• Tag Archives online computer news
  • Rise in Anti-Child Porn Spam Protection Ransomware infections

    This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files.

    sl.png

    ScreenLocker window for ACCDFISA v2.0, There are actually a few different versions of this. ACCDFISA v2.0 HTML file, These can be worded slightly different, and can have different emails to message the virus creator.

    There seems to be either a leak of the ACCDFISA v2.0 source, or the creator is mixing up the layout of Ransom Note, Screen Locker, and even the internal code. So far I have found 3 different version of ACCDFISA v2.0 with different contact emails, Ransom Notes, Code, and what is worse is even the method of delivery. The previous ACCDFISA v2.0 mostly only affected servers with RDP enabled with weak security. But the last 2 victims I have been messaging had neither a server or RDP enabled, and claimed to have gotten it either by email or a malicious or hacked site. This makes this older modified infection another top placer for worst encrypting infections because the key is unrecoverable, Restore Points are wiped, the computer is locked down, services are mangled, free space and deleted files are wiped with SDelete, and of course files are encrypted with WinRar SFX AES exe’s.

    For informational purposes, the 2 virus creator emails I have found with these variants are brhelpinfo@gmail.com and Dextreme88@gmail.com.

    When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id <id> to <Email>@gmail.com !!).exe. It will then use Sysinternal’s SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\<Random Number>\svchost.exe when your computer starts. This program is launched immediately when you logon and blocks access to your Windows environment. If you boot your computer using SafeMode, Windows Recovery disk, or another offline recovery CD, you can delete or rename the c:\<Random Number>\svchost.exe file in order to regain access to your Windows Desktop. This “lockout” screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.

    This variant took 3 hours to completely finish on my VM. I was able to access the key file, and decrypt nearly all files and back them up before shutdown. So if you are lucky enough to see this happening, you should immediately backup the key file on the desktop / in the ProgramData folder.

    Sadly, just like the past variants, files cannot be decrypted either without the key, or a backup. If you are reading this infection free I have one question, Have you backed up today?. If not, you better get to it as these types of computer infections are on the rise and definitely here to stay!

    The files that this infection creates when it is installed are:

    File List:

    c:\<Random>\svchost.exe – ScreenLocker / Decrypter

    c:\<Random>\howtodecryptaesfiles.htm – RansomNote that all RansomNotes lnk’s point to

    c:\ProgramData\fdst<Random>\lsassw86s.exe Encrypter / Main dropper

    c:\ProgramData\<Random>\<Random>.dll – Different Numbers and Hashes used by the infection / Also where Temp Key is kept, But removed after completion

    c:\ProgramData\<Random>\<Random>.DLLS List of files to be infected by WinRar

    c:\ProgramData\<Random>\svchost.exe – WinRar CUI renamed

    c:\ProgramData\<Random>\svchost.exe – Sdelete Renamed

    c:\ProgramData\svcfnmainstvestvs\stppthmainfv.dll List of Numbers used by the infection

    c:\ProgramData\svtstcrs\stppthmainfv.dll List of Numbers used by the infection

    c:\Windows\System32\backgrounds2.bmp Renamed ScreenLocker / Decrypter, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\lsassw86s.exe Renamed Encrypter / Main dropper, Used to replace the one in ProgramData if deleted

    c:\Windows\System32\scsvserv.exe Used to complete mangle / disable services to further lock down computer

    c:\Windows\System32\lsassvrtdbks.exe Assists with encryption

    c:\Windows\System32\session455.txt Temp Storage used with .BAT file to logoff user account

    c:\Windows\System32\decryptaesfiles.html Used to copy to ProgramData

    c:\Windows\System32\Sdelete.dll Used to copy Sdelete to ProgramData

    c:\Windows\System32\kblockdll.dll Used to Lock desktop

    c:\Windows\System32\btlogoffusrsmtv.bat Used to log user off

    c:\Windows\System32\default2.sfx Used with winrar to encrypt files

    c:\Windows\System32\cfwin32.dll WinRar CUI renamed

    %Desktop%\<Random>.Txt – Also contains Decrypt Key, But removed after completion

    Registry List:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe – Launches ScreenLocker

