FBI moneypak ransom-ware virus

[WallShadow]

Good afternoon HTS,

I'm in a bit of a rush right now as I just got a laptop from a friend today which is infected with a virus similar to the European ransom-ware described in this topic. To put it short, after about a minute after logging in, the virus locks all system functions and presents something like a webpage which has written on it "we have found obscene child pornography on your system, this computer is being locked down and you must pay a fine of 200$ through moneypak to unlock it". I've searched online for it and it's definitely not new, however none of the screenshots I find match the one that this looks like so I'm assuming it is a newer version of it. I've also found that none of the registry keys and files specified by removal articles exist on the system in question. Link to an article about approximately what it is, but not exactly: http://botcrawl.com/how-to-remove-the-f ... e-removal/.

All I have is until tomorrow morning to fix this, and I can't wipe and reload, it's not my or his system, it formally belongs to the our school. I want to refrain from using Malware Anti-Malware Bytes because some of the shit that the school puts on these computers is just as persistent and restrictive as any virus. And besides, if this is a newer version, then there might be parts of it that MAMB would be unable to catch. I have limited user access to it in safe mode, and the virus doesn't seem to start in safe mode either so I'm assuming it did not perform any privledge escalation.

I'll be posting all the information I find as I research the thing here (hopefully i can get some samples of it). If anyone is able to help me with anything, I'd gladly appreciate it. Right now I could use a list of all possible startup methods that it could possibly use on Win 7 systems.

- WallShadow <3

TL;DR I HAZ A VIRUS! What do I do?



edit:

I've found one site with the proper example of this version of the malware (http://guides.yoosecurity.com/how-remov ... 0-dollars/)

looks like this:





edit 2:

it seems that no matter what I put onto the system, the virus kills EVERYTHING. I've tried setting up a backdoor written in java, but after a few port scans, it seems that the virus kills the java program and even a couple of other unrelated programs open on ports 135 and 139. I've tried setting up a batch file to record how long it takes before it kills everything, it turned out to be less than 20 seconds after the batch file runs. Anyone know of a way to make an unkillable process?

edit 2b:

made a batch script which runs at startup and clones itself 100 times and tries to kill all process other than itself ever single second. the script put up a fight, but the virus still killed ever last clone of it.

[limdis]

Look at this ingenious little thing. Alright; no promises but I'll sniff some dark corners of the net and see what I can dig up.

-- Tue Oct 02, 2012 8:47 pm --

Ok I'm seeing that TDSS Rootkit killer has had some success with getting rid of this. I can't vouch for it though as this is the first time I've heard about it myself. More to come...

-- Tue Oct 02, 2012 9:07 pm --

Check out the number of videos on youtube on this very exact thing. Saw a comment in a thread about it and wouldn't you know.

[WallShadow]

Since I ran out of options in hammering the virus, I've decided to take your approach and view videos for tips. I've scanned the HKCU\Software\Microsoft registry entries for any sign of weird rundll32.exe calls, but nothing came up besides calls to dlls inside C:\Windows\System32. I've decided to look through the %appdata% folders to find something and I think I've found a trail to follow; found under in AppData\Roaming\rt1.png with ATTRIB -H -S *.* :


(image is slightly cut off, view image shows the entire thing)

I'll search through the rest of it and see what I can find.




edit: scanning through ATTRIB -H -S *.* once more, I found that APPDATA\Roaming was the only folder that didn't display the "*.* file not found" error even after multiple times, however explorer wasn't showing anything new. Quick google search, "DIR /AHS" just like dir but only shows files with both the H and S attribute on. only one thing showed up, a folder called "System". I enter it, empty... "DIR /AHS" reveals a file by the name of "winlogon.exe", file size 146.432 bytes, created 10/01/2012. SUSPICIOUS A BIT? what do next? Gonna be sweeping the registry for links to this file in the mean time. Samples of this piece of shit availible to anyone who PM's me, I'm not hosting this crap on my website.


edit 2 :
searching through the registry for "System\winlogon.exe" I found 1 key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the name "Update" of type "REG_SZ" with a direct path to the virus. I feel like a fucking idiot considering that is one of the first places that I looked. Herp Derp. I just disabled the key and run the system normally, seems to be functioning perfectly normal again, but I'll still look around for any other parts of it. For such a nasty rootkit, it seems too simple to have only 1 file and a run key.

edit 3 :
for anyone who cares, while testing this malicious exe on my home computer, I found that Microsoft Security Essentials cleans this file immediately as soon as it is created. MSE also registered it as Trojan:Win32/Malagent (however this appears to be a category of malicious Trojans, not just this virus).






-- Wed Oct 03, 2012 12:15 am --



Well, system is now clean enough for use. Hard to consider that such a tough piece of malware is so small. I was expecting at least 2 exes and dozens of run keys, but no. Just one of each. Case Closed, I'd like to thank you limdis. If it wasn't for you, I would've given up 4 hours ago and handed it back as is. Lessons learned from this:

1. If the virus never obtained anything higher than user permissions, than it's just a matter of searching for any program that isn't in or doesn't start from Program Files or System32. If I would have realized this earlier, I could've finished this ages ago.

