Archive for the ‘worm’ Category

Link (.lnk) to Ransom

May 27th, 2016

We are alerting Windows users to a new ransomware family that exhibits worm-like behavior: it copies itself to removable and network drives in order to propagate and reach more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.

Infection vector

Ransom:Win32/ZCryptor.A is distributed through spam email. It can also be installed on your machine by other macro malware*, or by fake installers (for example, a fake Flash Player setup).

Once executed, ZCryptor makes sure it runs at start-up by adding a value under the Run key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

zcrypt = {path of the executed malware}

It also drops autorun.inf on removable drives and a zcrypt.lnk in the user's Startup folder:

%User Startup%\zcrypt.lnk

...along with a copy of itself as {Drive}:\system.exe and %AppData%\zcrypt.exe, and sets the hidden attribute on these files so that they do not show up in File Explorer by default.

For example: c:\users\administrator\appdata\roaming\zcrypt.exe

Payload

This ransomware displays the following ransom note, dropped as the HTML file How to decrypt files.html:

[Screenshot: Win32/ZCryptor.A ransom note]

It also targets files with the following extensions, encrypts them, and changes the file extension to .zcrypt once it is done (for example, <originalfilename>.zcrypt):

.accdb .dwg .odb .raf
.apk .dxg .odp .raw
.arw .emlx .ods .rtf
.aspx .eps .odt .rw2
.avi .erf .orf .rwl
.bak .gz .p12 .sav
.bay .html .p7b .sql
.bmp .indd .p7c .srf
.cdr .jar .pdb .srw
.cer .java .pdd .swf
.cgi .jpeg .pdf .tar
.class .jpg .pef .tar
.cpp .jsp .pem .txt
.cr2 .kdc .pfx .vcf
.crt .log .php .wb2
.crw .mdb .png .wmv
.dbf .mdf .ppt .wpd
.dcr .mef .pptx .xls
.der .mp4 .psd .xlsx
.dng .mpeg .pst .xml
.doc .msg .ptx .zip
.docx .nrw .r3d .3fr

Infected machines carry a mutex named zcrypt1.0. The malware uses this mutex to check whether an instance of the ransomware is already running on the machine.

We have also seen a connection to the following URL; however, the domain was already down when we were testing:

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID}

{Computer_ID} is the value found inside the dropped file %AppData%\cid.ztxt, for example c:\users\administrator\appdata\roaming\cid.ztxt.
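The indicators above (the Run key value, the dropped files, the mutex, the root-level system.exe and autorun.inf, and the .zcrypt files) can be checked together on a suspect host. The script below is an added example written for this page and is not code from the original post or from MMPC; it is read-only, reports what it finds and removes nothing. It assumes an elevated PowerShell session on the machine being triaged, and it tries both the session-local and the Global mutex namespace because the post does not say which one the sample uses.

```powershell
# Added example (not part of the original post): hunt for the ZCryptor indicators
# described above on a Windows host. Read-only: it reports findings and removes nothing.
# Assumptions: elevated session; the mutex may live in the session-local or the
# Global namespace, so both names are tried.

function Find-ZCryptorIndicators {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Run-key persistence: a value named "zcrypt" under HKCU\...\Run
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties.Name -contains 'zcrypt') {
        $findings.Add("Run key value 'zcrypt' -> $($run.zcrypt)")
    }

    # 2. Dropped files in %AppData% and the per-user Startup folder (expect the hidden attribute)
    $dropped = @(
        (Join-Path $env:APPDATA 'zcrypt.exe'),
        (Join-Path $env:APPDATA 'cid.ztxt'),
        (Join-Path ([Environment]::GetFolderPath('Startup')) 'zcrypt.lnk')
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) {
            $attr = (Get-Item -LiteralPath $p -Force).Attributes
            $findings.Add("Dropped file present: $p (attributes: $attr)")
        }
    }

    # 3. Mutex zcrypt1.0: TryOpenExisting succeeds only while some process holds it.
    #    Access denied also means the mutex exists (created by another user/session).
    foreach ($name in 'zcrypt1.0', 'Global\zcrypt1.0') {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $findings.Add("Mutex '$name' exists: ZCryptor is probably running right now")
                $m.Dispose()
            }
        } catch [System.UnauthorizedAccessException] {
            $findings.Add("Mutex '$name' exists (access denied when opening it)")
        }
    }

    # 4. Worm component: system.exe and autorun.inf in the root of each drive.
    #    DriveType 2 = removable, 3 = local fixed disk, 4 = network drive.
    Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3, 4 } | ForEach-Object {
        foreach ($name in 'system.exe', 'autorun.inf') {
            $p = "$($_.DeviceID)\$name"
            if (Test-Path -LiteralPath $p) {
                $findings.Add("Root-level $name on $($_.DeviceID) (DriveType $($_.DriveType))")
            }
        }
    }

    # 5. Encrypted files and ransom notes under the user profile
    $hits = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.zcrypt' -or $_.Name -eq 'How to decrypt files.html' }
    if ($hits) {
        $findings.Add("$(@($hits).Count) .zcrypt files / ransom notes under $env:USERPROFILE")
    }

    return $findings
}

$result = Find-ZCryptorIndicators
if ($result.Count -eq 0) { 'No ZCryptor indicators found.' } else { $result }
```

A hit on the mutex check means the process is still live, so isolate the host and stop the process before touching the files; the file and registry checks alone only tell you that the sample ran at some point.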

Prevention

To help stay protected:

  • Keep your Windows operating system and antivirus up to date, and upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or System Protection. On Windows 10 and Windows 8.1 devices, File History must be turned on and a drive set up for it.
  • Use OneDrive for Business.
  • Be wary of phishing emails and spam, and do not open suspicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It prevents you from browsing sites known to host exploits and helps protect you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable Remote Desktop whenever you do not need it.
  • Use two-factor authentication.
  • Use a safe internet connection.
  • Avoid browsing websites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Detection

Recovery

In the Office 365 blog post How to deal with ransomware, there are several options for remediating or recovering from a ransomware attack. Here are a few that apply to home users and to those in the information industry:

  1. Make sure you have backed up your files.
  2. Recover the files on your device. If you previously turned on File History on Windows 10 and Windows 8.1 devices, or System Protection on Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista:

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.
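The "Previous versions" feature on Windows 7 and Windows Vista, and System Protection generally, are backed by Volume Shadow Copies, so the first thing to establish is whether those snapshots survived the attack. The script below is an added example written for this page (not code from the original post or from Microsoft): it lists the shadow copies, maps the file's drive letter to the right snapshot, and copies the file out of the newest snapshot that still holds it. It assumes Windows 7 or later with System Protection enabled, an elevated session, and .NET 4.6.2 or later (older runtimes reject the \\?\GLOBALROOT prefix; in that case create a directory symbolic link to the snapshot with mklink and copy from there). The file name in the usage call is made up.

```powershell
# Added example (not part of the original post): check whether Volume Shadow Copies,
# the storage behind "Previous versions" / System Protection, still exist, and copy
# one file out of the newest snapshot that holds it. Ransomware that wipes the
# shadow copies leaves this with nothing to recover, which is the case the text
# warns about. Assumptions: Windows 7 or later, elevated session, .NET 4.6.2+.

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)] [string]$Path,          # file to recover, e.g. C:\Users\me\Documents\x.docx
        [Parameter(Mandatory)] [string]$Destination    # folder that receives the recovered copy
    )

    $shadows = Get-CimInstance Win32_ShadowCopy -ErrorAction Stop | Sort-Object InstallDate -Descending
    if (-not $shadows) {
        Write-Warning 'No shadow copies on this machine. If the ransomware deleted them, fall back to an external drive or OneDrive backup.'
        return $null
    }

    # Split "C:\Users\me\x.docx" into the drive ("C:") and the path below the volume root.
    $drive    = Split-Path -Qualifier $Path
    $relative = $Path.Substring($drive.Length)

    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ identifier; map it back to a drive letter.
    $volumes = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter }

    foreach ($s in $shadows) {
        $vol = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
        if (-not $vol -or $vol.DriveLetter -ne $drive) { continue }

        # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN; files inside the
        # snapshot are reachable through that prefix via the Win32 file APIs.
        $snapshotPath = "$($s.DeviceObject)$relative"
        if (-not [System.IO.File]::Exists($snapshotPath)) { continue }

        # Name the restored copy after the snapshot time so several versions can coexist.
        $stem = [System.IO.Path]::GetFileNameWithoutExtension($Path)
        $ext  = [System.IO.Path]::GetExtension($Path)
        $target = Join-Path $Destination ('{0}.{1:yyyyMMdd-HHmmss}{2}' -f $stem, $s.InstallDate, $ext)

        [System.IO.File]::Copy($snapshotPath, $target, $false)   # never overwrite an existing file
        return [pscustomobject]@{ Snapshot = $s.InstallDate; Source = $snapshotPath; Restored = $target }
    }

    Write-Warning "No shadow copy on $drive contains $relative"
    return $null
}

# Usage (the file name is an assumption of this example):
Restore-FileFromShadowCopy -Path "$env:USERPROFILE\Documents\report.docx" -Destination "$env:USERPROFILE\Desktop"
```

The copy is placed beside the encrypted original rather than over it, so you can open the recovered version and confirm it is the one you want before replacing anything, which mirrors the "click Open to view it" advice above.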

  1. Recover your files in your OneDrive for Consumer
  2. Recover your files in your OneDrive for Business

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restore your files using the Portal

Users can restore a previous version of a file through the user interface. To do this:

1. Go to OneDrive for Business in the office.com portal

2. Right click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select Restore.

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Create a Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.

*Related macro malware information:

Edgardo Diaz and Marianne Mallen

Microsoft Malware Protection Center (MMPC)

Do I need anything besides Windows Defender?

January 16th, 2014

A reader asks:

If I have Windows Defender, do I need to buy anything else to protect my computer?

If your computer is running the Windows 8 operating system, Windows Defender will help protect you from viruses, spyware, and other malicious software. You don’t need to buy anything else. 

If your computer is running Windows 7, Windows Vista, or Windows XP, Windows Defender removes spyware, but to protect yourself from viruses, you’ll need to download antivirus software. You can purchase it from a third party, or you can download Microsoft Security Essentials for free.

More ways to protect against viruses and other malware

Run newer software. Advanced security technologies in modern operating systems are specifically designed to make it more difficult, more complex, more expensive, and therefore, less appealing to cybercriminals to exploit vulnerabilities.

Regularly install updates for all your software. Update your antivirus and antispyware programs, browsers (like Windows Internet Explorer), operating systems (like Windows), and word processing and other programs. Learn how to turn on automatic updating.

Make sure your firewall is turned on. A firewall will also help protect against viruses and hackers. Find out if your version of Windows has a built-in firewall.

For more information, see How to remove and avoid computer viruses.

EMET: A valuable tool for PC protection

October 18th, 2013

If you’re a regular reader of this blog, then you’ve probably already taken steps to help protect your PC. You have antivirus software that you trust and you keep it updated automatically. You’ve activated your firewall. You regularly install security updates. You know not to respond to suspicious emails or to click links with promises that seem too good to be true.

Today we’d like to tell you about an advanced tool that complements your existing defenses, making it even more difficult for malicious hackers and cybercriminals to get into your computer. If you feel comfortable performing more advanced computer tasks, consider downloading the free Enhanced Mitigation Experience Toolkit (EMET).

EMET is a free tool available for Windows 8, Windows 7, Windows Vista, and Windows XP. EMET works by taking advantage of security technologies that already exist on your PC, but might not be used by all of your programs. EMET helps protect your computer from new or undiscovered threats until they can be addressed through formal security updates. Katie Couric, a journalist and a talk show host, recently hosted a segment called Protect Your Computers from Hackers and recommended that families install and use EMET.

Download EMET now

Once installed, EMET works quietly in the background without interrupting your computer use. Like any security tool, EMET doesn’t guarantee that you’ll never have any problems, but it does make it much harder for an attacker to succeed.

Already using EMET? Get support or join the EMET forum.

3 ways to speed up your PC

October 15th, 2013

Here are three ways to speed up a sluggish computer.

1. Scan your computer for viruses

If your computer is slow or restarts often, it could be infected with a virus or other malicious software.

If you have Windows 8, you can use the built-in Windows Defender to help you get rid of a virus or other malware. If you have Windows 7, Windows Vista, or Windows XP, scan your computer with the Microsoft Safety Scanner. Or get help at the Virus and Security Solution Center.

For more information, see How to avoid and remove computer viruses.

2. Turn on automatic updating

One of the easiest things you can do to speed up your PC is to make sure that your operating system and software are kept up to date. Learn how to get security updates automatically.

Is your computer sluggish, or is it just your web browser? The newest version of Internet Explorer is Internet Explorer 10. It’s included with Windows 8, and you can download it for free for other versions of Windows. Learn more about security in Internet Explorer 10.

3. Upgrade your operating system

If you’re still using Windows XP, you could speed up your PC by upgrading to Windows 8 or Windows 7.

Support for Windows XP ends on April 8, 2014. You can get solutions to your Windows XP security issues now, but not for too much longer. If you’re still using Windows XP, you’re missing out on all kinds of security, productivity, and performance enhancements available in Windows 7 and Windows 8.

Find out what end of support for Windows XP means to you.

If your computer is still slow, you can try limiting how many programs run at start up, deleting software and files you don’t need, or following these additional tips to speed up your PC.

How to get rid of a computer virus

June 25th, 2013

Is your computer running more slowly than usual? Does it stop responding or freeze often? It might have a virus.

If you can connect to the Internet

These instructions are different depending on which operating system you’re using.

Check your operating system

Windows 8

If your computer is running Windows 8, you can use the built-in Windows Defender to get rid of the virus or other malware.

Windows 7, Windows Vista, Windows XP

If your computer is running Windows 7, Windows Vista, or Windows XP, do the following:

  • Run the Microsoft Safety Scanner. The scanner can be used with any kind of antivirus software (not just antivirus software from Microsoft).
  • Download Microsoft Security Essentials for free. (Note: Some viruses will prevent you from downloading Microsoft Security Essentials.)

If you can’t connect to the Internet

Windows Defender Offline works with Windows 8, Windows 7, Windows Vista, and Windows XP.

Use another computer to download Windows Defender Offline and create a CD, DVD, or USB flash drive.

Windows Defender (built in to Windows 8), Microsoft Security Essentials, and other antivirus software use the Internet to download the latest updates to fight new malware. Windows Defender Offline helps protect against advanced malware that can’t always be detected by antivirus software.

Learn how to use Windows Defender Offline

Learn more

Security researchers: Get paid to thwart cybercriminals. We want your help fighting potential viruses. Microsoft has announced three new bounty programs that offer cash payments in exchange for reporting certain vulnerabilities in and techniques for exploiting Internet Explorer, Windows, and other Microsoft programs. Visit Microsoft.com/BountyPrograms for details.

There is no Hotmail Maintenance Department

June 13th, 2013

Cassie writes:

I received an email from the Hotmail Maintenance Department requesting personal information verification. The message included a PDF file. Is this a scam?

Yes. This is one of many types of email cybercrime, also called phishing. Cybercriminals often use the Microsoft name to try to get you to share your personal information so that they can use it for identity theft. Delete the message—do not open it, and do not click any links or open any attachments.

The Hotmail Maintenance Department doesn’t exist—and if it did, the department wouldn’t send unsolicited email messages with attachments that asked for your personal information. Be suspicious of any email messages that appear to come from the Hotmail team; even though your email address still says “Hotmail,” the service is now called Outlook.com.

For more tips on spotting scam email messages, see How to recognize phishing email messages, links, or phone calls.

If you opened the PDF file, your computer might already be infected with malware that can be used to steal your personal information. Scan your computer with the Microsoft Safety Scanner to find out. The scanner will also help you remove any malicious software it finds.

Should I use more than one antivirus program?

January 22nd, 2013

You don’t need to install more than one antivirus program. In fact, running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

Windows 7 and Windows Vista include spyware protection called Windows Defender. To help fight both viruses and spyware, you can download Microsoft Security Essentials at no cost. If you download Microsoft Security Essentials, Windows Defender will be disabled automatically. Make sure to uninstall any other antivirus software (whether you installed it or it came preinstalled) on your computer first.

Windows 8 includes antivirus and antispyware protection called Windows Defender. Windows Defender for Windows 8 replaces Microsoft Security Essentials. It runs in the background and notifies you when you need to take specific action. If you install a different antivirus program, Windows Defender will be disabled automatically. 

Note: You might see a warning that Microsoft Security Essentials has been turned off because you have other antivirus software on your computer that automatically turns off Microsoft Security Essentials. This type of warning could also be a fake virus alert that attempts to fool you into downloading malicious software. For examples of such rogue security software, see our Real vs. Rogue Facebook app.

For more information, see How to boost your malware defense and protect your PC.

Spooky antivirus software

October 30th, 2012

Judy writes:

My virus protection doesn’t seem to want to stay on. I’ve been able to turn it back on, but when I shut down and then restart my computer later, the virus protection is off again.

Is this some kind of Halloween trick?

Having a virus is no treat

Achieving 100 percent protection from viruses is like chasing a phantom, and Judy’s antivirus software might be turning off because she has a virus.

Learn more about viruses and other malicious software

Having reliable support helps remove the mystery

If your computer is running Windows XP, Windows Vista, or Windows 7, Microsoft Security Essentials is available as a free download. If you’re already using it and it has unexpectedly turned off, you can uninstall it and reinstall it. And if doing that doesn’t fix the problem, you can contact support.

Learn more about Microsoft Security Essentials

Antivirus protection in Windows 8

If you’re running Windows 8, you don’t need to download Microsoft Security Essentials or install any other antivirus software. Windows Defender and Windows SmartScreen are built-in security features that provide real-time scanning to help protect your computer from viruses, spyware, and malware.  

Learn more about security in Windows 8

Free tool automatically checks and builds up your computer’s defenses

July 12th, 2012

Want to know an easy way to make sure you have the most up-to-date security settings and software for your Windows operating system? Microsoft offers a free downloadable tool that scans your computer and makes recommended changes based on your current settings.

Run the Microsoft Malware Prevention troubleshooter.

The following are a few examples of how the Microsoft Malware Prevention troubleshooter helps protect your computer:

  • It turns on your Windows Firewall. Enabling your Windows Firewall will block communications to your PC that may be malicious software.
  • It checks your anti-virus protection status. You will be prompted to update your anti-virus program if needed. If you have no anti-virus program installed, it tells how you can download Microsoft Security Essentials (free) or learn about other security software partners.
  • It turns on automatic updating. Windows Update automatically downloads and installs the latest security and feature updates from Microsoft to help enhance the security and performance of your PC.

Find out what else the Microsoft Malware Prevention troubleshooter can do.

Protect your PC from the Conficker worm

May 10th, 2012

The most recent Microsoft Security Intelligence Report (SIR) describes the ongoing threat of the Conficker worm and urges businesses and individuals to apply security updates.

Microsoft first recognized the Conficker threat in November 2008, and since then the Microsoft Malware Protection Center has regularly released updates to help protect against it. The worm continues to spread where businesses and individuals do not install these patches and keep their systems updated, and where weak passwords are used in business environments. The worm was also able to infect large numbers of computers through the Autorun feature in Windows XP and Windows Vista.

Think your computer or network is infected with Conficker? Get clean-up tips.

NEWS: Microsoft offers most popular US antivirus program

March 29th, 2012

Have you recently installed Microsoft Security Essentials? Earlier this month, the development tools and data services company, OPSWAT, announced that Microsoft’s free antivirus software was the most popular antivirus program in North America during the last 12 months.

Microsoft Security Essentials is free to download and helps protect personal and small business computers from viruses, spyware, and other malicious software.

Fake security software: Know the risks

June 23rd, 2011

If you’re browsing the web and you see a security warning, beware. Cybercriminals use fake security warnings (also known as “rogue security software”) to steal personal information or to charge you for a program that doesn’t work.

You should only download software from a reputable source. Microsoft Security Essentials, for example, is a program that can help protect your computer. Download it for free.

To watch a video about the extent of the problem and what Microsoft is doing about it, see Rogue Security Software: Scamming for Money.

Computer security tales of woe: What’s yours?

May 19th, 2011

I recently received two email messages from people who had been the victims of cybercrime. These people weren’t just readers of our blog—they work on our team. That means that they spend almost every day thinking about viruses, online fraud, security updates, and other issues of computer security.

And they still weren’t immune to the threat.

I got permission to share these stories in an effort to prove that cybercriminals are so tricky that they can even fool people who should know better.

The first tale comes from an employee who I’ll call “Christine.” Christine writes:

“I was on a news site and got infected with a computer virus. I believe I got some pop-up about an Adobe Acrobat test, and I may have hit “OK” rather than closing the pop-up. Instantly, I started getting all of these dire warning threats that my security had been breached, my computer was infected, and I should download the latest update to “Win 7 Internet Security 2011.”

I’ve actually never had a virus before, but I knew that Microsoft would never abbreviate the word “Windows” to “Win,” and then I spotted a few telltale other signs—a couple misspellings in the messages, and the warnings were so alarmist that I knew they couldn’t be from Microsoft. So I wasn’t dumb enough to click on anything, but it did paralyze my computer for a while, flooding my PC with these messages and blocking my access to the Internet.

From another PC, I found information on this virus and recommendations on how to remove it. I tried to remove it manually and had trouble locating where it was in my files. Then I tried downloading a spyware scanner (which I had to put on a USB drive, and then transfer to my infected PC). After getting it on my PC (I had to rename the .exe file because the virus knew it was spyware removal software and wouldn’t let me run it) and finding the infection, I found out that I needed to buy it before it would fix anything!

Then I remembered Microsoft’s scanner and did the same thing, and it worked! It found the virus and removed it—I guess I had the “Win32/FakeRean” virus that we featured in the newsletter a few months back. It was a fast, easy download, and it found and fixed my system for free.

Now I’ve downloaded every security update I can find, and scanned my system about 5 different times.”

This sounds like rogue security software to us. For more information, see Watch out for fake virus alerts. If you think you might have the same problem, download the Microsoft Safety Scanner.

The second story comes from an employee who I’ll call “Megan.” Megan writes:

“Right before I left for vacation I got a message that my email account had been “compromised.” At first I thought that this was a scam, but when I checked my credit card statement, I realized that over $600 of merchandise had been charged to my account. That was because I used the same user name and password information for my email account as I did for other online accounts, including my bank account.  

I was using a strong password. It wasn’t a word from the dictionary and it had a mix of numbers and letters. The problem was that I used this same password since I opened the email account more than four years earlier. And like I said, I was using the same user name and password on many of my online accounts, including my bank account. I immediately changed the password on my email account, on my bank account, and on all other financial accounts. And this time I used different passwords.”

Have you had this problem? Learn how to create strong passwords or test your password’s strength.

Do you have a computer security tale of woe? Share it in our comment section below.

Little Red Ramnit: My, what big eyes you have, Grandma!

May 10th, 2011

This month’s addition to MSRT is Win32/Ramnit. Discovered in April 2010, the family is relatively new; however, its authors seem to prefer an older generation of malicious techniques.

Whilst there are still a number of parasitic file infectors in the wild, the total number of malware families employing the technique is relatively small. Like many of the file infectors that preceded it, Win32/Ramnit contains functionality to infect Windows PE files with the extensions “.EXE”, “.SCR” and “.DLL”. In addition to infecting PE files, Ramnit can also infect HTML files, appending a small fragment of VBScript (Visual Basic Script) that drops and executes a Win32/Ramnit installer.

Finally, whilst I was analyzing a variant of Ramnit in March this year, I was intrigued to encounter functionality which implemented Office file infection.

[Image 1: view of Office infection code]


This particular variant of Win32/Ramnit searches both fixed and removable drives for files with “.DOC”, “.DOCX” or “.XLS” extensions to infect; it is worth noting that this functionality has since been removed from the latest variants. In each of these three cases, the code inserted into the target file has the same underlying purpose: it simply drops and executes an installer for Win32/Ramnit.
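The HTML infection described above leaves a telltale shape: a web page that is otherwise intact, with a VBScript block tacked on after the point where the document should have ended. The script below is an added example written for this page, not code from the post or from MMPC, and it sweeps a directory tree for that shape. The heuristic it uses (a script tag mentioning vbscript that sits after the last closing html tag) is an assumption of this example rather than a published Ramnit signature, so hits are candidates to submit to your antimalware product, not confirmed infections. It does not look at the PE (.EXE/.SCR/.DLL) or Office infection paths.

```powershell
# Added example (not part of the original post): heuristic sweep for .htm/.html files
# carrying an appended VBScript block, the infection pattern described for Win32/Ramnit.
# The heuristic (a <script> tag mentioning vbscript located after the last </html>)
# is an assumption of this example, not a published signature.

function Find-AppendedVBScript {
    param(
        [Parameter(Mandatory)] [string]$Root,
        [int]$MaxSizeMB = 20                  # infected pages are small; skip huge files
    )

    Get-ChildItem -Path $Root -Recurse -Force -File -Include *.htm, *.html -ErrorAction SilentlyContinue |
      Where-Object { $_.Length -lt $MaxSizeMB * 1MB } |
      ForEach-Object {
        try { $text = [System.IO.File]::ReadAllText($_.FullName) } catch { return }

        # Anything after the LAST </html> is content the page's author did not write.
        $end = $text.LastIndexOf('</html>', [System.StringComparison]::OrdinalIgnoreCase)
        if ($end -lt 0) { return }
        $tail = $text.Substring($end + '</html>'.Length)

        if ($tail -match '(?is)<script[^>]*vbscript') {
            $clean = ($tail -replace '\s+', ' ').Trim()
            [pscustomobject]@{
                Path      = $_.FullName
                TailChars = $tail.Length
                Snippet   = $clean.Substring(0, [Math]::Min(120, $clean.Length))
            }
        }
      }
}

Find-AppendedVBScript -Root $env:USERPROFILE | Format-Table -AutoSize -Wrap
```

Run it against web roots and user profiles on a machine where MSRT reported Ramnit; the TailChars column is useful because a legitimate page rarely has more than a few bytes of whitespace after its closing tag.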

It is interesting to see that malware authors continue to experiment with both old and new techniques. Your trusty neighborhood MMPC team, combined with our antimalware technologies, stand vigilant against the threat of malicious software.

Scott Molenkamp

Categories: backdoor, MSRT, virus, Win32/Ramnit, worm