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\<Random>\svchost.exe – Launches ScreenLocker

    Please Visit our Computer News Website and Blog

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere

    Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida


  • Windows 8 had more vulnerabilities than previous versions of Windows

    Microsofts Windows 8 platform has been tagged by security research firm Secunia as being the most vulnerable Windows platform on the market….according to their research, Windows 8 had more vulnerabilities than previous versions of Windows that are currently supported by Microsoft for 2013….the answer is quite simple; Flash. Because Flash is now baked into the modern instance of IE, any Flash vulnerability can now be tied into Windows 8 as well.

    flashwin8.png

    Visit www.ccrepairservices.com for all latest computer repair and related news online


  • John McAfee ‘grateful’ Intel is dropping his name from ‘worst software on the planet’

    John McAfee

    John McAfee is glad that Intel is dropping his name from McAfee’s antivirus software. 

    The UpTake: Intel is dropping the McAfee name from the antivirus software brand. It’s infamous founder, John McAfee, couldn’t be happier.

    John McAfee is finally glad to be rid of his embarrassing association with McAfee antivirus software.

    Intel, which acquired McAfee Inc. in 2011, is dropping the McAfee brand in favor of Intel Security. McAfee founded the eponymous global software security firm in 1987, but left the company in 1994. When we last checked in with the gonzo antivirus pioneer, he was being evicted from his luxury Portland apartment and employing biker bodyguards.

    His response to Intel’s rebranding was pure McAfee: “I am now everlastingly grateful to Intel for freeing me from this terrible association with the worst software on the planet,” he told the BBC. “These are not my words, but the words of millions of irate users. My elation at Intel’s decision is beyond words.”

    Intel CEO Brian Krzanich announced the name change at the International Consumer Electronics Show this week. It’s not clear that McAfee’s shenanigans had anything to do with the re-branding.

    McAfee’s disdain for the product bearing his name is well known.

    “Although I’ve had nothing to do with this company for over 15 years, I still get volumes of mail asking how do I uninstall this software,” McAfee said in a salty parody video released in June called “How to Uninstall McAfee Antivirus Software.” Warning: the video, embedded below, contains mature themes and John McAfee.

    Visit or our Repair section and services, or Call 754-234-5598 to repair your computer online for a small fee

    www.ccrepairservices.com


  • Oracle to issue huge security patch addressing 36 Java vulnerabilities

    ENTERPRISE VENDOR Oracle will issue its first patch update of 2014 on Tuesday and it just so happens that it’ll be one of its biggest ever that includes a slew of security patches, many of which address vulnerabilities in Java.

    The Critical Patch Update will address 144 flaws in hundreds of Oracle products, 36 of which apply to vulnerabilities in Java SE, including 34 that are bugs that can be exploited remotely by an attacker without requiring authentication.

    “Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products”, Oracle said in its pre-release announcement. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

    Five of the security fixes will apply to Oracle Database Server. One of these vulnerabilities might be remotely exploitable without authentication, meaning it could be exploited over a network without the need for a username and password.

    The patch update will be released on 14 January for Oracle products and components including JavaFX, versions 2.2.45 and earlier, Java JDK and JRE, versions 5.0u55, 6u65, 7u45 and earlier, and Java SE Embedded, versions 7u45 and earlier.

    The highest CVSS 2.0 Base Score for vulnerabilities in Oracle’s Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.

    Security firm Qualys’ CTO Wolfgang Kandek warned that plug-ins like Java are one of the main threat vectors as more companies are being infected through web based attacks.

    “One needs to pay attention to the browser plug-ins, and in that class, the most important is Oracle’s Java,” Kandek said. “Java just suffered a widely published attack during the Yahoo Ad-based attacks from [December to January 2014], where the Magnitude exploit kit was used to deliver malware to users that were running an outdated version of Java.”

    He added that Oracle’s critical patch update will “further tighten its security parameters”.

    ONLINE COMPUTER REPAIR SERVICES AND NEWS AT

    www.ccrepairservices.com