

    Pandemiya hacking trojan

    A new and relatively rare Zeus Trojan program was found which is totally different from other banking Trojans and has capability to secretly steal data from forms, login credentials and files from the victim as well as can create fake web pages and take screenshots of victim’s computer.

    Researchers at RSA Security’s FraudAction team have discovered this new and critical threat, dubbed as ‘Pandemiya’, which is being offered to the cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, that is widely used by most of the cyber-criminals for years to steal banking information from consumers and companies.

     

    The source code of the Zeus banking Trojan is available on the underground forums from past few years, which lead malware developers to design more sophisticated variants of Zeus Trojan such as Citadel, Ice IX and Gameover Zeus.

     

    But, Pandemiya is something by far the most isolated and dangerous piece of malware as the author spent a year in writing the code for Pandemiya, which includes 25,000 lines of original code written in C.
    Like other commercial Trojan, Pandemiya infect the machines through exploit kits and via drive-by download attacks to boost infection rate that exploit flaws in the vulnerable software such as Java, Silverlight and Flash within few seconds victim lands on the web page.

    Pandemiya’s coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.,” researchers from RSA, the security division of EMC, said Tuesday in a blog post. “Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C.

    Pandemiya Trojan using Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe and re-injects itself when needed. Pandemiya is being sold for as much as $2,000 USD and provides all the nasty features including encrypted communication with command and control servers in an effort to evade detection.The Trojan has been designed with modular architecture to load more external plug-ins, which allows hackers to add extra features simply by writing new DLL (dynamic link library). The extra plug-ins easily add capabilities to the Trojan’s core functionality, that’s why the developer charge an extra of $500 USD to get the core application as well as its plugins, which allows cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files in order to inject the malware at start up.

     

    The advent of a freshly coded new trojan malware application is not too common in the underground,” Marcus writes, adding that the modular approach in Pandemiya could make it “more pervasive in the near future.

    The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts.

    HOW TO REMOVE PANDEMIYA TROJAN

    The Trojan can be easily removed with a little modification in the registry and command line action, as explained below:

      1. Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user’s ‘Application Data’ folder. Note the name, and delete the registry value.
      2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry.
      3. Reboot the system. At this stage Pandemiya is installed but no longer running. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Cryptowall Ransomware Spreading on the internet rapidly through advertisements

    Cryptowall Lock Malware spyware spreading
    Cryptowall Lock Malware

     

    Ransomware is an emerging threat in the evolution of cybercriminals techniques to part you from your money. Typically, the malicious software either lock victim’s computer system or encrypt the documents and files on it, in order to extort money from the victims.

    Though earlier we saw the samples of Ransomware tended to be simple with dogged determinations to extort money from victims. But with the exponential rise in the samples of Ransomware malwares, the recent ones are more subtle in design, including Cryptolocker, Icepole, PrisonLocker, CryptoDefense and its variants.

    Now, the ransomware dubbed as Cryptowall, a latest variant of the infamous ransomware Cryptolocker is targeting users by forcing them to download the malicious software by through advertising on the high profile domains belonging to Disney, Facebook, The Guardian newspaper and others.

    Cryptolocker is designed by the same malware developer who created the sophisticated CryptoDefense (Trojan.Cryptodefense) ransomware, appeared in the end of March, that holds the victims’ computer files hostage by wrapping them with strong RSA 2048 encryption until the victim pays a ransom fee to get them decrypted.

    But unfortunately, the malware author failed to realize that he left the decryption keys left concealed on the user’s computer in a file folder with application data.

    So, to overcome this, the developer created Cryptowall ransomware and alike the latest versions of CryptoDefense, the infected system’s files and documents encrypted by CryptoWall are impossible to decrypt.

    The story broke, when researchers at Cisco revealed that cybercriminals have started targeting people with RIG Exploit Kits (EK) to distribute malicious Cryptowall ransomware malware.

    The Rig Exploit Kit was first spotted by Kahu Security in April, which checks for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia program on the infected users and if found, the system is instantly exploited by the bad actors.

    Researchers at Cisco have noticed high levels of traffic consistent with the new “RIG” exploit kit, thereby blocking requests to over 90 domains. On further investigation, the company observed that many of its Cloud Web Security (CWS) users were visiting on those malicious domains after clicking advertisements on high-profile domains such as “apps.facebook.com,” “awkwardfamilyphotos.com,” “theguardian.co.uk” and “go.com,” and many others.

    cryptowall ransomware If clicked, the advertisements redirect victims to one of those malicious domains in order to malvertise users and once the system get infected with the RIG Exploit Kit, it will deliver the payload which includes the Cryptowall Ransomware malware.

    Now, when this CryptoWall is installed in the infected system, it will start scanning the system Hard Drive for data files and encrypt them.

    After encrypting the files on victim’s system, it will create files containing ransom instructions in every folder it had encrypted, demanding up to $500 USD. The service where users are instructed to pay the ransom amount is a hidden service that uses the Command-and-Control server hosted on TOR .onion domain.

    The largest share of infections, some 42 percent, are in the United States, followed by England and Australia, but it believes that several groups and bad actors are involved in this attack chain.

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Cryptowall Lock Malware
    Greased Lightbox

    +↻↻↻↻

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable


  • First Android Phone Ransomware that Encrypts your SD card Files

    We have seen cybercriminals targeting PCs with Ransomware malware that encrypts your files or lock down your computer and ask for a ransom amount to be paid in a specified duration of time to unlock it.
    To deliver the Ransomware malwares to the mobile devices, cyber criminals have already started creating malicious software programs for android devices. Last month, we reported about a new Police Ransomware malware that locks up the devices until the victims pay a ransom to get the keys to unlock the phone. But, the malware just lock the mobile screen and a loophole in the its implementation allowed users to recover their device and data stored on SDcard.

