
8/29/2011

[Warning] Ransomware disguised as Adobe Flash Player identified

1. Introduction

Recently, several variants of a ransomware that masquerades as Adobe Flash Player, copying its icon and file name, have been identified spreading worldwide.
Because this ransomware relies on social engineering, disguising its file name and file properties, general users need to be careful not to fall for it. Once a PC is infected, the ransomware pressures the user into paying money. The most important thing is to prevent infection in the first place.
  
2. Spreading path and symptoms of infection

This ransomware can spread through downloads from relatively vulnerable web sites that have been tampered with. E-mail attachments, instant messenger messages and links shared on social networking services (SNS) can also be routes of infection.

One of its most notable features is that it is disguised with Flash Player's file name and icon.


General users may execute this malicious file because of its icon and file name. Once it runs, the following screen is displayed on the infected PC.



To use the PC normally, the screen demands that a certain key be entered, and it pressures the user into sending a certain amount of money to obtain that key. After infection, only the input field for entering the code remains active. The following process describes the malicious behavior observed when this file is executed.


 
We found that an additional malicious file is created and that a certain process (explorer.exe) is killed; the registered information can also be seen in the registry.

The additionally generated "swap32.exe" is a clone of "flashplayer.exe", and based on the registry value below it is launched together with Explorer.exe.

* Registry value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- Name : Shell
- Data : "Explorer.exe, C:\Documents and Settings\(User account)\Local Settings\Application Data\Aware Products\Temp\Cache\Extension"
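As an added example, not part of the original advisory, the following check parses a Winlogon "Shell" value of the kind shown above and reports every program entry other than the Windows default, explorer.exe. The sample values are constructed from the registry data above, with "user" standing in for the real account name; the live read uses the standard-library winreg module and is skipped on non-Windows systems.

```python
from typing import List, Optional

# The Windows default for the Winlogon "Shell" value is exactly this.
EXPECTED_SHELL = "explorer.exe"

# Constructed sample values: a clean default and the tampered value from
# the advisory, with "user" standing in for the real account name.
SAMPLES = {
    "clean": "Explorer.exe",
    "tampered": (r"Explorer.exe, C:\Documents and Settings\user\Local Settings"
                 r"\Application Data\Aware Products\Temp\Cache\Extension"),
}


def parse_shell_value(data: str) -> List[str]:
    """Split a Shell value into its program entries.

    Winlogon runs every comma-separated entry, so a path appended after
    Explorer.exe is started alongside the normal desktop shell.
    """
    data = data.strip().strip('"')
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def check_shell_value(data: str) -> List[str]:
    """Return every entry that is not the expected shell (empty = clean).

    The comparison is case-insensitive but otherwise exact: the default
    value carries no path, so a full path to any binary, even one named
    explorer.exe sitting in a user-writable directory, is reported.
    """
    return [e for e in parse_shell_value(data) if e.lower() != EXPECTED_SHELL]


def read_live_shell_value() -> Optional[str]:
    """Read the real HKLM value on Windows; return None on other platforms."""
    try:
        import winreg  # standard library, Windows only
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return str(value)


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {check_shell_value(value) or 'clean'}")
    live = read_live_shell_value()
    if live is not None:
        print("live:", check_shell_value(live) or "clean")
```

The same check applies to the per-user key under HKEY_CURRENT_USER, which carries no Shell value by default, so any entry found there is worth investigating.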

This ransomware contains a valid code that it compares against the value entered by the user.
The valid code can be found by tracing the program as follows.


  
* Valid code for unlock



* Valid code
Valid code is "123456545".

3. How to prevent

To keep a PC safe from the security threats posed by such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security patches.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of malicious files such as the one described above through nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis name

- Trojan/W32.Agent.112128.LY
