
And Now, an MBR Ransomware

Denis
Kaspersky Lab Expert
Posted November 29, 21:47 GMT
Tags: Ransomware

Today my colleague Vitaly Kamluk wrote about a new GpCode-like ransomware that encrypts users’ files with the RSA-1024 and AES-256 crypto-algorithms. We are continuing to investigate this malware and will let you know what we find.

However, GpCode.ax is not the only piece of ransomware we found today. We have just discovered malware that overwrites the master boot record (MBR) and demands a ransom in exchange for a password that restores the original MBR. It is detected as Trojan-Ransom.Win32.Seftad.a and Trojan-Ransom.Boot.Seftad.a.

This ransomware is downloaded by Trojan.Win32.Oficla.cw.

If Seftad.a is downloaded by Oficla.cw and run, the victim’s PC reboots and the following message appears on the screen:

The victim does not know the ransomware’s password, so after three incorrect attempts the infected machine reboots and the same message appears again.

The characters typed by the victim are read with BIOS interrupt 16h; the following routine then computes a value from them and compares it with a 2-byte hash:

Fortunately, neither the hard drives nor the files are actually encrypted, whatever the malware author claims. This ransomware only overwrites the original MBR with a malicious one:

The original MBR is saved in the fourth sector of the hard drive, with the malware’s infection marker stored at offset 0x9FE:

If the victim visits the malware author’s website, they are asked to pay $100 using ‘Paysafecard’ or ‘Ukash’.

If you are infected by this malware, do not visit the website. Use the password ‘aaaaaaciip’ (without quotes) to restore the original MBR. If the password doesn’t work, you can repair your MBR with Kaspersky Rescue Disk 10.

UPD: We've just found a new version of Trojan-Ransom.Win32.Seftad. Detection will be added as soon as possible. Use the password 'aaaaadabia' (without quotes) to restore the original MBR.

UPD2: Do not use the 'fixmbr' utility if you are infected with this trojan: it will not restore your partition table, and you won't be able to boot your OS. If you are infected and the passwords are invalid, plug your hard drive into a working computer and use this free tool, which will restore your MBR.
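The recovery described above (the saved copy of the original MBR and the infection marker at 0x9FE) together with the UPD2 caveat about fixmbr, as an added Python example that is not Kaspersky's recovery tool: it locates the saved copy in a raw disk image, sanity-checks it, writes it back to sector 0, and shows why a fixmbr-style rewrite of the boot code alone leaves an emptied partition table in place. Assumptions not stated on the page: the saved copy is the sector ending at offset 0x9FF with its 0x55AA boot signature replaced by the 2-byte marker, and the marker value itself (MARKER) is a constructed placeholder, as is the sample image.

```python
"""Recover a Seftad-style overwritten MBR from a raw disk image (added example,
not Kaspersky's tool). Assumed, not stated on the page: the saved MBR is the
sector ending at 0x9FF, its 0x55AA signature replaced by the 2-byte infection
marker; MARKER below is a constructed placeholder, not the real value."""
SECTOR = 512
MARKER = b"\xBE\xAF"                  # constructed placeholder marker
MARKER_OFF = 0x9FE                    # page: infection marker stored at 0x9FE
SAVED_OFF = MARKER_OFF - 510          # start of the sector holding the saved MBR
PT_OFF = 0x1BE                        # partition table: 4 x 16 bytes before 0x55AA

def partition_table_ok(sector: bytes) -> bool:
    """Plausible MBR: boot signature, valid status bytes, at least one partition."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xAA":
        return False
    entries = [sector[PT_OFF + 16 * i:PT_OFF + 16 * i + 16] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):  # status: bootable or clear
        return False
    return any(e[4] != 0 for e in entries)              # non-empty partition type

def is_infected(image: bytes) -> bool:
    """Marker present at 0x9FE and sector 0 left without a usable partition table."""
    return image[MARKER_OFF:MARKER_OFF + 2] == MARKER and not partition_table_ok(image[:SECTOR])

def recover_original_mbr(image: bytes) -> "bytes | None":
    """Put the boot signature back in place of the marker and sanity-check the result."""
    saved = bytearray(image[SAVED_OFF:SAVED_OFF + SECTOR])
    if bytes(saved[510:]) != MARKER:
        return None
    saved[510:] = b"\x55\xAA"
    return bytes(saved) if partition_table_ok(bytes(saved)) else None

def restore_image(image: bytes) -> "bytes | None":
    """Image with sector 0 replaced by the recovered MBR, or None if no copy was found."""
    mbr = recover_original_mbr(image)
    return None if mbr is None else mbr + image[SECTOR:]

def fixmbr_like(sector0: bytes, clean_code: bytes) -> bytes:
    """Generic fixmbr behaviour: new boot code, but the existing partition table is kept."""
    return clean_code[:PT_OFF].ljust(PT_OFF, b"\x00") + sector0[PT_OFF:]

def build_sample_image() -> "tuple[bytes, bytes]":
    """Constructed 8-sector image: (infected image, original MBR) for demonstration."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + (2048).to_bytes(4, "little") + (40960).to_bytes(4, "little")
    original = b"\xEB\xFE".ljust(PT_OFF, b"\x90") + entry + bytes(48) + b"\x55\xAA"
    malicious = b"\xEB\xFE".ljust(510, b"\x00") + b"\x55\xAA"   # partition table zeroed
    saved = original[:510] + MARKER                             # signature replaced by marker
    image = malicious + bytes(SAVED_OFF - SECTOR) + saved + bytes(3 * SECTOR)
    return image, original
```

On a real drive the same functions would be run over the first few sectors read from the device node of the disk attached to a working computer; the fixmbr_like case reproduces the unbootable result described in UPD2.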


16 comments


Vyacheslav Rusakov

2010 Nov 30, 13:46

Fixmbr? ;)


Sergey Golovanov

2010 Dec 01, 02:53

Re:

recovery console? ;)


Vyacheslav Rusakov

2010 Dec 01, 11:34

Re: Re:

From windows repair disk ;)


Vyacheslav Rusakov

2010 Dec 01, 15:12

Re: Re: Re:

And it will work only if malware saves info about partitions.


Merlin

2010 Nov 30, 17:13

Passwords didn't work for me, here's a hex dump from my first 4 sectors


Denis

2010 Nov 30, 17:20

Re: Passwords didn't work for me, here's a hex dump from my first 4 sectors

Hi, try 'aaaaadabia' (without quotes). It's a new version of Seftad.


Merlin

2010 Nov 30, 17:45

password

Tried that earlier and it didn't work.
When I take the hard drive out and look at it from another machine I can't see the partitions, so it looks like the virus edited the partition table.

Any other ideas?


William

2010 Nov 30, 18:57

Neither password is working on a client's PC. Getting ready to try the KAV disc.


Beroe

2010 Nov 30, 19:07

Help

The passwords didn't work.
I need to fix my pc as soon as possible.
Please come with a solution!

Edited by Beroe, 2010 Nov 30, 22:40


Denis

2010 Dec 01, 13:46

Re: Help

Try Kaspersky Rescue Disk 10 with updated bases http://support.kaspersky.com/viruses/rescuedisk?level=2


ehsan

2010 Dec 01, 12:47

The passwords and Kaspersky Rescue Disk 10 didn't work for me (the scan finishes in 5 seconds and I can't add anything to the scan).
Someone suggested I run FIXMBR, but it made it worse and now the PC can't boot from the hard disk; it says "error loading operating system".
Really don't know what to do, pls find a solution asap.

Edited by ehsan, 2010 Dec 01, 13:30


Denis

2010 Dec 01, 13:44

Re:

Have you tried the Rescue Disk with fully updated bases?


dfff

2010 Dec 01, 15:07

Solution

SOLUTION

This happened to me on a few computers; here is how I solved it. You do not lose the data: the only thing the virus does is damage the MBR (Master Boot Record), and that is what prevents you from accessing the data.

The first thing you do is make a CD called Hiren's Boot. I have done it with version 10.2; version 12 does not have the programs I need.

Turn on your computer with this CD in, and when the menu starts choose "Dos BootCD", then the option "Partition tools", and then the program "Acronis Disk Director Suite 10.0.2160". This program asks whether to run in manual or automatic mode; choose manual and click OK.
Then select the hard disk (it will show as unallocated) with the right button, choose "Advanced" and then the option "Recover", then select "Manual" and Next, then "Fast" and Next. In the table that comes out you now have to choose the partition from the list, and then click Next.
Now you have the option to view the data you had before; one can only recover the MBR.

Restart the computer with the CD, and in the menu choose "Mini Windows XP". This loads a live version of Windows XP. Go to the desktop icon HBCDMenu, then Menu -> Partition/Boot -> MbrFix, and in the MS-DOS window that appears run this command: mbrfix.exe /drive 0 fixmbr. This fixes the MBR; reboot without the CD and you've got it working.

I hope that helps.


Aldo

2011 Jul 25, 11:28

Re: Solution

A new version of "ransomware" has happened to me.
The application "Acronis Disk Director Suite 10.0.2160" is locked in the function "Analyzing partition 1/1"; after about two hours Acronis closes.
Obviously the passwords found on the internet don't work.
Suggestions?
Thanks


Steven K

2010 Dec 01, 21:03

Video Removal Guide

http://www.youtube.com/watch?v=e7RgU7NNAbw
Same as Juan, using Hiren's Boot.


theeye23

2011 Apr 12, 15:51

MBRFix

The official site of MBRFix

http://www.sysint.no/nedlasting/mbrfix.htm
