Tuesday, May 22, 2012

New variant of Zeus includes ransomware.

Ransomware is quickly becoming one of the more popular malware features. It encrypts all the users files, disabling them from doing anything unless a certain sum of money is sent to a specified account, usually via liberty reserve. A new Zeus variant has been discovered that also has this feature. Some of the code is shown below in Figure 1.
Figure 1
While this is dangerous, and probably still not yet fully implemented, it is very simple to unlock your computer. Once you make the payment, a new registry entry is created that prompts Zeus to un-encrypt your files. This makes it quite simple to remove the encryption. Here are steps to follow.


1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
6. reboot

This should cause Zeus to un-encrypt all your files and you can remove it from there (simply run a virus scan using something like: Norton AntiVirus 2012 or Malwarebytes Anti-Malware

thanks for reading, remember to comment on what I should post next.
credits to The Hacker News for images and un-encryption steps and research data
Posted by at
Labels: , , , , , , , ,

2 comments:

  1. x9090Wednesday, May 30, 2012 at 1:54:00 PM PDT

    Please remember to credit the article or blog that you are referring to, http://www.f-secure.com/weblog/archives/00002367.html

    I noticed that you also refer to Sophos ZeroAccess article.

    ReplyDelete
  2. JBolsenzWednesday, May 30, 2012 at 5:28:00 PM PDT

    I actually got all of this information from a forum and The Hacker News

    ReplyDelete

Subscribe to: Post Comments (Atom)