Showing posts with label virus. Show all posts
Showing posts with label virus. Show all posts

2014/10/23

HOW TO REMOVE POLICE RANSOMWARE VIRUS

What is?
This computer fraud, in jargon known as "RANSOMWERE", is a new type of malware that propagates as a virus or worm. 
It locks the computer displaying a notice on the screen, and then, taking advantage of the fear of people and claiming to be a POLICE department (or FBI, or CIA, etc..), it requires the payment of a sort of fine (but it would be better to call it "ransom") to unlock the user's computer.
The malware relies on the user's fear, accusing him of having committed illegal activities, such as downloading material protected by copyright like software or music, or be viewed and downloaded child pornography, and requires the payment of a fine (normally € 100,00) to remedy the alleged wrongdoing. 
Typical screen of Virus "Police"
A typical example of this malware displays a screen that reproduces the header of the Police (logo or emblem) and usually shows the IP address of the user's computer. In some cases even show the user's photo taken with the webcam of his own PC or notebook. 
It also requires the payment of a fine through fake websites (legal) specialized in making payments online without a credit card or debit card, such as www.ukash.com or www.paysafecard.com (in whose pages a message indicates the existence of this type of scam). 
This malware, due to the payment system used, it is also known as "Ukash virus" (but the Ukash site has nothing to do with the creator of the virus). 
Another name of this malware is "Reveton" that is based on Trojan Citadel (which, itself, is based on the Zeus trojan).
When the malware is active you cannot exit the screen, even with the keyboard shortcut CTRL + ALT + DELETE, and you are unable to freely use your PC. 

As you take? 
As with many other virus infection the possibility are: 
  • Pure and simple navigation of  compromised websites, 
  • Receiving emails with infected attachments or links to infected sites, 
  • Exchange of infected USB sticks, 
  • Installing cracked software, 
  • Etc. 
Who does it affect? 
Windows systems are the first to be affected, but now even the Apple MAC OS X are targeted by Ransomware, fortunately in this case the solution is simple, just do a reset of the SAFARI browser. 

Even Smartphone and Android tablets are attacked by ransomwere
An Android Cryptolocker version was discovered in 2012, but it  did not crypt the files like the Windows Version!
ESET has discovered a dangerous new type of malware (Android / Simplocker.A) that is able to encrypt the data / files in your SD card expansion of Android devices and then asks for a "ransom" for decryption. 
[Source] ESET Blog 
Android-Trojan.Koler.A

Android-Trojan.Koler.A is a type of Ramsomware that attacks Smartphone and Tablet Android. Use GPS to understand where is the victim and simulate local authorities more plausible. Android-Trojan.Koler.A is not dangerous, because it do not completely block the device, but only in the foreground holding a browser window with a threatening message. Bogdan Botezatu of Bitdefender says that you can manually uninstall the malware with the standard procedure, stating - "but only if the application icon is in the first row. Otherwise, you would not have the time necessary to drag the icon to uninstall." 
[Source] ARSTECNICA 

The Blog Malware do not need Coffee illustrates in detail the technique of propagation and the operation of this type of Ramsomware. 
[Source] Malware do not need Coffee: Police Locker land on Android Devices 

A new variant of ransomware locks the system and encrypt the data. This type of malware, however, shows clearly that it is a virus that has encrypted many files on your computer or on your smartphone / tablet  and requires a  ransom to decipher them. 

The malware best known in this category is "Cryptolocker", which is mainly spread via email attachment and that encrypts certain types of electronic documents on the hard drive and network shares. The malware connects to a remote server and uses a 2048-bit RSA public key to encrypt documents. Even removing the virus you cannot decrypt the file without having the key, which unfortunately is not stored in the computer.
CryptolockerCompanies FireEye and FOX IT, specializing in computer security, have created together a web portal www.decryptcryptolocker.com to help users of infected systems by Cryptolocker. Through this website you can send an email with an encrypted file from Cryptolocker, and you will receive in response to the private "master key" and personal for use with the software Decryptolocker to decipher all other files and encrypted documents.

How to prevent "ransomware" infection? 
The best way is to keep updating the software on your PC: Use Windows Update to the operating system, carry out security updates of the browser, email client and the main software used as Adobre Reader, OpenOffice, Microsoft Office, etc.. 
Also it is good to install a good antivirus (even free) and keep constantly updated virus signatures. 

The variants that encrypt the data: 
Who has the PC infected with variant Tojan-Ransom-digit .Win32.Rannoh which crypt some files so that they cannot be legitimately opened and edited, it can groped to recover them using special software developed by Kaspersky. It is RannohDecryptor.exe and is a tool that attempts to decrypt the files affected by this variant of ransomware. 

