[Xylitol]

http://blogs.mcafee.com/mcafee-labs/tro ... us-offense
McAfee discovered Reveton :roll:

[thisisu]

http://blogs.mcafee.com/mcafee-labs/tro ... us-offense
McAfee discovered Reveton :roll:

I thought this one was kind of unique (variant with runctf.lnk).

The ransom screen does not appear if no network connection is detected (even in Normal Mode). I'm guessing the author finds no reason for victim to type in moneypak codes if there is no internet connection to transmit the data back to himself/herself. :?

[EP_X0FF]

The ransom screen does not appear if no network connection is detected (even in Normal Mode). I'm guessing the author finds no reason for victim to type in moneypak codes if there is no internet connection to transmit the data back to himself/herself. :?

It is more simple than you think. If it cannot establish connection with C&C it is unable to download scary page and render it in browser window as the next startup stage. So this code is simple stuck in infinite wait.

[Tigzy]

Anyone got the latest version of H1N1?
It modifies a dll path of windows service among other things (unknown)

¤¤¤ Entrees de registre : 8 ¤¤¤
[STARTUP][Rans.Gendarm] runctf.lnk @christophe : C:\Windows\System32\rundll32.exe|C:\Users\CHRIST~1\wgsdgsdgdsgsd.exe,H1N1 -> SUPPRIMÉ
[HJ DLL][Rans.Gendarm] HKLM\[...]\ControlSet001\Services\winmgmt\Parameters : ServiceDll (C:\Users\christophe\wgsdgsdgdsgsd.exe) -> REMPLACÉ (C:\windows\system32\wbem\WMIsvc.dll)

[Maxstar]

Anyone got the latest version of H1N1?

I have requested some files in live topics on my forum, when I have the samples I will upload these here.
http://www.pcwebplus.nl/phpbb/viewforum.php?f=206

[Tigzy]

Thanks, Malekal told me that even with the service key removed the ransomware showed up yet.

[Maxstar]

I have not seen of heard that before, and so far as I know is this variant easy to kill.

Code: Select all

C:\Users\Steffi\wgsdgsdgdsgsd.dll (Trojan.FakeMS) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\ProgramData\dsgsdgdsgdsgw.pad (Exploit.Drop.GSA) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Steffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen) -> Succesvol in quarantaine geplaatst en verwijderd.

Topic: http://www.pcwebplus.nl/phpbb/viewtopic ... 206&t=8534

Edit:
MD5: f38085e3951e0d4796d3797fa339c2ac

Code: Select all

C:\Windows\System32\rundll32.exe C:\Users\Acer\wpbt0.dll,H1N1

https://www.virustotal.com/file/cde9eda ... 356709630/

[Maxstar]

New package

Code: Select all

C:\Windows\System32\rundll32.exe c:\users\jan\wgsdgsdgdsgsd.dll,H1N1

dsgsdgdsgdsgw.js : https://www.virustotal.com/file/8a33744 ... 356715269/
wgsdgsdgdsgsearch.dll : https://www.virustotal.com/file/d208c72 ... 356715532/
dsgsdgdsgdsgw.pad : attached

[Quads]

This (attached)

The .pad file name is the reverse of the .exe file name

Quads

[Blaze]

Another one. Injects into explorer.exe and svchost.exe.

"path"="C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runctf.lnk"
"command"="C:\\Windows\\System32\\rundll32.exe c:\\users\\username\\appdata\\local\\temp\\wlsidten.dll,H1N1"

MD5: 868918982cb43a9c763160c30b69d09b
https://www.virustotal.com/file/2ec7b44 ... /analysis/

MD5: 81150f1afd0afa0d8f274df9b712f067
https://www.virustotal.com/file/7666908 ... /analysis/