
Hoax.Win32.ArchSMS.ong

Detected Feb 05 2011 08:56 GMT
Released Feb 05 2011 13:42 GMT
Published Mar 16 2011 13:44 GMT

Technical Details

This malicious program demands a ransom in exchange for the content of an encrypted archive, which users believe contains a file that they need. It is a Windows application (PE EXE file) and is 1 191 936 bytes in size. It is written in C++.

Installation

To ensure that its original file is launched automatically each time the system is rebooted, the Trojan creates the following system registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winxrar" = ""<full path to original Trojan file>" autostart"


Payload

Once launched, the Trojan carries out the following actions:

  • It creates the following system registry keys:
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32]
    "(Default)" = "%System%\scrrun.dll"
    "ThreadingModel" = "Both"
    
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ProgID]
    "(Default)" = "Scripting.FileSystemObject"
    
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\TypeLib]
    "(Default)" = "{420B2830-E718-11CF-893D-00A0C9054228}"
    
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Version]
    "(Default)" = "1.0"
    
    [HKLM\Software\Licenses]
    "{I72A1C76714CAA996}" = "01 00 00 00"
    
    [HKCU\Software\winxrar]
    "exerunner" = "was"
    "runcounter" = <malware launch counter>
    
  • It changes Internet Explorer's home page by setting the following system registry key values:
    [HKLM\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL" = "http://www.sm***xi.net"
    "Start Page" = "http://www.sm***xi.net"
    
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL" = "http://www.sm***xi.net"
    "Start Page" = "http://www.sm***xi.net"
    
  • It creates the following file in its working directory:
    %WorkDir%\xsendexe.tmp
    and writes the following string into it:
    est
  • The malware downloads elements for displaying its main window from this server:
    wlnr***th4.net
    At the time of writing, the server was not working, so the window was displayed with this appearance.


Removal instructions

If your computer does not have an antivirus product installed and is infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following file:
    %WorkDir%\xsendexe.tmp
  4. Delete the following system registry keys (see What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "winxrar" = ""<full path to original Trojan file>" autostart"
    
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\InprocServer32]
    "(Default)" = "%System%\scrrun.dll"
    "ThreadingModel" = "Both"
    
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\ProgID]
    "(Default)" = "Scripting.FileSystemObject"
    
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\TypeLib]
    "(Default)" = "{420B2830-E718-11CF-893D-00A0C9054228}"
    
    [HKCR\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}\Version]
    "(Default)" = "1.0"
    
    [HKLM\Software\Licenses]
    "{I72A1C76714CAA996}" = "01 00 00 00"
    
    [HKCU\Software\winxrar]
    "exerunner" = "was"
    "runcounter" = <malware launch counter>
    
  5. Restore the original system registry key values (What is a system registry and how do I use it?):
    [HKLM\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL" 
    "Start Page" 
    
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL" 
    "Start Page" 
    
  6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
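A read-only check for the indicators listed in this description, added here as an example and not a Kaspersky tool; it reports what is present and removes nothing, so cleanup remains the numbered steps above. It assumes the Trojan's working directory (%WorkDir%) is supplied by the caller, since the page does not fix it.

```powershell
# Added example, not part of the original Kaspersky description: a read-only audit of the
# indicators listed above for Hoax.Win32.ArchSMS.ong. It reports what is present and removes
# nothing; cleanup follows steps 1-6 above. Assumption: %WorkDir% is not known in advance,
# so it is passed in (the $env:TEMP default is a guess, not something the page states).
function Test-ArchSmsIndicators {
    param([string]$WorkDir = $env:TEMP)
    $findings = @()
    $clsid = 'HKCR:\CLSID\{7E0F3F10-7B69-8C21-EE01-70DABCF57934}'

    # HKCR is not a default PowerShell drive; map it once.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }

    # Autostart value (Installation section).
    $run = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name winxrar -ErrorAction SilentlyContinue
    if ($run) { $findings += [pscustomobject]@{ Indicator = 'Run\winxrar'; Value = $run.winxrar } }

    # Keys the Trojan creates (Payload section).
    foreach ($key in @($clsid, 'HKCU:\Software\winxrar')) {
        if (Test-Path $key) { $findings += [pscustomobject]@{ Indicator = $key; Value = 'key present' } }
    }
    $licName = '{I72A1C76714CAA996}'
    $lic = Get-ItemProperty 'HKLM:\Software\Licenses' -Name $licName -ErrorAction SilentlyContinue
    if ($lic) {
        $hex = ($lic.$licName | ForEach-Object { $_.ToString('X2') }) -join ' '   # page shows "01 00 00 00"
        $findings += [pscustomobject]@{ Indicator = "Licenses\$licName"; Value = $hex }
    }

    # IE start page values in both hives: the page masks the URL as sm***xi.net, so the
    # current values are reported for manual review rather than matched against a pattern.
    foreach ($hive in 'HKLM', 'HKCU') {
        $ie = Get-ItemProperty "${hive}:\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        foreach ($name in 'Default_Page_URL', 'Start Page') {
            if ($ie -and $ie.$name) {
                $findings += [pscustomobject]@{ Indicator = "$hive IE $name (review)"; Value = $ie.$name }
            }
        }
    }

    # Marker file written to the working directory; the page says it contains the string "est".
    $tmp = Join-Path $WorkDir 'xsendexe.tmp'
    if (Test-Path $tmp) {
        $findings += [pscustomobject]@{ Indicator = $tmp; Value = (Get-Content $tmp -Raw) }
    }
    return $findings
}

Test-ArchSmsIndicators | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM values are readable; an empty table means none of the listed indicators were found.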

MD5: 50886C55EFEB926FA5366AB97C8F6AFA
SHA1: 3B67AD4A1D95D8D1FFC27D3E105A36EA6CAB9C2C


Hoax

Programs classified as Hoax do not directly inflict any damage on the victim computer. They do send messages saying that damage has been done or will be done, or warn the user of a threat that does not actually exist. These “bad jokes” include programs that frighten users with messages about reformatting their disk (although no formatting is actually taking place), and display messages typical of viruses, etc. depending on the program author’s “sense of humor”.