Hoax.Win32.ArchSMS.ong

Technical Details

This malicious program demands a ransom in exchange for the content of an encrypted archive, which users believe contains a file that they need. It is a Windows application (PE EXE file) and is 1 191 936 bytes in size. It is written in C++.

Installation

To ensure that its original file is launched automatically each time the system is rebooted, the Trojan creates the following system registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winxrar" = ""<full path to original Trojan file>" autostart"

Payload

Once launched, the Trojan carries out the following actions:

• It creates the following system registry keys:

  [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}
  \InprocServer32]
  "(Default)" = "%System%\scrrun.dll"
  "ThreadingModel" = "Both"
  
  [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ProgID]
  "(Default)" = "Scripting.FileSystemObject"
  
  [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\TypeLib]
  "(Default)" = "{420B2830-E718-11CF-893D-00A0C9054228}"
  
  [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Version]
  "(Default)" = "1.0"
  
  [HKLM\Software\Licenses]
  "{I72A1C76714CAA996}" = "01 00 00 00"
  
  [HKCU\Software\winxrar]
  "exerunner" = "was"
  "runcounter" = 
  

• It changes Internet Explorer's home page by setting the following system registry key values:

  [HKLM\Software\Microsoft\Internet Explorer\Main]
  "Default_Page_URL" = "http://www.sm***xi.net"
  "Start Page" = "http://www.sm***xi.net"
  
  [HKCU\Software\Microsoft\Internet Explorer\Main]
  "Default_Page_URL" = "http://www.sm***xi.net"
  "Start Page" = "http://www.sm***xi.net"
  

• It creates the following file in its working directory:

  %WorkDir%\xsendexe.tmp

  and writes the following string into it:

  est

• The malware downloads elements for displaying its main window from this server:

  wlnr***th4.net

  At the time of writing, the server was not working, so the window was displayed with this appearance.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
3. Delete the following file:

   %WorkDir%\xsendexe.tmp

4. Delete the following system registry keys (see What is a system registry and how do I use it?):

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "winxrar" = ""<full path to original Trojan file>" autostart"
   
   [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\
   InprocServer32]
   "(Default)" = "%System%\scrrun.dll"
   "ThreadingModel" = "Both"
   
   [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ProgID]
   "(Default)" = "Scripting.FileSystemObject"
   
   [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\TypeLib]
   "(Default)" = "{420B2830-E718-11CF-893D-00A0C9054228}"
   
   [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Version]
   "(Default)" = "1.0"
   
   [HKLM\Software\Licenses]
   "{I72A1C76714CAA996}" = "01 00 00 00"
   
   [HKCU\Software\winxrar]
   "exerunner" = "was"
   "runcounter" = <malware launch counter>
   

5. Restore the original system registry key values (What is a system registry and how do I use it?):

   [HKLM\Software\Microsoft\Internet Explorer\Main]
   "Default_Page_URL" 
   "Start Page" 
   
   [HKCU\Software\Microsoft\Internet Explorer\Main]
   "Default_Page_URL" 
   "Start Page" 
   

6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 50886C55EFEB926FA5366AB97C8F6AFA
SHA1: 3B67AD4A1D95D8D1FFC27D3E105A36EA6CAB9C2C