    Now, in an effort to overcome this, threat actors have adopted encryption in the development of mobile Ransomware malwares. Recently, the security firm ESET has discovered a new Android ransomware, dubbed as Android/Simplocker.A, that has ability to encrypt the files on the device SD card and then demand a ransom from the victim in order to decrypt those files.

    Once installed, the malware scans the SD card for certain file types such as image, document or video with extensions – jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 and encrypts them using AES in a separate thread in the background. After encrypting the files, the malware displays the following ransom message, written in Russian, which clearly means that this threat is targeting Russian Android users.

    WARNING your phone is locked!
    The device is locked for viewing and distributing child pornography , zoophilia and other perversions.
    To unlock you need to pay 260 UAH.
    1.) Locate the nearest payment kiosk.
    2.) Select MoneXy
    3.) Enter {REDACTED}.
    4.) Make deposit of 260 Hryvnia, and then press pay. Do not forget to take a receipt!
    After payment your device will be unlocked within 24 hours. In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!

    The Ransomware malware directs victim to pay the ransom amount i.e. 260 UAH, which is roughly equal to $21 US, through the MoneXy service, as this payment service is not easily traceable as the regular credit card.

    mobile virus

    To maintain anonymity the malware author is using the Command-and-Control server hosted on TOR .onion domain and the malware sends the information of the infected device such as IMEI number to its server. The researchers at ESET are still analysing the malware:

    Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to “the infamous Cryptolocker” on Windows.

    The researchers have found that the malware is capable to encrypt the victim’s files, which could be lost if the decryption key is not retrieved from the malware author by paying the ransom amount, but on the other hand the researchers strongly advise users against paying fine, as their is no guarantee that the hacker will provide you decryption keys even after paying the amount.
    Unfortunately, mobile antivirus products are only capable to detect such known/detected threats only and can’t detect similar the new threats. So, it is important for you to always keep the back-up of all your files either manually on the computer system or use cloud backup services like dropbox, google drive etc, in order to protect it from the emerging threats.

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida

    mobile virus
    Greased Lightbox

    +

    Loading image

    Click anywhere to cancel

    Image unavailable

     


  • The Mask, A malware campaign that remained undetected for 7 years

    A Sophisticated cyber spying operation, ‘The Mask’, that has been under the mask for about 7 years targeting approximately 31 countries, has now been ‘unmasked’ by researchers at Kaspersky Labs.
    The Researchers believe that the program has been operational since 2007 and is seems to be sophisticated nation-state spying tool that targeted government agencies and diplomatic offices and embassies before it was disclosed last month.
    In the unveiling document published by Kaspersky, they found more than 380 unique victims, including Government institutions, diplomatic offices/embassies, private companies, research institutions, activists etc.
    The name “Mask” comes from the Spanish slang word “Careto” (“Ugly Face” or “Mask”) which the authors included in some of the malware modules.
    Developers of the ‘Mask’ aka ‘Careto’ used complex tool-set which includes highly developed malware, bootkit, rootkit etc. that has the ability to sniff encryption keys, VPN configuration, SSH keys and RDP file via intercept network traffic, keystrokes, Skype conversation, PGP keys, WI-Fi traffic, screen capturing, monitoring all file operations, that makes it unique and dangerous and more sophisticated than DUQU malware.
    The malware targets files having an extension:

    *.AKF, *.ASC, *.AXX, *.CFD, *.CFE, *.CRT, *.DOC, *.DOCX, *.EML, *.ENC, *.GMG, *.GPG, *.HSE, *.KEY, *.M15, *.M2F, *.M2O, *.M2R, *.MLS, *.OCFS, *.OCU, *.ODS, *.ODT, *.OVPN, *.P7C, *.P7M, *.P7Z, *.PAB, *.PDF, *.PGP, *.PKR, *.PPK, *.PSW, *.PXL, *.RDP, *.RTF, *.SDC, *.SDW, *.SKR, *.SSH, *.SXC, *.SXW, *.VSD, *.WAB, *.WPD, *.WPS, *.WRD, *.XLS, *.XLSX.

    Victims of this malware found in: Algeria, Argentina, Belgium, Bolivia, Brazil, China, Colombia, Costa Rica, Cuba, Egypt, France, Germany, Gibraltar, Guatemala, Iran, Iraq, Libya, Malaysia, Mexico, Morocco, Norway, Pakistan, Poland, South Africa, Spain, Switzerland, Tunisia, Turkey, United Kingdom, United States and Venezuela.
    The malware remains untraceable for about 7 years and was able to infect Mac OS X version, Linux, Windows, iPad/iPhone and android running devices.
    According to the researchers, the Mask Malware was designed to infect the 32- and 64-bit Windows versions, Mac OS X and Linux versions, but researchers believe that possibly there may be more versions for Android and iPhones (Apple iOS) platforms.
    In its main binary a CAB file having shlink32 and shlink64 dll files are found during the research from which the malware extract one of them, depending upon the architecture of the victim’s machine and install it as objframe.dll.
    It includes the most sophisticated backdoor SGH, which is designed to perform a large surveillance function and except this it has DINNER module which gets executed via APC remote calls and reload ‘chef’ module responsible for network connectivity and ‘waiter’ modules responsible for all logical operations.
    Another backdoor called SBD (Shadowinteger’s Backdoor) which uses open source tools like netcat is included in the malware. To infect Linux versions, Mozilla Firefox plugin “af_l_addon.xpi” was used and was hosted on “linkconf[dot]net”
    Spear phishing, a favorite attack used by most cyber attackers like SEA, was used to distribute this malware. Users were lured to click some malicious websites that contain a number of exploits to compromise their systems.
    Latest Computer news and virus and malware threats at Complete computer Repair Services

    www.ccrepairservices.com