English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsHoax.Win32.ArchSMS.hewm

Hoax.Win32.ArchSMS.hewm

Detected Feb 25 2011 07:11 GMT
Released Feb 25 2011 16:26 GMT
Published Mar 16 2011 13:08 GMT

Technical Details
Payload
Removal instructions

Technical Details

This malicious program demands a ransom in exchange for the content of an encrypted archive. It is a Windows application (PE EXE file) and is 5 137 408 bytes in size. It is packed using VMProtect and is written in C++.


Payload

Once launched, the Trojan creates the following system registry key: 

[HKCU\Software\Stimul]
Then, the Trojan displays the following window:

After confirmation of "I agree with the rules", selection of the location for unpacking, and the "Unpack" button is pressed, the malware imitates the process of unpacking the files. At a certain stage, this process stops and the user is prompted to complete some fields in a form, then send an SMS containing the text 

84***0191
to one of these payable numbers:

While sending the confirmation message, the Trojan carries out the following HTTP request: 

GET /functions/sms-api/sms_from_soft.php?user_phone=
7&flow_id=1&platnik_id=0&num
=2855&pt=1 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: sti***ofit.com
Cache-Control: no-cache
In response, the server sends back an integer, for example, "216".

The "Support service" link points to the resource: 

http://vpoiske.sti***aball.com/support.php


Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following system registry key (see What is a system registry and how do I use it?): 
    [HKCU\Software\Stimul]
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 13DB8201EA98EC0AB953AAB8111134FA
SHA1: 55A8FF534DCA8250E2B424775010516AD12B0ED1



Print
Bookmark and Share
Share
Malicious tools
Hoax

Programs classified as Hoax do not directly inflict any damage on the victim computer. They do send messages saying that damage has been done or will be done, or warn the user of a threat that does not actually exist. These “bad jokes” include programs that frighten users with messages about reformatting their disk (although no formatting is actually taking place), and display messages typical of viruses, etc. depending on the program author’s “sense of humor”.


Other versions
Hoax.Win32.ArchSMS.lty
Hoax.Win32.ArchSMS.mvr
Hoax.Win32.ArchSMS.ong
Hoax.Win32.ArchSMS.pin

Aliases

Hoax.Win32.ArchSMS.hewm (Kaspersky Lab) is also known as:

  • Generic Malware (Panda)
  • Trojan.SMSSend.394 (DrWeb)
  • Gen:Variant.Adware.SMSHoax.14 (BitDef7)
  • Trojan.ArchSMS!1Xgia9wuHA4 (VirusBuster)
  • Win32:FraudTool-SS [Trj] (AVAST)
  • Hoax.Win32.ArchSMS (Ikarus)
  • Trojan.Gen (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.ArchSMS!1Xgia9wuHA4 (VirusBusterBeta)

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search