|Detected||Feb 25 2011 07:11 GMT|
|Released||Feb 25 2011 16:26 GMT|
|Published||Mar 16 2011 13:08 GMT|
This malicious program demands a ransom in exchange for the content of an encrypted archive. It is a Windows application (PE EXE file) and is 5 137 408 bytes in size. It is packed using VMProtect and is written in C++.
Once launched, the Trojan creates the following system registry key:
[HKCU\Software\Stimul]Then, the Trojan displays the following window:
After confirmation of "I agree with the rules", selection of the location for unpacking, and the "Unpack" button is pressed, the malware imitates the process of unpacking the files. At a certain stage, this process stops and the user is prompted to complete some fields in a form, then send an SMS containing the text
84***0191to one of these payable numbers:
While sending the confirmation message, the Trojan carries out the following HTTP request:
GET /functions/sms-api/sms_from_soft.php?user_phone= 7In response, the server sends back an integer, for example, "216".
&flow_id=1&platnik_id=0&num =2855&pt=1 HTTP/1.1 User-Agent: Mozilla/3.0 (compatible; Indy Library) Host: sti***ofit.com Cache-Control: no-cache
The "Support service" link points to the resource:
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
Programs classified as Hoax do not directly inflict any damage on the victim computer. They do send messages saying that damage has been done or will be done, or warn the user of a threat that does not actually exist. These “bad jokes” include programs that frighten users with messages about reformatting their disk (although no formatting is actually taking place), and display messages typical of viruses, etc. depending on the program author’s “sense of humor”.