
8/29/2011

[Warning] Ransomware Disguised as Adobe Flash Player Identified

1. Introduction

Recently, a ransomware variant spreading worldwide that masquerades as Flash Player, using its icon and file name, has been identified.
Since this ransomware relies on a social engineering technique, disguising its file name and property values, general users need to be careful not to be deceived by it. Once a PC is infected, the ransomware pressures the user into paying money. The most important thing is to prevent infection in the first place.
  
2. Spreading path and symptoms of infection

Ransomware can be spread by download from relatively vulnerable web sites that have been tampered with. Besides that, e-mail attachments, instant messenger messages and links in SNS can be routes of infection.

One of its most notable features is that it is disguised with Flash Player's file name and icon.

General users may execute this malicious file because of its icon and file name. Once executed, the following screen is shown on the infected PC.



To use the PC normally, a certain key must be entered. To acquire the key, this page induces the user to send a certain amount of money. After infection, only the input field for entering the code remains active. The following process describes the malicious behavior on execution of this malicious file.

We found that an additional malicious file is created and a certain process (explorer.exe) is killed; we can also see the information registered in the registry.

The additionally generated "swap32.exe" is a clone of "flashplayer.exe", which runs alongside Explorer.exe based on the following registry value.

* Registry value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- Name : Shell
- Data : "Explorer.exe, C:\Documents and Settings\(User account)\Local Settings\Application Data\Aware Products\Temp\Cache\Extension"
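A defender-side check for the persistence mechanism above, written as an added example for this post (not INCA Internet's code): it splits the Winlogon Shell data into its comma-separated entries and flags anything other than the bare stock explorer.exe, using a constructed sample that mirrors the quoted registry data; the key path and value name are those quoted above, and on Windows it reads the live value instead.

```python
import sys
from pathlib import PureWindowsPath
from typing import List, Optional

# Winlogon key/value that the advisory's sample modified so that its clone
# (swap32.exe) is started alongside Explorer at every logon.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHELL_VALUE_NAME = "Shell"
STOCK_SHELL = "explorer.exe"


def parse_shell_entries(data: str) -> List[str]:
    """Split Winlogon's comma-separated Shell data into clean entries."""
    return [e.strip().strip('"') for e in data.split(",") if e.strip()]


def find_extra_shells(data: str) -> List[str]:
    """Return every Shell entry that is not the bare stock 'explorer.exe'.

    Winlogon launches each listed program at logon, so an appended path
    (as in the advisory's registry data) or a path-qualified 'explorer.exe'
    from an unexpected directory is a persistence indicator to investigate.
    """
    extras = []
    for entry in parse_shell_entries(data):
        p = PureWindowsPath(entry)
        if p.name.lower() != STOCK_SHELL or str(p.parent) != ".":
            extras.append(entry)
    return extras


def read_live_shell_value() -> Optional[str]:
    """Read HKLM\\...\\Winlogon\\Shell on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        data, _ = winreg.QueryValueEx(key, SHELL_VALUE_NAME)
    return data


if __name__ == "__main__":
    # Constructed sample mirroring the registry data quoted in the advisory;
    # '(User account)' is a placeholder for the real profile name.
    sample = (r'"Explorer.exe, C:\Documents and Settings\(User account)'
              r'\Local Settings\Application Data\Aware Products\Temp\Cache\Extension"')
    data = read_live_shell_value() or sample
    extras = find_extra_shells(data)
    if extras:
        print("Winlogon Shell has unexpected entries:")
        for e in extras:
            print("  ", e)
    else:
        print("Winlogon Shell is the stock explorer.exe only.")
```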

This ransomware contains a valid code against which it compares the value entered by the user.
The valid code can be found by tracing as follows.

* Valid code for unlock

* Valid code
The valid code is "123456545".

3. How to prevent

To use a PC safely against the security threats of such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications updated with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as the one described above, and operates a response system against various security threats.

Diagnosis name

- Trojan/W32.Agent.112128.LY
