And Now, an MBR Ransomware
Virus Watch, November 29 2010
Today my colleague Vitaly Kamluk wrote about a new GpCode-like ransomware that encrypts users' files with RSA-1024 and AES-256. We are continuing to investigate this malware and will report our findings.
GpCode.ax is not the only piece of ransomware we found today, however. We have also discovered a malware that overwrites the master boot record (MBR) and demands a ransom for the password that restores the original MBR. This malware is detected as Trojan-Ransom.Win32.Seftad.a and Trojan-Ransom.Boot.Seftad.a.
This ransomware is downloaded by Trojan.Win32.Oficla.cw.
Once Seftad.a has been downloaded by Oficla.cw and executed, the victim's PC reboots and the following message appears on the screen:

The victim does not know the password, so after three incorrect attempts the infected machine reboots and the same message appears again.
The characters typed are read via the BIOS keyboard service (int 16h), and the following routine computes a value from them and compares it with a 2-byte hash. Because only a 2-byte value is compared, there are at most 65,536 possible hash values, so any input whose hash collides with the stored one is accepted, not just the password the author chose:

Fortunately, despite the malware author's claim, neither the hard drive nor the files are encrypted. This ransomware only overwrites the original MBR with a malicious one:

The original MBR is saved in the fourth sector of the hard drive, and the malware's infection marker is stored at disk offset 0x9FE:

If the victim visits the malware author's website, they are asked to pay $100 via 'Paysafecard' or 'Ukash'.
If you are infected by this malware, do not visit the website. Use the password 'aaaaaaciip' (without quotes) to restore the original MBR. If the password doesn't work, you can repair your MBR with Kaspersky Rescue Disk 10.
UPD: We've just found a new version of Trojan-Ransom.Win32.Seftad. Detection will be added as soon as possible. Use the password 'aaaaadabia' (without quotes) to restore the original MBR.
UPD2: Do not use the 'fixmbr' utility if you are infected with this trojan: it rewrites only the master boot code and leaves the partition table in sector 0 untouched, so it will not restore your partition table and you will not be able to boot your OS. If you are infected and the passwords do not work, connect your hard drive to a working computer and use this free tool, which will restore your MBR.
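The recovery described above, and the reason 'fixmbr' is the wrong tool for it, put into code as an added example written for this page; it is neither Kaspersky's free tool nor the trojan's own code. It assumes 512-byte sectors, takes "fourth sector" to mean LBA 3 (counted from 1) but scans the early sectors for a valid MBR rather than relying on that, and uses a made-up two-byte marker value because the post does not print the real one. The disk image it operates on is constructed inline.

```python
import struct

SECTOR = 512                 # assumed sector size
MARKER_OFFSET = 0x9FE        # from the post: infection marker lives at this disk offset
MARKER = b"\x4B\x4C"         # hypothetical marker value; the post does not show it
BOOT_SIG = b"\x55\xAA"
PT_OFFSET = 446              # partition table: four 16-byte entries, then the signature
SAVED_MBR_LBA = 3            # "fourth sector", assumed to be counted from 1


def is_infected(image: bytes) -> bool:
    """True if the two marker bytes are present at disk offset 0x9FE."""
    return image[MARKER_OFFSET:MARKER_OFFSET + 2] == MARKER


def partition_entries(sector: bytes):
    """Parse the four partition entries as (status, type, lba_start, sector_count)."""
    entries = []
    for i in range(4):
        e = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack("<II", e[8:16])
        entries.append((e[0], e[4], lba_start, count))
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Checks a recovery tool should make before trusting a sector as the original MBR."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    entries = partition_entries(sector)
    used = [e for e in entries if e[1] != 0]
    if not used:                                  # empty table: nothing to boot from
        return False
    for status, ptype, start, count in entries:
        if status not in (0x00, 0x80):            # boot indicator must be 0x00 or 0x80
            return False
        if ptype != 0 and (start == 0 or count == 0):
            return False
    return sum(1 for e in used if e[0] == 0x80) <= 1   # at most one active partition


def find_saved_mbr(image: bytes, max_lba: int = 8):
    """Return (lba, sector) of the first sector after LBA 0 that validates as an MBR.
    Scanning, rather than trusting SAVED_MBR_LBA, copes with the 0/1-based ambiguity."""
    for lba in range(1, max_lba + 1):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_mbr(sector):
            return lba, sector
    return None


def restore_mbr(image: bytes) -> bytes:
    """Write the saved original MBR back to LBA 0: all 512 bytes, partition table included."""
    found = find_saved_mbr(image)
    if found is None:
        raise ValueError("no saved MBR found in the first sectors; refusing to write")
    _, original = found
    return original + image[SECTOR:]


def fixmbr_like(image: bytes) -> bytes:
    """What a generic 'fixmbr' does: replace only the 446 bytes of boot code and keep
    whatever partition table sector 0 already has. Against this trojan that keeps the
    malicious MBR's empty table, which is why the post warns against it."""
    generic_code = b"\x33\xC0" + b"\x90" * 444      # stand-in for standard boot code
    return generic_code + image[PT_OFFSET:]


def build_sample_image() -> bytes:
    """Constructed 8-sector image, not a real capture: malicious MBR with an empty
    partition table at LBA 0, the original MBR at SAVED_MBR_LBA, marker at 0x9FE."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 409600)
    original = b"\xFA\x33\xC0" + b"\x90" * (PT_OFFSET - 3) + entry + b"\x00" * 48 + BOOT_SIG
    malicious = b"\xEB\xFE" + b"\x90" * (PT_OFFSET - 2) + b"\x00" * 64 + BOOT_SIG
    image = bytearray(SECTOR * 8)
    image[0:SECTOR] = malicious
    image[SAVED_MBR_LBA * SECTOR:(SAVED_MBR_LBA + 1) * SECTOR] = original
    image[MARKER_OFFSET:MARKER_OFFSET + 2] = MARKER
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("infected:", is_infected(img))
    lba, _ = find_saved_mbr(img)
    print("saved MBR found at LBA", lba)
    print("bootable after fixmbr-style repair:", looks_like_mbr(fixmbr_like(img)[:SECTOR]))
    print("bootable after restoring saved copy:", looks_like_mbr(restore_mbr(img)[:SECTOR]))
```

Run it against a raw image of the affected disk (taken with dd from the working computer, never against the live device) and inspect what `find_saved_mbr` returns before writing anything back. One caveat follows from the offsets on the page: 0x9FE is the last two bytes of LBA 4, so if the "fourth sector" turns out to be LBA 4 counted from 0, the marker overwrites the saved copy's 0x55AA signature; in that case the signature check in `looks_like_mbr` must be relaxed for that sector and the tool must restore 0x55AA itself when writing to LBA 0.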
2010 Nov 30, 13:46
Fixmbr? ;)
2010 Nov 30, 17:13
passwords didn't work for me, here's a hex dump from my first 4 sectors
Dump track0 for disk 128 (0)
Re: passwords didn't work for me, here's a hex dump from my first 4 sectors
Hi, try 'aaaaadabia' (without quotes). It's a new version of Seftad.
2010 Nov 30, 17:45
password
Tried that earlier and it didn't work
2010 Nov 30, 18:57
Neither password is working on a client's PC. Getting ready to try the KAV disc.
2010 Nov 30, 19:07
Help
The passwords didn't work.
Edited by Beroe, 2010 Nov 30, 22:40
Re: Help
Try Kaspersky Rescue Disk 10 with updated databases: http://support.kaspersky.com/viruses/rescuedisk?level=2
2010 Dec 01, 12:47
passwords and Kaspersky Rescue Disk 10 didn't work for me (scan finishes in 5 sec and can't add anything to the scan)
Edited by ehsan, 2010 Dec 01, 13:30
2010 Dec 01, 15:07
Solution
SOLUTION
Re: Solution
A new version of "ransomware" has happened to me.
The application "Acronis Disk Director Suite 10.0.2160" is locked in the function "Analyzing partition 1/1"; after about two hours Acronis closes.
Obviously the passwords found on the internet don't work well.
Suggestions?
Thanks
2010 Dec 01, 21:03
Video Removal Guide
http://www.youtube.com/watch?v=e7RgU7NNAbw
2011 Apr 12, 15:51