Tuesday, July 3, 2012

FBI Ransomware

This infection is called Reveton and is classified as Ransomware. It locks the screen in normal mode and tells you that if you pay some money ($100 US) in the form of a MoneyPak to unlock the PC. This can be defeated very easily. First, you need to boot into safe mode so that the rogue does not launch. Next, locate the startup folder in your start menu and look for a shortcut marked "ctfmon". This file has the same icon as the real ctfmon, but launches a shortcut that looks like this:

%systemroot%\system32\rundll32.exe C:\users\<UserName>\AppData\Local\Temp\er_00_0_1.exe

Just delete the shortcut and the exe located in the temp folder and that part has been taken care of. Several of these infections have had a rootkit installed on the system as well. The one that I have seen the most with it is SST. SST has recently been updated and TDSSKiller no longer finds it when scanning with normal parameters. You should always run TDSSKiller with the "Detect TDLFS" option checked when working on a PC that has Reveton.

Make sure that you have the option pictured above checked before running the scan. You will see a result that looks like this:

Select the "delete" option once you have found this and reboot. Run the scan again to ensure that the rootkit has been removed entirely. If it has not, repeat the above steps until it is gone.

No comments:

Post a Comment