Monday, January 16, 2012

Anti-Virus Removal

I have been noticing this "virus" pop up more and more often. First I was affected, then I started noticing others were affected with adware. Basically what it is is a very simple program that starts up automatically and tells you that you have performed some sort of criminal activity and your computer can only be unlocked if you pay some sort of fee. Here is a picture of an example:

I have encountered this virus "in the wild" four times, three times on Windows 7 systems and once on a Windows XP machine. On my latest encounter I noticed two interesting things: 1) when there is no internet connection the Ransomware does not execute, and 2) it only affected one user account, the user account where the malicious web site was loaded.

The difference between the Windows XP and Windows 7 variations is that even though the user will see the same result on their screen, it is actually two different exploits at work. The Windows XP variation makes use of a system vulnerability, whereas the Windows 7 variation makes use of either vulnerabilities in Adobe Flash, Adobe Acrobat, or Java.

The first time, on the Windows 7 system, I didn't spend much time trying to find out how it worked; I just eliminated some unknown startup programs, did a virus scan, and I was back in business. With XP, it was on a friend's PC; I did the same process and had no luck, because the vulnerability was at the system level. After a couple hours of trying I just decided to reinstall.

This most recent case is where I found out the most about how it works and what is going on. It seems Microsoft has known about this for a while and has a nice write-up on it but no immediate way to solve the problem: http://blogs.technet.com/b/mmpc/archive/2011/12/19/disorderly-conduct-localized-malware-impersonates-the-police.aspx. I found the "virus" hiding out in c:\users\"username"\appdata\locallow\java\deployment\cache\6\ and Trend Micro detected it as JAVA_BLACOLE.SMO, and the Java code it was running was smartypointer.class.
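Since the post found the payload in one user's Java deployment cache, a small triage helper that walks every profile's cache and lists cached .class/.jar artifacts is a practical first check. This is an added example, not code from the post; it assumes the cache path the post gives (AppData\LocalLow\Java\Deployment\cache) and builds a constructed demo tree in a temp directory so it runs offline. On real installs the path may contain an extra `Sun` component and a `6.0` version directory, so adjust `CACHE_REL` as needed.

```python
"""Triage helper: list cached Java applet artifacts per user profile."""
import tempfile
import time
from pathlib import Path

# Relative cache location as written in the post (hypothetical default;
# real installs may use AppData/LocalLow/Sun/Java/Deployment/cache).
CACHE_REL = Path("AppData") / "LocalLow" / "Java" / "Deployment" / "cache"
SUSPECT_EXT = {".class", ".jar"}


def scan_java_cache(users_root, newer_than_days=None):
    """Return {username: [(relative path, size, mtime_epoch), ...]} for
    cached .class/.jar files under each user's Java deployment cache.
    Loose .class files in the cache are worth a look: a normal applet
    ships as a jar. The per-user layout also shows which profile was hit."""
    findings = {}
    cutoff = time.time() - newer_than_days * 86400 if newer_than_days else None
    for profile in sorted(Path(users_root).iterdir()):
        cache = profile / CACHE_REL
        if not cache.is_dir():
            continue
        hits = []
        for p in cache.rglob("*"):
            if p.is_file() and p.suffix.lower() in SUSPECT_EXT:
                st = p.stat()
                if cutoff is None or st.st_mtime >= cutoff:
                    hits.append((str(p.relative_to(cache)), st.st_size, int(st.st_mtime)))
        if hits:
            findings[profile.name] = hits
    return findings


def build_demo_tree():
    """Constructed sample: two profiles, only 'alice' has a cached .class file
    (mirrors the post's observation that only one user account was affected)."""
    root = Path(tempfile.mkdtemp())
    layout = (("alice", ["6/12/abc-1234.class", "6/12/abc-1234.idx"]),
              ("bob", ["6/3/ok.idx"]))
    for user, files in layout:
        for f in files:
            path = root / user / CACHE_REL / f
            path.parent.mkdir(parents=True, exist_ok=True)
            # Java class files start with the 0xCAFEBABE magic bytes.
            path.write_bytes(b"\xca\xfe\xba\xbe" if f.endswith(".class") else b"idx")
    return root


if __name__ == "__main__":
    for user, hits in scan_java_cache(build_demo_tree()).items():
        print(user)
        for rel, size, _ in hits:
            print(f"  {rel}  {size} bytes")
```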
