Weekly Review – Ransomware on the loose
Trojan.Exploit.ANOP
This is another campaign that uses several exploits in an attempt to drive-by-download other malware on vulnerable systems, similar to Trojan.Exploit.SSX. This time, Trojan.Delf.POH is the payload. Trojan.Delf.POH monitors your browsing habits and sends the information back to its servers to produce targeted pop-up advertisements.
The exploits used in this JavaScript are:
- iframes which lead to different versions of the Flash Player exploit
- an exploit for SSReader that triggers a buffer overflow vulnerability in the "LoadPage" function of an ActiveX control
Both exploits give the attacker the possibility to download and execute arbitrary code on the affected machine (here, Trojan.Delf.POH).
Trojan.Rensom.B
This e-threat is probably received via spam email as an attachment under the name skype.exe. After execution, the file drops and runs three files and displays an error message to make the user believe the file was invalid.
The dropped files are:
%windows%\lsass.exe (detected: Trojan.Rensom.B)
%windows%\services.exe (detected: Trojan.VB.NXI)
%windows%\uninstlv16.exe (detected: Trojan.Rensom.B)
services.exe and uninstlv16.exe spread the original malware infection to all available removable disks. They copy the malware under the name "Skype.exe" and create an "autorun.inf" so that the file is executed when the removable disk is plugged into another computer.
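As an added example (not part of the BitDefender write-up), a small Python checker that parses an autorun.inf of the kind described above and reports which program the disk would launch on insertion; the autorun.inf content is constructed for illustration, and the key names checked are the standard AutoRun launch keys.

```python
import configparser

# [autorun] keys that make Windows launch a program when the disk is inserted
# or opened, on systems that still honour AutoRun for removable media.
LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")

# Constructed sample mimicking the autorun.inf described above (not a real capture).
SAMPLE_AUTORUN = r"""[AutoRun]
open="Skype.exe" /s
shellexecute=Skype.exe
shell\open\command=Skype.exe
icon=Skype.exe,0
action=Open folder to view files
"""


def launch_targets(autorun_text):
    """Return the distinct, lower-cased programs an autorun.inf would launch."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                    allow_no_value=True)
    try:
        cfg.read_string(autorun_text)
    except configparser.Error:
        return []  # unparsable file: treat as launching nothing
    targets = set()
    for section in cfg.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cfg.items(section):
            k = key.lower()
            # shell\<verb>\command keys add context-menu verbs that also run a program
            if k not in LAUNCH_KEYS and not (k.startswith("shell\\") and k.endswith("\\command")):
                continue
            value = (value or "").strip()
            if not value:
                continue
            # keep only the program name: drop a quoted path's quotes and any arguments
            prog = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
            targets.add(prog.lower())
    return sorted(targets)


def suspicious_autoruns(autorun_text):
    """Launch targets that are plain executables, the pattern a worm's autorun.inf uses."""
    return [t for t in launch_targets(autorun_text) if t.endswith(EXEC_EXTS)]


if __name__ == "__main__":
    for prog in suspicious_autoruns(SAMPLE_AUTORUN):
        print("autorun.inf would launch:", prog)
```

Run against the root of a mounted removable disk, an autorun.inf whose launch target is an executable sitting next to it is the signature the spreading routine above leaves behind.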
lsass.exe will encrypt almost all the files on your hard drive (except the critical system files). Meanwhile it will display a ransom note, asking the user to pay a small fee in order to recover his files.
Information in this article is available courtesy of BitDefender virus researchers: Daniel Chipiristeanu, Adrian Stefan Popescu
Copyright 2011. Site powered by Bitdefender