
Hoax.Win32.ArchSMS.hewm

Detected Feb 25 2011 07:11 GMT
Released Feb 25 2011 16:26 GMT
Published Mar 16 2011 13:08 GMT


Technical Details

This malicious program demands a ransom in exchange for the content of an encrypted archive. It is a Windows application (PE EXE file) and is 5 137 408 bytes in size. It is packed using VMProtect and is written in C++.


Payload

Once launched, the Trojan creates the following system registry key:

[HKCU\Software\Stimul]
Then, the Trojan displays the following window:

After the user confirms "I agree with the rules", selects a location for unpacking, and presses the "Unpack" button, the malware imitates the process of unpacking the files. At a certain stage this process stops, and the user is prompted to complete some fields in a form and then send an SMS containing the text

84***0191
to one of these payable numbers:

While sending the confirmation message, the Trojan carries out the following HTTP request:

GET /functions/sms-api/sms_from_soft.php?user_phone=7&flow_id=1&platnik_id=0&num=2855&pt=1 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: sti***ofit.com
Cache-Control: no-cache
In response, the server sends back an integer, for example, "216".
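As an added example (not part of the original Kaspersky description), the following Python parses a captured HTTP request, as a proxy or IDS would see it, and reports which indicators from the request above it matches. The path, query parameter names and User-Agent are taken from the request shown here; the sample requests are constructed, and the benign host name is a placeholder.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the request the Trojan sends (see above).
ARCHSMS_PATH = "/functions/sms-api/sms_from_soft.php"
ARCHSMS_PARAMS = {"user_phone", "flow_id", "platnik_id", "num", "pt"}
INDY_UA = "Mozilla/3.0 (compatible; Indy Library)"  # weak alone: any Indy app


def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request whose request line may be wrapped."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    req_line, i = "", 0
    while i < len(lines):  # glue pieces until the HTTP version ends the line
        req_line += lines[i]
        i += 1
        if re.search(r"HTTP/1\.[01]$", req_line):
            break
    method, target, _version = req_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for ln in lines[i:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": url.path,
            "query": parse_qs(url.query), "headers": headers}


def archsms_indicators(raw: str) -> list:
    """Return the ArchSMS indicators present in one request, strongest first."""
    r = parse_request(raw)
    hits = []
    if r["path"] == ARCHSMS_PATH:
        hits.append("sms_from_soft_path")
    if ARCHSMS_PARAMS <= set(r["query"]):
        hits.append("sms_api_params")
    if r["headers"].get("user-agent") == INDY_UA:
        hits.append("indy_library_ua")  # corroborating only, not a verdict
    return hits


# Constructed samples: the request as captured above (host redacted as on
# the page) and an unrelated request that must not match.
SAMPLE_ARCHSMS = """GET /functions/sms-api/sms_from_soft.php?user_phone=
7&flow_id=1&platnik_id=0&num
=2855&pt=1 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Host: sti***ofit.com
Cache-Control: no-cache
"""
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
```

The Indy Library User-Agent is shared by many legitimate Delphi applications, so it is reported only to corroborate a path or parameter match.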

The "Support service" link points to the resource:

http://vpoiske.sti***aball.com/support.php


Removal instructions

If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following system registry key (see What is a system registry and how do I use it?):
    [HKCU\Software\Stimul]
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 13DB8201EA98EC0AB953AAB8111134FA
SHA1: 55A8FF534DCA8250E2B424775010516AD12B0ED1


Hoax

Programs classified as Hoax do not directly inflict any damage on the victim computer. They do send messages saying that damage has been done or will be done, or warn the user of a threat that does not actually exist. These “bad jokes” include programs that frighten users with messages about reformatting their disk (although no formatting is actually taking place), and display messages typical of viruses, etc. depending on the program author’s “sense of humor”.


Aliases

Hoax.Win32.ArchSMS.hewm (Kaspersky Lab) is also known as:

  • Generic Malware (Panda)
  • Trojan.SMSSend.394 (DrWeb)
  • Gen:Variant.Adware.SMSHoax.14 (BitDef7)
  • Trojan.ArchSMS!1Xgia9wuHA4 (VirusBuster)
  • Win32:FraudTool-SS [Trj] (AVAST)
  • Hoax.Win32.ArchSMS (Ikarus)
  • Trojan.Gen (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.ArchSMS!1Xgia9wuHA4 (VirusBusterBeta)