Continuous appearance of ransomware variants.

1. Introduction

Ransomwares are getting spread these days. In the midst of prevalent malicious wares, peculiar ransomware which locks user's desktop and induces user to pay.
The biggest feature of this kind of Ransomware is generating malicious file on certain path and rebooting victim's computer on infected.

Previous malicious files focused on leaking information and destroying internal files, however, Ransomware induces user to pay.

2. Spreading path and symptoms of infection

Currently found malicious file can be downloaded from certain web site, even if the domain address are not same.

* Ransomware malicious file spreading domain information
 - http://xxxxxx.info/player/pornoplayer.exe
 - http://xxxxx.info/player/pornoplayer.exe
 - http://xxxxx.info/player/pornoplayer.exe
 - http://xxxxxx.info/player/pornoplayer.exe

Downloaded file name is pornoplayer.exe.



Furthermore, on executing this malicious file, system will be rebooted and desktop will be locked.
As a result, it will make that accessing desktop is impossible.



It will show "Warning" message and induce user certain amount of money. After payment, victim will be received release code then victim can unlock his desktop.

* Flow of general "File-typed Ransomware"

  

Executing downloaded pornoplayer.exe will create malicious file on following path.

[Generated file]
C:\Documents and Settings\(User account)\2639420692\2639420692.EXE

Besides, registering registry value will infect victim's PC on every booting.

[Register registry value for working on booting]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 - Value name : "ZDF2639420692AWrt2639420692AdsWrt2639420692aAdsWrtenZDF2639420692_26394206920"
 - Value data : "C:\Documents and Settings\(User account)\2639420692\2639420692.EXE"

3. How to prevent

To use PC safely from ransomware, we recommend following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function “ON”
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with “nProtect Anti-Virus/Spyware” for detecting such as malicious file stated above and runs responding system against various security threats.

Diagnosis name

 - Trojan/W32.PornoPlayer.47616

* How to remove manually


1. Enter safe mode on booting
2. Move to C:\Documents and Settings\(User account)\2639420692\.
3. Remove that folder or 2639420692.EXE.
4. Windows "Run -> regedit".
5. Remove following registry value.
   HKEY_CURRENT_USER
       ㄴ Software\Microsoft
              ㄴWindows
                   ㄴCurrentVersion
                         ㄴRun
                              ㄴ ZDF2639420692AWrt2639420692AdsWrt2639420692aAdsWrtenZDF2639420692_26394206920
6. Reboot.

company