UniversalTechSupport
Welcome To UniversalTechSupport


fake FBI Ransomware

Post by Admin Thu Nov 14, 2013 12:48 am

Fake FBI Ransomware
by Deepak » Mon Jan 14, 2013 3:50 pm

Signs & Symptoms

In Normal Mode, the user's desktop is locked with a full-screen warning purporting to be from the FBI, etc.
Task Manager and Registry Editor are disabled.
System hotkeys are disabled to prevent the trojan from being terminated, for example Alt+F4, Alt+Tab, Ctrl+Esc, Win+D, Win+R, etc., and even commands pushed from Ninjato.
The autorun will typically be ctfmon.lnk located in the user's start menu Startup folder or an autorun located in the registry.
If the infection is loaded by a rundll32.exe command, tools such as Autoruns.exe might not show the autorun if Microsoft items are filtered out.
The malware process will typically be located at %temp% or %programdata% but can be elsewhere.
A single or multiple user profiles may be affected.

Important Information

1. We can connect in SMWN (Safe Mode With Networking)
2. We can't connect in SMWN

Connected in SMWN (Safe Mode With Networking)
Fix Steps

1. Boot into Safe Mode with Networking.
2. Open Autoruns as administrator (right-click it and choose "Run As Administrator").
3. Hit Escape immediately to stop the scan.
4. Go to Options > Filter Options and verify that Hide Windows Entries and Hide Microsoft Entries are unchecked.
5. Ensure that Verify code signatures is checked.
6. Hit F5 to restart the scan.
7. Look for any and all of the following:

> ctfmon.lnk (look in the last column - Image Path - to see what it points to. If it points to anything other than C:\WINDOWS\system32\ctfmon.exe, make a note of what it is, then delete the .lnk entry and the file on disk - it cannot be unchecked.)

> Any application or other .lnk file that points to (last column) anything in:
\appdata\*.*
\temp\*.* (especially anything ending with .dll)
\*.dat
C:\users\<username>
\AppData\Roaming\hellomoto
\Programdata\*.*
\Appdata\local\Microsoft\Windows\<4 digit # that is NOT 1033 or 1032>
C:\Documents and Settings\All Users\Application Data\lsass.exe
C:\Users\All Users\lsass.exe
C:\Programdata\lsass.exe
rundll32.exe with additional parameters pointing to anything above
skype.dat
8. Uncheck anything noted above.
9. Hit F5 and check whether anything you unchecked has been rechecked.
10. If something rechecks itself:
--> Note the path of the item that was rechecked.
--> Open PE (Process Explorer) in administrator mode. (Do not close AR (Autoruns) first.)
--> Find the name of the item that rechecked itself.
--> Right-click it and choose "Kill Process".
--> Go back to AR, uncheck the item again and hit F5.
--> If it rechecks itself again, escalate to TL immediately.
11. Reboot into Normal Mode
12. Check for reinfection.

Run MBAM to clean remnants (Do NOT run MBAM in Safe Mode!!!)

Cannot connect in SMWN (Safe Mode With Networking)
Fix Steps

Get the user/rep to boot into Safe Mode with Command Prompt (SMCP).
At the command prompt window, have the other end type these commands:

Net user temp /add
Net localgroup administrators temp /add

Reboot into SMWN.
Log into the "temp" account.
Attempt to connect.

If you still can't connect at this point, you must alert the customer/rep that this machine must go for OSRI (Operating System Re-Installation).

For Reference: http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/
Admin

Posts : 181
Join date : 2013-11-13

https://universaltechsupport.forumotion.com
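The manual review in step 7 of the "Connected in SMWN" fix comes down to matching each Autoruns entry's Image Path / Launch String against a short list of suspicious locations. The script below does that matching over an Autoruns CSV export. It is an added example, not code from the post, from Deepak or from Sysinternals; it assumes the column header that autorunsc writes with its CSV option (-c), and the export text it runs on is a constructed sample (the only row that mirrors a real Windows entry is the clean system32 ctfmon one). Verified-signature rows are reported but marked rather than dropped, which matches step 5 of the post and keeps the operator from unchecking a legitimately signed sync client just because it lives under AppData.

```python
"""Triage an Autoruns CSV export against the path rules in step 7 of the post.

Added example, not the post's or Sysinternals' code. Column names follow the
header autorunsc writes with -c (an assumption); the export below is constructed.
"""
import csv
import io
import re

# Constructed sample export. A real autorunsc -c file is UTF-16; decode it and
# pass the resulting text to triage_export().
SAMPLE_EXPORT = r'''"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ctfmon","enabled","Logon","System-wide","CTF Loader","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\ctfmon.exe","6.1.7600.16385","C:\Windows\system32\ctfmon.exe"
"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","ctfmon.lnk","enabled","Logon","alice","","(Not verified)","","c:\users\alice\appdata\local\temp\sample.exe","","C:\Users\alice\AppData\Local\Temp\sample.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","skype","enabled","Logon","alice","","(Not verified)","","c:\windows\system32\rundll32.exe","","rundll32.exe ""C:\Users\alice\AppData\Roaming\skype.dat"",Entry"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","lsass","enabled","Logon","System-wide","","(Not verified)","","c:\programdata\lsass.exe","","C:\ProgramData\lsass.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","updater","enabled","Logon","alice","","(Not verified)","","c:\users\alice\appdata\local\microsoft\windows\2763\updater.exe","","C:\Users\alice\AppData\Local\Microsoft\Windows\2763\updater.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SyncClient","enabled","Logon","alice","Example sync client","(Verified) Example Vendor","Example Vendor","c:\users\alice\appdata\roaming\syncclient\syncclient.exe","","C:\Users\alice\AppData\Roaming\SyncClient\SyncClient.exe /background"
'''

SYSTEM_CTFMON = r"c:\windows\system32\ctfmon.exe"

# One pattern per bullet in step 7. They are matched against Image Path and
# Launch String (the "last column"), never against Entry Location, or every
# Startup-folder item would trip the AppData rule.
RULES = [
    ("path under \\AppData\\", re.compile(r"\\appdata\\", re.I)),
    ("path under \\Temp\\", re.compile(r"\\temp\\", re.I)),
    ("DLL loaded from \\Temp\\", re.compile(r'\\temp\\[^\s"]*\.dll\b', re.I)),
    (".dat file", re.compile(r"\.dat\b", re.I)),
    ("hellomoto folder", re.compile(r"\\appdata\\roaming\\hellomoto\b", re.I)),
    ("path under \\ProgramData\\", re.compile(r"\\programdata\\", re.I)),
    ("4-digit folder under AppData\\Local\\Microsoft\\Windows (not 1032/1033)",
     re.compile(r"\\appdata\\local\\microsoft\\windows\\(?!103[23]\\)\d{4}\\", re.I)),
    ("lsass.exe outside system32",
     re.compile(r"\\(?:programdata|all users(?:\\application data)?)\\lsass\.exe", re.I)),
    ("skype.dat", re.compile(r"\bskype\.dat\b", re.I)),
]


def triage_entry(row):
    """Return the rule names one export row trips; an empty list means clean."""
    entry = row.get("Entry", "")
    image = row.get("Image Path", "")
    launch = row.get("Launch String", "")
    hits = []
    # First bullet: a ctfmon.lnk is only legitimate if it resolves to the real
    # system32 ctfmon.exe.
    if entry.lower() == "ctfmon.lnk" and image.lower() != SYSTEM_CTFMON:
        hits.append("ctfmon.lnk does not point at system32\\ctfmon.exe")
    haystack = image + " " + launch
    hits.extend(name for name, pattern in RULES if pattern.search(haystack))
    # Last bullet: rundll32.exe itself is a signed Windows binary, so what
    # matters is the DLL named in its parameters (the Launch String).
    if hits and image.lower().endswith("\\rundll32.exe"):
        hits.append("loaded via rundll32.exe parameters")
    return hits


def triage_export(text):
    """Parse an autorunsc-style CSV and return (Entry, Image Path, verified,
    hits) for every row that trips at least one rule. Rows whose Signer is
    "(Verified) ..." are kept but marked so they can be cleared last."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        hits = triage_entry(row)
        if hits:
            verified = row.get("Signer", "").startswith("(Verified)")
            findings.append((row["Entry"], row["Image Path"], verified, hits))
    return findings


if __name__ == "__main__":
    for entry, image, verified, hits in triage_export(SAMPLE_EXPORT):
        tag = "verified-signer" if verified else "UNVERIFIED"
        print(f"{entry:12} {tag:16} {image}")
        for hit in hits:
            print(f"{'':12} - {hit}")
```

The output is a worklist for steps 8 to 10, not a verdict: the AppData and ProgramData rules are deliberately as broad as the post's bullets, so an unverified entry with several hits (a ctfmon.lnk resolving into Temp, or rundll32 loading a .dat from AppData) goes to the top, while a verified-signer entry that only trips the AppData rule is checked last.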
