SOLVED Ransom Trojan 2011 - Information

Ace

Microsoft MVP
Joined
Jul 7, 2011
Messages
314
Reaction score
61
Even though files are deemed as updates, you should always check them for validity before installing them, or install at your own risk.

Recently there was an update for firefox from a fake firefox site

Code:
http:// firefox.perl .sh
File Info:
MD5: 9a6f87b4be79d0090944c198a68012b6

Originally, there were only 3 detections for it:
https://www.virustotal.com/file-sca...7b0152ee3f22e2e9afc8d77788686f1299-1299783978
(Almost all of the great AV's were unaware of this file's malicious activity it looks like)

But after a while it became more known with AV's and it's detection rate raised up to 40/42 of the online built in scanners:
https://www.virustotal.com/file-sca...7b0152ee3f22e2e9afc8d77788686f1299-1302561162

A friend of mine had this on his computer:


A result of downloading this file.

The file appears to lock all application executions, as well as your entire Operating System from being used, and it prompts you with this message instead.

I took the file off his computer, and did some testing with it on my own unaware that this Ransomware would "release" itself after a while. Since there was an area for a key activation to allow you to access your Operating system again.



Here would be your next screen. However all of those given numbers are invalid.

Testing this with a few debugging tools on my own machine gave me a key: 1351236 Which apparently is the real key to get back into your system. Each digit has to be entered into the textboxes.

However this would be a pretty dangerous file, the Ransomware actually gives you a valid key after quite a few tries I believe, with testing those numbers given of course, which was the only catch. It worked for some people but didn't for me.)

I was actually pretty intrigued at how the newer generation of trojans have become so diverse in human engineered malware. Also at how people came up with the idea to create a system locker like this is pretty frightening.

This exact file was also released as an adobe flash update executable from what i've read. All sites hosting this Ransomware have been removed by the bigger parties though I believe.

More Information here: [ame="[MEDIA=youtube]WyAmC6DPRzw[/MEDIA]"]Activation Ransom trojan - YouTube[/ame]
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top