Rising: new extortion virus variant encrypts 1054 file types after infection - vulnerability warning - the black bar safety net

ID MYHACK58:62201680819
Type myhack58
Reporter Anonymous
Modified 2016-11-02T00:00:00


Rising's "cloud security" system recently intercepted a new type of extortion virus (ransomware). The virus encrypts up to 1054 file types, renaming every encrypted file with a uniform .encrypted extension, and then demands a ransom of 1 bitcoin (about RMB 4500). If the user does not pay the hackers within the stated deadline, the encrypted files can never be recovered. Rising antivirus, Rising Enterprise Endpoint Security Management System and Rising's other personal and enterprise security products can already detect and remove this virus.


Figure: ransom message

Rising security experts recommend:

1. Back up the system and important files regularly and keep the backups offline, on storage independent of the device;

2. Use professional e-mail and network security tools that can analyze e-mail attachments, web pages and files for malware, preferably with sandbox features;

3. Use professional anti-virus software to protect systems and keep it updated;

4. Do not open suspicious mail, suspicious websites or suspicious links;

5. Update the operating system, devices and third-party software regularly and apply vulnerability patches promptly;

6. Do not access or use unsolicited network shares or removable media;

7. Set up network security isolation zones so that an infection cannot spread easily even if it occurs;

8. Apply the same or a higher level of security policy to BYOD devices;

9. Strengthen employee (user) security awareness training: do not casually download files, e-mail attachments or links of unknown origin;

10. Report suspicious files promptly to the virus center.

Rising's experts then conducted a comprehensive analysis of how this new extortion virus runs:

First, the virus decrypts data it will use later, such as the list of file types to encrypt, the extension appended to encrypted files, and the ransom message.


Figure: part of the file type list

Next, the virus checks whether it is running in a virtual environment, that is, whether any of the processes VBoxService.exe, vmtoolsd.exe, wireshark.exe or Ollydbg.exe exist, and whether the environment is VirtualBox, VMware, Virtual PC, Anubis, etc. If any check returns "yes", the virus process exits without performing the encryption. This is an anti-debugging design by the virus author, intended to make analysis of the virus harder.


Figure: the virus checks its running environment

It then checks the registry key HKEY_CURRENT_USER\Software\Globe\idle; if its value is "YES", the machine has already been infected and the virus process exits without performing the encryption.


Figure: the virus checks the registry

It uses Rwanda.exe to execute a JavaScript script that adds the virus to the startup items.


Figure: the virus adds itself to startup

It deletes the System Restore backups and disables the system's self-repair options, so that infected users cannot roll back with a restore point.


Figure: deleting the System Restore backups

It calls the QueryPerformanceCounter function to generate a random value and uses that value to initialize the encryption algorithm.



Figure: initialization of the encryption algorithm

Next, it traverses the local disks, shared folders and so on, encrypting all kinds of files, and drops the ransom instructions document "How to restore files.hta" in each affected directory.


Figure: encrypted files and the ransom document
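For incident response, the two file-system artifacts described above (the uniform .encrypted extension and the "How to restore files.hta" note dropped per directory) are enough to scope which shares and folders were hit. The following script is an added example written for this article, not code from Rising or from the malware; it walks a tree, counts encrypted files per directory, recovers the original extensions hidden under the .encrypted suffix, and flags directories that received a note but no encrypted files. The sample tree it builds is constructed for the demonstration.

```python
"""Scope an infection by this variant from its file-system artifacts.

Added example (not the vendor's or the malware's code). Constants come from
the write-up: files are renamed with a ".encrypted" suffix and the note
"How to restore files.hta" is dropped in each affected directory.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".encrypted"               # suffix appended by this variant
RANSOM_NOTE = "How to restore files.hta"   # note dropped per affected directory


def scope_tree(root):
    """Walk `root` and summarise encrypted files, affected directories and
    the original extensions that were encrypted."""
    affected = {}            # directory -> number of encrypted files
    note_dirs = set()        # directories containing the ransom note
    original_exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.add(dirpath)
            elif name.lower().endswith(ENCRYPTED_EXT):
                affected[dirpath] = affected.get(dirpath, 0) + 1
                # "report.docx.encrypted" -> original extension ".docx"
                stem = name[: -len(ENCRYPTED_EXT)]
                original_exts[os.path.splitext(stem)[1].lower() or "<none>"] += 1
    return {
        "encrypted_files": sum(affected.values()),
        "affected_dirs": sorted(affected),
        "note_dirs": sorted(note_dirs),
        # A note without encrypted files means the virus visited the directory
        # but found nothing in its target type list; still worth recording.
        "dirs_with_note_but_no_encrypted": sorted(note_dirs - set(affected)),
        "original_extensions": dict(original_exts),
    }


def build_sample_tree():
    """Construct a throw-away tree resembling a partially encrypted share
    (constructed sample data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="scope_demo_")
    layout = {
        "finance": ["q3.xlsx.encrypted", "budget.docx.encrypted", RANSOM_NOTE],
        "finance/archive": ["old.zip.encrypted", RANSOM_NOTE],
        "public": ["readme.txt"],   # untouched directory
        "tmp": [RANSOM_NOTE],       # note dropped, nothing matched the type list
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    result = scope_tree(build_sample_tree())
    print(f"{result['encrypted_files']} encrypted files in "
          f"{len(result['affected_dirs'])} directories")
    for ext, n in sorted(result["original_extensions"].items()):
        print(f"  {ext}: {n}")
```

Run it against a mounted copy of the affected share (read-only) rather than the live host; the extension histogram tells you which data classes were hit and which backups need restoring first.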

It modifies the registry to change the desktop background.


Figure: the virus changed the desktop

Finally, it adds the ransom message to the startup items, so that the message pops up on every boot, and sets the marker indicating that the machine has been infected.
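The execution flow above leaves several host-level traces that endpoint telemetry (process creation and registry-set events) can catch before the encryption finishes: the HKEY_CURRENT_USER\Software\Globe\idle marker, removal of System Restore backups and recovery options, a script host writing an autostart entry, and a wallpaper change made by something other than Explorer. The following detection logic is an added example, not Rising's detection content. The write-up does not quote the exact commands the virus uses to remove backups; the vssadmin and bcdedit command lines matched here are the ones typical of this class of ransomware and are an assumption. The sample events are constructed.

```python
"""Detect the behaviours described in the analysis in process/registry telemetry.

Added example, not vendor code. Event dicts mimic what a Sysmon-style
collector yields after parsing. The vssadmin/bcdedit patterns are assumed
(typical for this ransomware family; not quoted in the write-up).
"""
import re

# Constructed sample telemetry (not real logs). ws01 shows the full chain,
# ws02 shows benign activity that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws01", "type": "registry", "image": r"C:\Users\u\AppData\Local\Temp\a.exe",
     "key": r"HKCU\Software\Globe\idle", "value": "", "data": "YES"},
    {"host": "ws01", "type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "x",
     "data": r"C:\Users\u\AppData\Roaming\x.js"},
    {"host": "ws01", "type": "registry", "image": r"C:\Users\u\AppData\Local\Temp\a.exe",
     "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper",
     "data": r"C:\Users\u\AppData\Roaming\note.bmp"},
    {"host": "ws02", "type": "registry", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper", "data": r"C:\pics\cat.jpg"},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
RECOVERY_OFF = re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)
SCRIPT_AUTORUN = re.compile(r"\.(js|jse|vbs|wsf)\b|\b[wc]script(\.exe)?\b", re.I)


def rule_globe_infection_marker(e):
    """Infection marker from the write-up; accepts 'idle' as subkey or value name."""
    if e["type"] != "registry":
        return False
    k = e["key"].lower()
    return k.endswith(r"\software\globe\idle") or (
        k.endswith(r"\software\globe") and e.get("value", "").lower() == "idle")


def rule_shadow_copy_delete(e):
    return e["type"] == "process" and bool(SHADOW_DELETE.search(e["cmdline"]))


def rule_recovery_disabled(e):
    return e["type"] == "process" and bool(RECOVERY_OFF.search(e["cmdline"]))


def rule_script_autorun(e):
    """A Run-key entry pointing at a script or script host (the JavaScript autostart)."""
    return (e["type"] == "registry"
            and r"\currentversion\run" in e["key"].lower()
            and bool(SCRIPT_AUTORUN.search(e.get("data", ""))))


def rule_wallpaper_set_by_non_explorer(e):
    """Wallpaper rewritten by an arbitrary process rather than the shell."""
    return (e["type"] == "registry"
            and e["key"].lower().endswith(r"\control panel\desktop")
            and e.get("value", "").lower() == "wallpaper"
            and not e["image"].lower().endswith(r"\explorer.exe"))


RULES = {
    "globe_infection_marker": rule_globe_infection_marker,
    "shadow_copy_delete": rule_shadow_copy_delete,
    "recovery_disabled": rule_recovery_disabled,
    "script_autorun": rule_script_autorun,
    "wallpaper_set_by_non_explorer": rule_wallpaper_set_by_non_explorer,
}


def evaluate(events):
    """Return {host: sorted rule names that fired} for hosts with at least one hit."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(e["host"], set()).add(name)
    return {h: sorted(r) for h, r in hits.items()}


def triage(events, min_rules=2):
    """Hosts where at least `min_rules` distinct behaviours fired. A single rule
    (an admin running bcdedit, say) is visible in evaluate() but not escalated."""
    return sorted(h for h, r in evaluate(events).items() if len(r) >= min_rules)


if __name__ == "__main__":
    for host, rules in evaluate(SAMPLE_EVENTS).items():
        print(host, rules)
    print("escalate:", triage(SAMPLE_EVENTS))
```

The marker rule is the most specific signal, but it fires only once the virus has passed its environment checks; the shadow-copy and recovery rules fire earlier in the chain and are the ones worth wiring to an automatic host isolation, with the two-rule threshold keeping routine administration out of the escalation queue.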