Attention! All data on your hardrive is encrypted

From Botnets.fr


Title: Attention! All data on your hardrive is encrypted
Botnet: Matsnu
Date: 2013 / 2013-01-30
Editor/Conference: AVG
Link: http://blogs.avg.com/news-threats/attention-data-hardrive-encrypted (Archive copy)
Author: Tomas Prochazka, Michal Cebak

Abstract

We have seen various mutations of the well-known “police ransomware” Trojan throughout the year. Despite the threatening and convincing message it carries, most people probably choose to avoid the “fine” by simply removing the malware. Well, the following ransomware is a little bit different.

After the sample is executed and the initial emulator and virtual machine detections are passed, the process spawns either ctfmon.exe or svchost.exe (randomly chosen) and injects its own code into it. This injected system process then executes the copy of the sample from the %TEMP% folder, which creates another ctfmon.exe or svchost.exe child process with injected code and finally starts some interesting actions.

Bibtex

 @misc{2013BFR1289,
   editor = {AVG},
   author = {Tomas Prochazka, Michal Cebak},
   title = {Attention! All data on your hardrive is encrypted},
   day = {30},
   month = jan,
   year = {2013},
   howpublished = {\url{http://blogs.avg.com/news-threats/attention-data-hardrive-encrypted}},
 }