New variant of Ukash Scam virus



#1 Crazy Cat

Posted 07 May 2013 - 01:25 AM

Australian Federal Police virus (Ukash Scam) in News was deleted, so I'll post an update here.

I did battle yesterday with a new variant of the ransomware virus Australian Federal Police - Ukash Scam, which infected a mate's laptop while he was surfing porn sites. You don't just have to be surfing porn sites to get infected.

Info on the older variant of Australian Federal Police - Ukash Scam can be read here: http://malwaretips.com/blogs/australian-federal-police-virus/

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

The virus killed the latest Avast anti-virus software and installed itself as...

Hidden .Trash-999 folder on root.

Directory of \.Trash-999

05/06/2013 06:20 PM .
05/06/2013 06:20 PM ..
05/06/2013 06:20 PM info
05/06/2013 06:20 PM files


Directory of \.Trash-999\info

05/06/2013 06:20 PM .
05/06/2013 06:20 PM ..
05/07/2013 02:48 AM 118 ejh1w.js.trashinfo
05/07/2013 02:48 AM 119 ejh1w.pad.trashinfo
05/07/2013 02:42 AM 120 msconfig.lnk.trashinfo
05/07/2013 02:48 AM 122 rundll32.exe.trashinfo
05/07/2013 02:48 AM 119 w1hje.dat.trashinfo
5 File(s) 598 bytes


Directory of \.Trash-999\files

05/06/2013 06:20 PM .
05/06/2013 06:20 PM ..
05/04/2013 02:59 PM 3,133 ejh1w.js
05/06/2013 04:15 PM 95,023,320 ejh1w.pad
05/04/2013 02:56 PM 806 msconfig.lnk
05/06/2013 03:45 PM 33,280 rundll32.exe
05/04/2013 02:55 PM 159,744 w1hje.dat
5 File(s) 95,220,283 bytes


All Account Startup Folders in 'documents and settings' with msconfig.lnk

Registry Keys.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" "azroles Module" "Microsoft Corporation" "c:\documents and settings\all users.windows\application data\w1hje.dat"
"ctfmon.exe" "azroles Module" "Microsoft Corporation" "c:\documents and settings\all users.windows\application data\rundll32.exe" "c:\documents and settings\all users.windows\application data\w1hje.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Parameters]
"ServiceDll"="C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\w1hje.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winmgmt\Parameters]
"ServiceDll"="C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\w1hje.dat"
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
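As an added defender-side check (not code from the post or from BleepingComputer), this Python script parses registry text in .reg export syntax and flags the two persistence tricks the post lists: a Run value that loads code out of a profile data directory, and a winmgmt ServiceDll pointed anywhere other than system32\wbem. The sample text is constructed from the paths quoted above and re-typed in .reg syntax; on a real machine you would feed it the output of `reg export`.

```python
import re

# Profile-writable data directories a Run entry should rarely load code from;
# "applic~1" is the 8.3 short name for "Application Data" shown in the post.
PROFILE_DATA_DIRS = ("\\application data\\", "\\appdata\\", "\\applic~1\\")
# The genuine winmgmt ServiceDll lives under %SystemRoot%\system32\wbem.
WINMGMT_DLL_DIR = "\\system32\\wbem\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def unescape_reg(data):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def find_indicators(reg_text):
    """Return (key, value_name, reason) for each suspicious entry: a Run value
    that loads code from a profile data directory, or a winmgmt ServiceDll
    pointed anywhere other than the WMI service directory."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), unescape_reg(m.group(2)).lower()
        klow = key.lower()
        if re.search(r"\\currentversion\\run(once)?$", klow):
            if any(d in data for d in PROFILE_DATA_DIRS):
                hits.append((key, name, "Run entry loads code from a profile data directory"))
        elif klow.endswith("\\services\\winmgmt\\parameters"):
            if name.lower() == "servicedll" and WINMGMT_DLL_DIR not in data:
                hits.append((key, name, "winmgmt ServiceDll redirected outside system32\\wbem"))
    return hits


# Constructed sample: the post's Run and winmgmt entries re-typed in .reg export
# syntax, plus one clean winmgmt entry for contrast.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\\documents and settings\\all users.windows\\application data\\rundll32.exe c:\\documents and settings\\all users.windows\\application data\\w1hje.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt\Parameters]
"ServiceDll"="C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\w1hje.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winmgmt\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wbem\\WMIsvc.dll"
'''
```

The 8.3 short path in the ServiceDll value contains no "application data" substring, which is why the winmgmt check compares against the expected directory rather than looking for bad ones.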

 