A new ransomware Trojan.ArchiveLock.20 (Dr.Web) affects primarily corporate networks by infecting the system and remaining invisible. Once activated remotely, malware and figure with WinRAR compresses several files through passwords and then shows a screen (which blocks the interface) with instructions to recover your data in exchange for money. In addition, the ransomware can delete any backup in the system. 
Trojan.ArchiveLock.20 (Dr.Web) 

But how to remove the "Police-themed" virus ? 
Depends on the model, some are easy to eliminate other more resistant. Later in this article I have included some information on how to eradicate the most stubborn variants. 
Specific Antivirus and Ransomware removal tools : 
The anti-malware software HitmanPro.Kickstart has a specific form against the Police Ransomware. And 'possible to create a bootable USB stick with HitmanPro.Kickstart and use it to disinfect your PC. 
Even the software house PANDA security (anti-virus manufacturer) has developed a specific tool for the "Police Virus" is called PANDA RescueDISK. It 'a file with the extension. ISO (that is the image of a CD) and must be burned to a CD and booted at boot windows. 
This type of ransomware is also known as Trojan.Win32.Urausy and can be identified and eliminated, for example through Microsoft Security Essential
The Antivirus software company BitDefender, has created a special free Removal Tool (See: "How to remove ransomware infection FBI"). 
TrendMicro has released a free removal tool designed to detect and remove malicious software like ransomware: TrendMicro AntiRansomware Tool 3.0 

On 02.15.2013 Europol has vanquished the band of cyber criminals who had designed (at least) a type of malware RAMSOMWARE (with several variations). Source: Europol. Unfortunately, there are new sophisticated variations. 


PERSONAL EXPERIENCE:
Unfortunately, in the case that I have personally verified the malware has NOT been detected neither by 2 active anti-virus nor virus scanner and subsequently downloaded even by a couple of scans conducted via the Internet. This is symptomatic of the lack of preparedness of many antivirus towards this new type of scam. However, the malware variant that I faced, was not very insidious and it was very simple to remove it manually, here are the instructions: 

[Method 1 - By working Safe Mode] 
Start Windows in "safe mode" (press F8 when the PC) and click with the mouse on START (or START or the Windows icon) at the bottom left of the task bar. 
When you open the drop down menu vertical click "All Programs.
Look for the folder "Startup" and, once detected, click with the mouse on the corresponding icon that will display the list of programs configured to start automatically whenever the computer. 
Select the files that have names "strange" as sequences of characters and numbers 
(in the specific case was fir0.exe or WBT0.D
, And remove them by pressing the "DELETE" or "DEL". 
Select with the mouse the "Recycle Bin" on the desktop and click with the right button when the dialog at the bin, select "empty trash" to permanently remove the malware from your PC. 
Reboot the PC. 

[Method 2 - With safe mode running] 
An alternative method to easily remove the executable file from the automatic can be to use CCLEANER (if already installed) and select the "Tools" menu, then "Start" and then deleting the row that contains the executable in order to exclude the next boot. 
In the event that not enough simply removing the file you can switch to a more radical action using the "Restore System Configuration" in Windows XP, Vista and Seven. In this case, just go back a few days when you think your PC is not infected yet. 

N.B. Of course, to eliminate "physically" the virus must also delete the file responsible for the malfunction (making sure to write down the full path) and not only limited to the sole exception of the file from autorun malware is otherwise idle but still this disc fixed! 
I have also read most tenacious of variants that are activated already in "safe mode", however they have not yet addressed these variants can only suggest the methods they would adopt (already used for other viruses) and shown in this study: 

[Method 3 - With safe mode running] 
Download CCleaner and Malwarebytes and copy them to a USB stick to be inserted in the PC started. 

Start your PC with 'PROVISIONAL MODE WITH COMMAND PROMPT "by holding down the F8 key in the ignition phase. 
Once at the Command Prompt, press CTRL + ALT + DEL to start Task Manager
Insert the USB stick with the software already loaded. 
Go to File - New Activity Run .... Locate the USB memory and install both programs 
Install CCleaner and run it to perform a thorough cleaning of the system files. Then proceed to scan your registry and repair of items found. In Tools - Start off ALL entries. 
Install and Launch Malwarebytes (also from New Activity Run ... and looking in the Program Files path) and perform a full scan. At the end restart your PC. 
Once you have removed the threat the desktop returns to normal and you can make a "clean-up" more in-depth. 
Disable the System Restore (XP) / Protection System (Vista, 7, 8) and delete all restore points created previously - Step essential to prevent the virus manages to recur in what is present in some file recovery 
Locate the folder for temporary files: 
XP - C: \ Documents and Settings \ <username> \ Local Settings \ Temp 
Vista, 7, 8 - C: \ Users \ <username> \ AppData \ Local \ Temp 
... and delete ALL files present 
Empty the trash immediately 
Run CCleaner again (Cleaning Files and Registry) 
Run Malwarebytes again - Full Scan 
Restart 
Run CCleaner again, click "Tools - Start" and reactivate the items you want, then reboot. 
Now the PC is  clean! 

