One of the images found embedded in the Cancer trollware

Security researcher MalwareHunter discovered today a new malware that he initially believed to be ransomware but which turned out to be just another annoying piece of junk that falls in the category of trollware, also known as crapware.

This piece of software, appropriately named "Cancer," doesn't destroy any files like ransomware, but merely makes your computer go bonkers by playing annoying music, blocking access to several applications, moving your windows and images across your screen, and popping up all sorts of windows out of nowhere.

This malware is what some security experts would call trollware, malware made with the sole purpose of annoying users and making their computer unusable.

Past examples include CainXPiiCleaner, discovered by GData malware analyst Karsten Hahn last November.

Breaking down Cancer

Digging into Cancer's source code, which was deobfuscated by MalwareHunter and analyzed by him and Bleeping Computer's resident malware analyst Lawrence Abrams, we can break down some of its "features."

First and foremost, running Cancer triggers a network request to the following URL, where the malware registers with its author. This connection is currently displaying an error, which is typically caused by a broken PHP script, so it is unknown if the server is actually properly recording victims.

http://hostingonline.desi/register.php?ref=3625708941

Cancer C&C request feature

Following this initial step, Cancer will look for and shut down any OS processes whose names contain any of the following strings:

vmtools,cheatengine,debug,dumpcap,regshot,SandboxieRpcSs,SandboxieDcomLaunch,Sandboxie,OllyDbg,IDAq,monitor,debug,dbg,vmtool,vmware,malwarebytes,antivirus,malware,anti,secure,cheat,engine,immunity,shark,spy,hunter,av,qihoo,eset,nod,avast,f-secure,secur,protect,idaq,strike,falcon,avira,norton,quard,zone,alarm,kasp,avg,clam,panda,cloud,comodo,defend,root

Cancer process-killing feature
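To see what this kill list would actually hit on an ordinary Windows host, here is an added example (not code from the malware or from Bleeping Computer) that models the substring match against a constructed set of process names. The article does not say whether the comparison is case-sensitive; the list containing both "IDAq" and "idaq" suggests it is, so that is the default here, with a flag to compare against case-insensitive behaviour.

```python
"""Model of Cancer's process kill-list matching, as described in the article.

Added example, not code from the malware or from the article's authors. The
process names below are a constructed sample; the case-sensitivity of the real
comparison is an assumption (see lead-in), so both modes are shown.
"""

# Substring list reproduced verbatim from the article.
KILL_LIST = (
    "vmtools,cheatengine,debug,dumpcap,regshot,SandboxieRpcSs,SandboxieDcomLaunch,"
    "Sandboxie,OllyDbg,IDAq,monitor,debug,dbg,vmtool,vmware,malwarebytes,antivirus,"
    "malware,anti,secure,cheat,engine,immunity,shark,spy,hunter,av,qihoo,eset,nod,"
    "avast,f-secure,secur,protect,idaq,strike,falcon,avira,norton,quard,zone,alarm,"
    "kasp,avg,clam,panda,cloud,comodo,defend,root"
).split(",")

# Constructed sample of process names; MsMpEng.exe is Windows Defender's
# real engine process, included to show the list never names it.
SAMPLE_PROCESSES = [
    "explorer.exe", "javaw.exe", "MsMpEng.exe", "SecurityHealthService.exe",
    "Taskmgr.exe", "windbg.exe", "wireshark.exe", "iCloudServices.exe",
    "notepad.exe", "ollydbg.exe", "IDAq64.exe", "RootCoordinator.exe",
]


def matching_terms(process_name, case_sensitive=True):
    """Return the kill-list terms contained in process_name, in list order."""
    name = process_name if case_sensitive else process_name.lower()
    hits = []
    for term in KILL_LIST:  # "debug" appears twice; dedupe by term text
        needle = term if case_sensitive else term.lower()
        if needle in name and term not in hits:
            hits.append(term)
    return hits


def would_be_killed(processes, case_sensitive=True):
    """Map each process that contains a kill-list term to the terms hitting it."""
    result = {}
    for proc in processes:
        hits = matching_terms(proc, case_sensitive)
        if hits:
            result[proc] = hits
    return result


if __name__ == "__main__":
    for mode in (True, False):
        hit = would_be_killed(SAMPLE_PROCESSES, case_sensitive=mode)
        print(f"case_sensitive={mode}: {len(hit)} of {len(SAMPLE_PROCESSES)} hit")
        for name, terms in hit.items():
            print(f"  {name:28} <- {', '.join(terms)}")
```

Note that the two-letter term "av" is enough to terminate javaw.exe, while Defender's MsMpEng.exe is never matched; unexplained terminations of such benign processes are a useful triage signal for this family.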

Having made sure no one can detect or stop it, this is when Cancer starts (figuratively) giving cancer to your PC by starting its annoying behavior. Since there are no appropriate words that could describe the madness, we leave you with the video below:

One thing that you can't pick up from the video above is the fact that Cancer will rename your C: drive as "CANCERRRRRRRRRRRRRRRRRRRRRRRRR".

Cancer renaming C: drive

A deeper look at Cancer's source code also reveals clues about this crapware's author, as detailed below:

contact info:
    base.Load += new EventHandler(this.Box_Load);
        this.string_0 = "HELLO.\r\nI HAVE SOMETHING YOU MUST REMEMBER IF YOU WANT TO TALK...\r\n\r\nEmail:  arran.bishop89@aol.com\r\nSkype:  jquery.finland\r\nXMPP:  jqueryxmpp@exploit.im\r\nWebsite:  https://hack.chat?programming\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n";       

Contact info

At the time of writing, we couldn't get in touch with Cancer's creator to inquire more details on why "this" exists.

Since Cancer also gains boot persistence and autostarts even in Safe Mode, removing it from infected hosts is extremely difficult. We're currently working on a removal guide that will help the poor souls infected with this garbage, and a link will be added to the article in the following days.

Cancer SHA256

ed8761e11d819e6794cbcf9b9661f316ff5cc8bdbf8dfca614fb555ec228fd71
