Another Trojan and Web Studio

    Another post of indignation.

    Today a familiar situation happened to me: a call, "please help me with the computer." The reason was also commonplace: a link in ICQ was opened and "everything stopped working." The computer has Opera and Doctor Web on it, because at some point things had got uncomfortable. A cruel beast.

    I started looking into it. The painfully familiar "Your system is locked", please pay via SMS. Yeah, right, I'm rushing to do it.


    Although the post is not about trojans, I will nevertheless describe the treatment process, just in case it comes in handy for someone. The message was the following: "You are using unlicensed software"; in order to continue using it, send the message o501om to number 6008. What a beauty, I thought: install a pirated Windows, send an SMS and work away.

    The system did not react to any of my actions. Pressing Shift 5 times did nothing, Win+U did nothing either. In general, the earlier tips were out.

    Solutions


    What saved me was booting into safe mode with command prompt support, and launching Explorer and the registry editor from that command line. The registry key corrected was HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The value of the Shell parameter was clearly bogus: the path registered there pointed to the "parasite" file, which was successfully deleted (along with a couple more bogus files in the Windows folder). Then Shell had to be returned to its original state, that is, set back to "Explorer".

    Also, the Trojan forbade calling the Task Manager, which is easily fixed in the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System branch by setting the DisableTaskMgr parameter to 0.
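    The same check and clean-up, as an added PowerShell example (not from the original post): it audits the two registry values described above and, with -Restore, puts them back. It assumes the default Winlogon Shell value is explorer.exe and that PowerShell is started from the safe-mode command prompt with administrator rights.

```powershell
# Added example, not the post's own procedure: audit (and optionally restore) the
# Winlogon Shell value and the DisableTaskMgr policy the Trojan tampered with.
# Usage from the safe-mode command prompt:  powershell -File .\Check-Winlogon.ps1 [-Restore]
param([switch]$Restore)

$winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$defaultShell = 'explorer.exe'   # assumption: stock Windows default

function Get-WinlogonShell {
    (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
}

function Test-DefaultShell {
    param([string]$Shell)
    # A missing value is fine (Winlogon falls back to explorer.exe); anything else
    # but the bare default, e.g. "explorer.exe,C:\Windows\something.exe", is suspicious.
    if (-not $Shell) { return $true }
    return ($Shell.Trim() -ieq $defaultShell)
}

$shell = Get-WinlogonShell
if (Test-DefaultShell $shell) {
    Write-Host "Winlogon Shell is the default ('$shell')."
} else {
    Write-Warning "Winlogon Shell is '$shell' (expected '$defaultShell')."
    # Report every non-default entry so the file can be inspected before deleting it.
    foreach ($entry in ($shell -split ',')) {
        $p = $entry.Trim()
        if ($p -and ($p -ine $defaultShell)) {
            Write-Warning "  Non-default shell entry: $p (file present: $(Test-Path -LiteralPath $p))"
        }
    }
    if ($Restore) {
        Set-ItemProperty -Path $winlogon -Name Shell -Value $defaultShell
        Write-Host "Shell restored to '$defaultShell'."
    }
}

# Task Manager policy: 1 blocks Task Manager, 0 (or absent) allows it.
$tm = (Get-ItemProperty -Path $policies -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($tm -eq 1) {
    Write-Warning "DisableTaskMgr is 1 (Task Manager blocked)."
    if ($Restore) {
        Set-ItemProperty -Path $policies -Name DisableTaskMgr -Value 0
        Write-Host "DisableTaskMgr set to 0."
    }
} else {
    Write-Host "Task Manager is not blocked by policy."
}
```

    Run it without -Restore first to see what is set, delete the files it reports after checking them, then run it again with -Restore.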

    By the way, Dr. Web (as far as I know) did not suspect anything and did not make a peep even once.

    And what's inside?


    Well, that is not what I am talking about. I was wondering what kind of beast I had got. Curiosity got the better of me. And so at home, armed with a virtual machine and Firebug, I dug in to find out.

    The link was like this:
    http://******/**/chototam.gif

    Well, yes, a GIF. We open the gif and immediately see a redirect to
    http://******/**/chototam.gif/,
    which in turn returns the header
    Content-Disposition: attachment; filename="foto20.src"

    Well, then, an offer to download. I downloaded a nice little file with an icon a la ACC 5. I did not launch it, since the result is known in principle, and I do not have enough knowledge in this area to poke around in the hex.

    Verdict


    Actually, here is what surprised me. The site address: altein.ru. Something painfully familiar. I went in carefully and looked: well, well! Website development, Ekaterinburg. That is not where I expected to see this. Well, I think, go ahead and trust them to develop your site, if it is unclear how they store the FTP credentials for their own sites. If they cannot even protect their own site.

    By the way, the site itself did not contain signs of anything bad (although I only looked through it cursorily): neither iframes nor JavaScript there. And the most interesting thing is that neither Dr. Web nor Kaspersky flagged the site itself, the page with the Trojan, or the Trojan itself (!), which I duly uploaded to their sites for checking.

    So, actually, here is what I want to say. It became a shame. A triple shame, even. First, it is a shame that there are such goats who send out all kinds of rubbish and brazenly ask for money; it is a shame that people fall for this (and what way out do they have if there is no familiar "specialist" around?); and it is a shame that there are such outfits that make sites themselves, and make a lot of them, and are themselves so careless about information and passwords.

    It is a shame for people. Such deception, not only on the part of "evil hackers", but also on the part of a seemingly large studio: they make sites, but they themselves... And they sell well. And they shout that "our sites are the safest, blah blah blah." Yeah, nowhere is safer.

    P.S. Anticipating a question: yes, I immediately wrote a letter to that company asking them to check their site.