2. I actually found 2 registry entires with references to the virus, the second was under [[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]] which seems to be some kind of log for recent run keys because I found not only a key pointing to the virus but also keys pointing to the backdoor and the scripts to fight the virus which I loaded onto the computer and set run keys, but have since deleted all of them. Might be of interest to anyone studying the artifacts left by viruses and rootkits.

3. In my search for an unkillable program, I stumbled upon this: RtlSetProcessIsCritical(UInt32 v1, UInt32 v2, UInt32 v3) (look at http://stackoverflow.com/questions/1109 ... le-process). It is apparently a method for declaring a process more important than the rest of the entire system. It is for some reason a part of the Windows API, but apparently undocumented, and highly unsupported. I've seen it accessible from C and C# and I'm sure it's possible to tap into it from other languages. It works in some very weird ways, and I'm not entirely sure how it is supposed to be implemented. It has been warned that attempting to kill a process guarded by this will result in an instant BSoD, something that I have confirmed on my own system by starting such a process and right-click > close. It instantly BSoD'd, but thankfully didn't corrupt my system. C# source code for all who want to play around with it (can cause BSoD, you have been warned):

Code: Select all


using System;
using System.Diagnostics;
using System.Threading;
using System.Runtime.InteropServices;



public static class Unkillable
{
    [DllImport("ntdll.dll", SetLastError = true)]
    private static extern void RtlSetProcessIsCritical(UInt32 v1, UInt32 v2, UInt32 v3);

    public static void MakeProcessUnkillable()
    {
        Process.EnterDebugMode();
        RtlSetProcessIsCritical(1, 0, 0);
    }

    public static void MakeProcessKillable()
    {
        RtlSetProcessIsCritical(0, 0, 0);
    }
   
   static void Main(string[] args)
   {
      
      MakeProcessUnkillable();
         
         System.Console.WriteLine("Starting unkillable!");
      
      //while(true)
      //{
         
         Thread.Sleep(15000);
         
         System.Console.WriteLine("Ending unkillable!");
         
         MakeProcessKillable()
         
      //}
      
   }
   
}



Please don't judge my terrible C# skills, I've never actually studied C# and getting this to run was painful enough. Compiled using csc.exe version 3.5.

-WallShadow <3

[not_essence2]

Yes, I'm gravedigging, but I have a question to ask: How did you get the programs (the javascript back door program, for instance) in the computer if the computer is locked out of everything?

[hellow533]

Like I said before in another thread, you could try and oh, I don't know, RESTORING THE SYSTEM. You don't lose files or programs, I don't see why it's such a big freaking deal.

Do a system restore then run an antivirus, if you do not have one try Safety.live.com, assuming it is windows. That is how I removed the virus from a couple client's computers after their dumb ass employees decided it would be best to torrent at work. I can now say they don't have access to anything but designated sites at work now.

[WallShadow]

Yes, I'm gravedigging, but I have a question to ask: How did you get the programs (the javascript back door program, for instance) in the computer if the computer is locked out of everything?

Like I said before in another thread, you could try and oh, I don't know, RESTORING THE SYSTEM. You don't lose files or programs, I don't see why it's such a big freaking deal.

Do a system restore then run an antivirus, if you do not have one try Safety.live.com, assuming it is windows. That is how I removed the virus from a couple client's computers after their dumb ass employees decided it would be best to torrent at work. I can now say they don't have access to anything but designated sites at work now.

As I said earlier:

I have limited user access to it in safe mode, and the virus doesn't seem to start in safe mode

In other words, I didn't have administrator privileges and neither did the virus and therefore; I was able to boot into safe mode without the virus starting. I couldn't do system restore or anything like that due to lack of privileges. I've been devoting some time into studying it, and by running it in a WinXP machine, I found that it changes and starts a lot more stuff than I described here, but that is only with administrator privileges. The computer also had Kaspersky anti-virus installed on it. Guess what it picked up? NOTHING!!!!

@not_essence2, JavaScript is not the same as Java. Coding a backdoor in JavaScript would be amazing, show me sometime how you do it.

[hellow533]

I have limited user access to it in safe mode, and the virus doesn't seem to start in safe mode

In other words, I didn't have administrator privileges and neither did the virus and therefore; I was able to boot into safe mode without the virus starting. I couldn't do system restore or anything like that due to lack of privileges. I've been devoting some time into studying it, and by running it in a WinXP machine, I found that it changes and starts a lot more stuff than I described here, but that is only with administrator privileges. The computer also had Kaspersky anti-virus installed on it. Guess what it picked up? NOTHING!!!!

I've had some recent problems with Kaspersky to be honest, it caused more damage than it fixed after getting it. Try the safety.live.com trick, that should be able to fix the problem. If not, you can always buy a restore disc.

[not_essence2]

@WallShadow- I know, sorry, that was a typo (I read your first post wrong). Ironically, in my last post I was thinking about writing on how I might be missing something simple such as Safe Mode, but I dismissed it as I automatically thought that the virus had admin privs (It sounded like it did).

[Dwere134]

Hey sorry for gravedigging. Haven't been on the forums in quite some time.
Poked my head in here because I <3 me some malware and this piqued my interest.

I was just wondering if the code behind this malware is similar or basically identical to the code behind the scareware rogue AV shit that says "pay $75 to remove these infected files"

Clearly the CONCEPT is the same - scareware - but its delivery is sugar coated differently.
Did you the OP happen to save a copy of the malware and upload it anywhere for others to play with?

Thanks