
Security researcher MalwareHunter discovered today a new malware that he initially believed to be ransomware but ended up being just another annoying piece of junk that falls in the category of trollware, also known as crapware.
This piece of software, appropriately named "Cancer," doesn't destroy any files like ransomware, but merely makes your computer go bonkers by playing annoying music, blocking access to several applications, moving your windows and images across your screen, and popping up all sorts of windows out of nowhere.
This malware is what some security experts would call trollware, malware made with the sole purpose of annoying users and making their computer unusable.
Past examples include CainXPiiCleaner, discovered by GData malware analyst Karsten Hahn last November.
Breaking down Cancer
Digging into Cancer's source code, which was deobfuscated by MalwareHunter and analyzed by him and Bleeping Computer's resident malware analyst Lawrence Abrams, we can break down some of its "features."
First and foremost, running Cancer triggers a network request to the following URL, where the malware registers with its author. The URL currently returns an error, which is typically a sign of a broken PHP script, so it is unknown whether the server is actually recording victims.
http://hostingonline.desi/register.php?ref=3625708941
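The registration request above is the one network artifact the article gives, which makes it a useful thing to hunt for in proxy logs. The following is an added example, not code from the article or from the malware's author: it parses web-proxy log lines in Squid's native format (an assumption about the log format), matches the host and path of the registration URL rather than a raw substring, and pulls out the `ref` value so an analyst can see which clients beaconed. The log lines are constructed for this example; the first `ref` value is the one from the article, the second is made up.

```python
from urllib.parse import urlsplit, parse_qs

# Indicator taken from the article: host and path of Cancer's registration request.
CANCER_HOST = "hostingonline.desi"
CANCER_PATH = "/register.php"

# Constructed proxy log lines in Squid native format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1489000000.123    245 10.0.0.12 TCP_MISS/500 512 GET http://hostingonline.desi/register.php?ref=3625708941 - HIER_DIRECT/203.0.113.10 text/html
1489000001.456    120 10.0.0.13 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/203.0.113.20 text/html
1489000002.789    310 10.0.0.14 TCP_MISS/500 512 GET http://hostingonline.desi/register.php?ref=1122334455 - HIER_DIRECT/203.0.113.10 text/html
1489000003.000     90 10.0.0.15 TCP_MISS/200 300 GET http://hostingonline.desi/other.php?ref=3625708941 - HIER_DIRECT/203.0.113.10 text/html
"""


def find_cancer_registrations(log_text):
    """Return one dict per log line whose URL is Cancer's registration endpoint.

    Matching is done on the parsed host and path, so a different script on the
    same host (last sample line) is not reported, while any ref value is.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a well-formed Squid native line
        client, code_status, url = fields[2], fields[3], fields[6]
        parts = urlsplit(url)
        if parts.hostname != CANCER_HOST or parts.path != CANCER_PATH:
            continue
        ref = parse_qs(parts.query).get("ref", [None])[0]
        status = code_status.split("/")[-1]  # e.g. "500" from "TCP_MISS/500"
        hits.append({"client": client, "ref": ref, "status": status})
    return hits


if __name__ == "__main__":
    for hit in find_cancer_registrations(SAMPLE_LOG):
        print(f"client={hit['client']} ref={hit['ref']} status={hit['status']}")
```

Note that the HTTP status is carried along deliberately: the article observes the endpoint is currently erroring, so a run of 5xx responses to this path is itself consistent with the sample having executed, even though nothing useful came back.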

Following this initial step, Cancer will look for and shut down any OS process whose name contains any of the following strings:
vmtools,cheatengine,debug,dumpcap,regshot,SandboxieRpcSs,SandboxieDcomLaunch,Sandboxie,OllyDbg,IDAq,monitor,debug,dbg,vmtool,vmware,malwarebytes,antivirus,malware,anti,secure,cheat,engine,immunity,shark,spy,hunter,av,qihoo,eset,nod,avast,f-secure,secur,protect,idaq,strike,falcon,avira,norton,quard,zone,alarm,kasp,avg,clam,panda,cloud,comodo,defend,root
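The list above is matched by substring, which is worth seeing in action because several entries ("av", "dbg", "secur", "cloud", "monitor") are short enough to hit processes that have nothing to do with analysis or antivirus. The following is an added example, not code from the article or from the malware: it applies the article's exact list to a handful of constructed process names and reports which entries would fire. Whether the original does case-insensitive comparison is not stated in the article (the list contains both "IDAq" and "idaq", which hints that it may be case-sensitive), so that is exposed as a parameter rather than assumed.

```python
# Substring list exactly as quoted in the article from Cancer's deobfuscated source.
CANCER_KILL_LIST = (
    "vmtools,cheatengine,debug,dumpcap,regshot,SandboxieRpcSs,SandboxieDcomLaunch,"
    "Sandboxie,OllyDbg,IDAq,monitor,debug,dbg,vmtool,vmware,malwarebytes,antivirus,"
    "malware,anti,secure,cheat,engine,immunity,shark,spy,hunter,av,qihoo,eset,nod,"
    "avast,f-secure,secur,protect,idaq,strike,falcon,avira,norton,quard,zone,alarm,"
    "kasp,avg,clam,panda,cloud,comodo,defend,root"
).split(",")

# Constructed process names: a mix of analysis tools and ordinary Windows processes.
SAMPLE_PROCESSES = [
    "explorer.exe",
    "svchost.exe",
    "javaw.exe",
    "Wireshark.exe",
    "SecurityHealthService.exe",
    "OllyDbg.exe",
    "cloudflared.exe",
]


def kill_list_hits(process_names, case_insensitive=True):
    """Map each process name that the kill list would catch to the entries that matched.

    Matching is plain substring containment, as the article describes. Duplicate
    list entries ("debug" appears twice) are collapsed so each match is reported once.
    """
    hits = {}
    for name in process_names:
        probe = name.lower() if case_insensitive else name
        matched = []
        for entry in CANCER_KILL_LIST:
            needle = entry.lower() if case_insensitive else entry
            if needle in probe and entry not in matched:
                matched.append(entry)
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for mode in (True, False):
        print(f"case_insensitive={mode}")
        for name, entries in kill_list_hits(SAMPLE_PROCESSES, mode).items():
            print(f"  {name}: {entries}")
```

Running it shows the practical consequence for a victim: beyond the intended targets (OllyDbg, Wireshark), the two-letter entry "av" catches the Java launcher and "secur" catches Windows' own security health service, so the "shut down anything that looks like a tool" step degrades the machine well before the deliberately annoying behaviour starts.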

Having made sure no one can detect or stop it, this is when Cancer starts (figuratively) giving cancer to your PC by starting its annoying behavior. Since there are no appropriate words that could describe the madness, we leave you with the video below:
One thing that you can't pick up from the video above is the fact that Cancer will rename your C: drive as "CANCERRRRRRRRRRRRRRRRRRRRRRRRR".

A deeper look at Cancer's source code also reveals clues about this crapware's author, as detailed below:
contact info:
base.Load += new EventHandler(this.Box_Load);
this.string_0 = "HELLO.\r\nI HAVE SOMETHING YOU MUST REMEMBER IF YOU WANT TO TALK...\r\n\r\nEmail: arran.bishop89@aol.com\r\nSkype: jquery.finland\r\nXMPP: jqueryxmpp@exploit.im\r\nWebsite: https://hack.chat?programming\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n";

At the time of writing, we couldn't get in touch with Cancer's creator to inquire more details on why "this" exists.
Since Cancer also gains boot persistence and autostarts even in Safe Mode, removing it from infected hosts is extremely difficult. We're currently working on a removal guide that will help the poor souls infected with this garbage, and a link will be added to the article in the following days.
Cancer SHA256
ed8761e11d819e6794cbcf9b9661f316ff5cc8bdbf8dfca614fb555ec228fd71
Comments
Angoid - 7 years ago
How horrible. And insensitive. Whoever wrote that garbage ought to be sectioned.
TheDcoder - 7 years ago
At least your files are safe...
ProTruckDriver - 7 years ago
What kind of sick mind would ever come up with this type of crapware? People with cancer, like myself don't have to be reminded that we have it and are fighting every day to stay alive. This is very insensitive to all cancer patients.
campuscodi - 7 years ago
Most malware authors are small sociopaths. I don't think they care about cancer patients.
not_the_nsa - 7 years ago
Does anybody have a SHA1 hash or some download link for this executable? I want to analyse it.
TheDcoder - 7 years ago
What would you do with a SHA1 hash?
not_the_nsa - 7 years ago
Search in malware databases like https://avcaesar.malware.lu/ if the sample is there. Unfortunately I did not find the sample yet.
TheDcoder - 7 years ago
Do they allow downloading of samples submitted? Or are you a special user capable of doing that? :P
not_the_nsa - 7 years ago
I don't know yet. Every site I searched until now says the hash is not in the database. I found the analysis of the file at https://www.virustotal.com/en/file/ed8761e11d819e6794cbcf9b9661f316ff5cc8bdbf8dfca614fb555ec228fd71/analysis/ but I was not able to find a sample yet.
TheDcoder - 7 years ago
I don't think you can download samples from Online Virus Scanners...