New variant of Ukash Scam virus


#1 Crazy Cat


Posted 07 May 2013 - 01:25 AM

Australian Federal Police virus (Ukash Scam) in News was deleted, so I'll post an update here.

I did battle yesterday with a new variant of the Ransomware virus: Australian Federal Police - Ukash Scam, that infected a mate's laptop while he was surfing porn sites. You don't just have to be surfing porn sites to get infected.

INFO on the older variant of Australian Federal Police - Ukash Scam can be read here http://malwaretips.com/blogs/australian-federal-police-virus/


The virus killed the latest anti-virus AVAST software and installed itself as...

Hidden .Trash-999 folder on root.

Directory of \.Trash-999

05/06/2013 06:20 PM .
05/06/2013 06:20 PM ..
05/06/2013 06:20 PM info
05/06/2013 06:20 PM files

Directory of \.Trash-999\info

05/06/2013 06:20 PM .
05/06/2013 06:20 PM ..
05/07/2013 02:48 AM 118 ejh1w.js.trashinfo
05/07/2013 02:48 AM 119 ejh1w.pad.trashinfo
05/07/2013 02:42 AM 120 msconfig.lnk.trashinfo
05/07/2013 02:48 AM 122 rundll32.exe.trashinfo
05/07/2013 02:48 AM 119 w1hje.dat.trashinfo
5 File(s) 598 bytes

Directory of \.Trash-999\files

05/06/2013 06:20 PM .
05/06/2013 06:20 PM ..
05/04/2013 02:59 PM 3,133 ejh1w.js
05/06/2013 04:15 PM 95,023,320 ejh1w.pad
05/04/2013 02:56 PM 806 msconfig.lnk
05/06/2013 03:45 PM 33,280 rundll32.exe
05/04/2013 02:55 PM 159,744 w1hje.dat
5 File(s) 95,220,283 bytes

All Account Startup Folders in 'documents and settings' with msconfig.lnk

Registry Keys.

"ctfmon.exe" "azroles Module" "Microsoft Corporation" "c:\documents and settings\all users.windows\application data\w1hje.dat"
"ctfmon.exe" "azroles Module" "Microsoft Corporation" "c:\documents and settings\all users.windows\application data\rundll32.exe" "c:\documents and settings\all users.windows\application data\w1hje.dat"



Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.
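An added triage example, not part of the original post: it parses autorun entries in the quoted-field layout shown above and flags the traits these two entries share (a system binary name outside System32, a target under Application Data, a non-executable extension, an entry name that does not match its image). The rule names, the `triage` helper and the third sample line are assumptions made for illustration.

```python
import ntpath
import re

# First two lines are the autorun entries quoted in the post; the third is a
# constructed benign entry added for contrast.
SAMPLE = r'''"ctfmon.exe" "azroles Module" "Microsoft Corporation" "c:\documents and settings\all users.windows\application data\w1hje.dat"
"ctfmon.exe" "azroles Module" "Microsoft Corporation" "c:\documents and settings\all users.windows\application data\rundll32.exe" "c:\documents and settings\all users.windows\application data\w1hje.dat"
"ctfmon.exe" "CTF Loader" "Microsoft Corporation" "c:\windows\system32\ctfmon.exe"
'''

SYSTEM_NAMES = {"rundll32.exe", "ctfmon.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WRITABLE_MARKERS = ("\\application data\\", "\\appdata\\", "\\temp\\")
EXEC_EXTS = {".exe", ".dll"}


def parse(line):
    """Split one line into entry name, publisher and the path fields."""
    fields = re.findall(r'"([^"]*)"', line)
    if len(fields) < 4:
        return None
    return {"entry": fields[0].lower(), "publisher": fields[2],
            "paths": [p.lower() for p in fields[3:]]}


def findings(rec):
    """Return the sorted rule names that fire for one parsed entry."""
    hits = set()
    for path in rec["paths"]:
        name = ntpath.basename(path)
        if name in SYSTEM_NAMES and ntpath.dirname(path) not in SYSTEM_DIRS:
            hits.add("system-name-outside-system32")
        if any(marker in path for marker in WRITABLE_MARKERS):
            hits.add("user-writable-path")
        if ntpath.splitext(name)[1] not in EXEC_EXTS:
            hits.add("non-executable-extension")
    # The first path is the image the autorun entry claims to start.
    if ntpath.basename(rec["paths"][0]) != rec["entry"]:
        hits.add("entry-name-mismatch")
    return sorted(hits)


def triage(text):
    """Return (image path, findings) for every parsable line."""
    records = (parse(line) for line in text.splitlines())
    return [(r["paths"][0], findings(r)) for r in records if r]


if __name__ == "__main__":
    for image, hits in triage(SAMPLE):
        print(image, "->", ", ".join(hits) or "clean")
```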


