
Hoax.Win32.ArchSMS.pin

Detected Feb 15 2011 22:05 GMT
Released Feb 16 2011 03:13 GMT
Published May 17 2011 12:08 GMT


Technical Details

This malicious program demands a ransom in exchange for the content of an encrypted archive, which users believe contains a file that they need. It is a Windows application (PE EXE file). It is 1 212 425 bytes in size. It is written in C++.


Payload

Once launched, the Trojan performs the following actions:

  • It creates the following system registry keys:

  • It changes Internet Explorer's home page by setting the following system registry key values:
    [HKLM\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"="http://www.sm***xi.net"
    "Start Page"="http://www.sm***xi.net"
    
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"="http://www.sm***xi.net"
    "Start Page"="http://www.sm***xi.net"
    
  • It creates the following file in its working directory:
    %WorkDir%\xsendexe.tmp
    and writes the following string into it:
    est
    The Trojan displays the following window:

    After the user confirms "I agree with the rules", selects the location for unpacking, and presses the "Unpack" button, the malware imitates the process of unpacking the files. At a certain stage this process stops and the user is prompted to fill in some fields in a form and then send an SMS:

    For other countries it requests the user to send an SMS with the text:

    43***04
    The country and the number to which the SMS must be sent are shown below:
    Austria         0930399999
    Belgium         7796
    Bulgaria        1098
    Czech Republic  9090199
    Germany         80888
    Denmark         1945
    Estonia         17013
    Spain           5339
    Finland         179479
    France          83868
    Hungary         90645045
    Kyrgyzstan      1171
    Lithuania       1645
    Latvia          1874
    Netherlands     7117
    Norway          2322
    Poland          7910
    Portugal        68305
    Sweden          72170
    
    For Ukraine, an SMS must be sent with the text:
    77***01
    to the number:
    4161
    While sending the confirmation message, the Trojan carries out the following HTTP request:
    GET /pass_request/?guid=3de9581b497e3ea0b9c822735a719b00&parid=0&xnum=&xid=&nomer=+7<telephone number>m=zb&fn=&xtime=<rnd1>&lp=<rnd2> HTTP/1.1
    Accept: */*
    Cache-Control: no-cache
    User-Agent: Opera 10
    Host: wlnrar-auth4.net
    Connection: Keep-Alive
    
    where <rnd1> is a random sequence of five digits and <rnd2> is a random sequence of digits and Latin letters. In response, the server sends back an integer, for example "899".
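The request above gives a defender several stable indicators to look for in proxy or web logs: the host wlnrar-auth4.net, the /pass_request/ path, the hard-coded "Opera 10" User-Agent, and a 32-character hexadecimal guid parameter. The following detector is an added example, not code from the original description; it runs over a few constructed log lines in a simplified "client host method url "user-agent"" format (an assumption, not a real proxy's output) and scores each request by how many of those indicators it carries, so that a request to a different host that still matches the beacon path, User-Agent and guid shape is reported as well.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the HTTP request shown in the description.
KNOWN_HOST = "wlnrar-auth4.net"
BEACON_PATH = "/pass_request/"
BEACON_UA = "Opera 10"
GUID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample log (not from the original page). Format assumed here:
#   client host method url "user-agent"
# The "+7123" telephone value and the 10.0.0.x clients are placeholders.
SAMPLE_LOG = """\
10.0.0.12 wlnrar-auth4.net GET /pass_request/?guid=3de9581b497e3ea0b9c822735a719b00&parid=0&xnum=&xid=&nomer=+7123&m=zb&fn=&xtime=48213&lp=k3x9q "Opera 10"
10.0.0.15 www.example.org GET /index.html "Mozilla/5.0"
10.0.0.17 wlnrar-auth4.net GET /pass_request/?guid=deadbeef&parid=0 "Opera 10"
10.0.0.20 files.example.net GET /pass_request/?guid=0123456789abcdef0123456789abcdef&lp=zz "Opera 10"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def score_request(rec):
    """Count how many ArchSMS beacon indicators a parsed request matches."""
    reasons = []
    if rec["host"].lower() == KNOWN_HOST:
        reasons.append("known C2 host")
    parts = urlsplit(rec["url"])
    if parts.path == BEACON_PATH:
        reasons.append("beacon path")
    if rec["ua"] == BEACON_UA:
        reasons.append("hard-coded User-Agent")
    qs = parse_qs(parts.query, keep_blank_values=True)
    guid = qs.get("guid", [""])[0]
    if GUID_RE.match(guid):
        reasons.append("32-hex guid parameter")
    return len(reasons), reasons, guid


def scan_log(text, threshold=2):
    """Return one finding per line whose indicator score reaches the threshold."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons, guid = score_request(rec)
        if score >= threshold:
            hits.append({
                "line": lineno,
                "client": rec["client"],
                "host": rec["host"],
                "guid": guid,
                "score": score,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['host']} "
              f"score={hit['score']} ({', '.join(hit['reasons'])}) guid={hit['guid']}")
```

The guid value is worth extracting because it is the per-infection identifier the Trojan sends; grouping hits by guid lets you tell one infected host re-sending confirmations apart from several infections. The threshold of 2 is a tuning choice: the host alone is a strong signal, while the User-Agent string on its own is too generic to alert on.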


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following file:
    %WorkDir%\xsendexe.tmp
  4. Delete the system registry keys:

  5. Restore the original system registry key values:
    [HKLM\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"="http://www.sm***xi.net"
    "Start Page"="http://www.sm***xi.net"
    
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Default_Page_URL"="http://www.sm***xi.net"
    "Start Page"="http://www.sm***xi.net"
    
  6. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.
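Step 5 above is easy to check and script on many machines at once if the Internet Explorer "Main" keys are first exported with reg export (reg export "HKCU\Software\Microsoft\Internet Explorer\Main" ie_hkcu.reg, and likewise for HKLM). The following is an added example, not code from the original description or from Kaspersky: it parses such an export, flags Default_Page_URL and Start Page values that are not on an allowlist, and emits a .reg body that resets them. The allowlist entries, the sample export text and the about:blank restore value are assumptions; substitute your organization's approved home page for the latter.

```python
import re

# Keys the Trojan modifies (from the description); compared case-insensitively.
IE_MAIN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
}
WATCHED_VALUES = {"Default_Page_URL", "Start Page"}

# Assumption: the home pages your organization considers legitimate.
APPROVED = {"about:blank", "http://intranet.example.test/"}

# Constructed sample of `reg export` output (not from the original page);
# the HKCU values reuse the masked domain shown in the description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://www.sm***xi.net"
"Start Page"="http://www.sm***xi.net"
"NoUpdateCheck"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="about:blank"
"Start Page"="about:blank"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Only quoted REG_SZ values are of interest; dword/hex lines do not match.
VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            # Undo the .reg escaping of backslashes and quotes.
            value = vm.group(2).replace('\\\\', '\\').replace('\\"', '"')
            keys[current][vm.group(1)] = value
    return keys


def find_hijacked(keys, approved=APPROVED):
    """List (key, value_name, value) for watched IE values not on the allowlist."""
    wanted = {k.lower() for k in IE_MAIN_KEYS}
    findings = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        for name, value in values.items():
            if name in WATCHED_VALUES and value not in approved:
                findings.append((key, name, value))
    return findings


def restore_reg(findings, restore_to="about:blank"):
    """Build a .reg file body that resets every flagged value to restore_to."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in findings}):
        lines.append(f"[{key}]")
        for k, name, _ in findings:
            if k == key:
                lines.append(f'"{name}"="{restore_to}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_hijacked(parse_reg_export(SAMPLE_REG))
    for key, name, value in found:
        print(f"hijacked: [{key}] {name} = {value}")
    if found:
        print(restore_reg(found))
```

Importing the generated .reg file with reg import completes step 5; the same parse-and-compare approach works for any other value a hijacker is known to change, by extending WATCHED_VALUES and IE_MAIN_KEYS.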


Hoax

Programs classified as Hoax do not directly inflict any damage on the victim computer. They do send messages saying that damage has been done or will be done, or warn the user of a threat that does not actually exist. These “bad jokes” include programs that frighten users with messages about reformatting their disk (although no formatting is actually taking place), and display messages typical of viruses, etc. depending on the program author’s “sense of humor”.


Aliases

Hoax.Win32.ArchSMS.pin (Kaspersky Lab) is also known as:

  • Hoax.Win32.ArchSMS (Ikarus)
  • NseCheckFile2() returned 0x00010018 (Norman)