As already indicated, there are many variants of this malware. For example, I recently met with the variant of the virus that displays a screen with the logo of the "Police State", like this: 

In this specific case the file was auto-start "ctfmon.lnk" (files with the extension. Lnk are shortcuts or links to other files and facilitate the opening or running). It pointed to the executable file "C: \ windows \ system32 \ rundll32.exe" which sent him running the malware. In this case it was probably a variant of "Trojan.Win32.FakeGdf" and side effects were (task bar unusable and some system services turned off). Even after the automatic removal since there have been problems in the repair of certain services (in particular Windows Update). The use of Malwarebytes Anti-Malware has allowed us to discover and automatically remove the additional services "malware" that were installed always start automatically. Another anti-virus software to use with variants "resistant" is definitely Combofix. Typically, the name of the file in "autostart" is a random numeric name (for example, in another case it was 0.751225951242083.exe.lnk name at least suspect!). 

PS: if you can not solve by following these directions leave me a comment indicating more problems. 

© ALL RIGHTS RESERVED

2011/10/12

E-Virus (Part III): I have a PC infected! Now as I clean it?

After confirming the presence of one or more e-virus on your PC,



... you should read up as much as possible about the characteristics of those viruses that are present (mode of distribution, payload, removal instructions). If you know your enemy it's easier to defeat him! 


In fact, if you know the name of the virus and how it is dangerous, it is possible to find a specific removal tool freely available from software companies like: Symantec, Kaspersky, McAfee, TrendMicro, etc.. 
For example, there are removal tools for the most common viruses such as: Melissa , Bagle , MyDoom, Sasser , Conficker, Zeus, etc.. 

Otherwise, you can use tools to remove general (broad spectrum) such as:
Obviously you can increase the benefits of these products by performing sequentially scanning of the PC by the use of different tools. 

Sometimes however, you might need to do multiple scans with different products but you can not install too many anti-virus simultaneously on the same PC due to speed and compatibility issues. Besides, the sequential installation and removal of different antivirus is a costly and long process, but you can avoid this using free online tools for virus scan and removal offered by some software companies (the only constraint is need to be online to scan).
Here there are some examples of online malware removal tools:
Of course, all these operations are feasible if the virus has not completely compromised  the access to your PC.

If you can't start the operating system then you can use antivirus software from a CD or bootable USB key (Rescue CD). These systems are typically available as .ISO images and you must create a CD / DVD or install it on bootable USB sticks, so you can operate apart from the operating system (Windows / Linux) that is installed on the infected PC . You have only to carefully verify that the BIOS first boot device is selected to the CD or USB external drive.
Some available tools are:
9) COMODO Rescue Disk CD
Once you start the CD you can scan the hard drive and require the deletion / correction of the infected files.

PERSONAL EXPERIENCE:
I have often used some of these tools along with excellent results. In particular ComboFix has been decisive with the most "insidious" viruses
Regarding the now infamous "worm" Conficker - Downadup, I can indicate the presence of specific free removal tools from almost all antivirus manufacturers. Among these however Bitdefender provides also a free removal tool that works on the whole LAN and not only on the individual PC ( Network Downadup Removal Tool ). 
Sometimes even after the virus removal, the operating system is "unstable" because it is partly damaged by the virus itself. In these cases a viable technique, apart from the total re-installation of the O.S., is to go back the System Restore a few days before the virus infection (feature available from Windows XP ).


2011/08/05

E-Virus (Part II): Maybe your PC is infected by an e-virus... how to verify its presence?

Depending upon the operation level of the PC you can work in various ways:

A) You can start the PC and enter your username and password.
In this case you can use some tools:

1) Using the free tool GMER you can both see if a rootkit is present, and disable or remove the indicted service / process (E-virus) from the memory and from the next boot starting process. To recognize the services / processes infected by E-viruses might be useful to look for files with very odd names (eg: rytrewxz.dll). GMER usually marks them in red and / or specifies the (*** hidden ***) attribute which means "file hidden to the user." In case that the message: "WARNING! GMER has found system modification, Which Might Have Been Caused by ROOTKIT activity. Do you want to fully scan your system? " appears, it is evident that GMER has identified a rootkit in the system and ask to start the full scan of your PC.


2) If you simultaneously press the keys CTRL + ALT + DEL and access to the Windows Task Manager you can see all the processes active in the PC memory and identify those that have random names such as those cited in case (1), possibly you can kill ("terminate") them, by temporarily removing them  from the memory.

3) Using the free tool McAfee Stinger you can identify and remove the most common e-VIRUSES. This is an automatic procedure since the tool detects both infections in place (memory files), and infected tracks and files in the analyzed hard drive. The tool shows which kind of many "problems" it could identify and provides eith their eradication.

4) Using the free tool Prevx you can identify both a rootkit either that kind of insidious virus that is installed in the MBR (Master Boot Record) of the hard disk. The free version detects and lists all the E-viruses present in the system but it does not eliminate them. However, it may be useful to detect the name of E-virus that infected your PC or the kind of epidemic in progress.

5) The free service OpenDNS for malware detection is totally automatic. When it detects a suspicious activity, the message  "Malware / Botnet Activity Detected" appears on the control panel of OpenDNS

6) Using the free software "Bitdefender 60-Second Virus Scanner" that precisely in 60 seconds performs a scan of your PC to check for viruses in memory or in "sensitive" areas of the Operating System. It uses cloud technology so you need an internet connection. 


B) If it is NOT possible to boot the system. 
In this case we can use some of the tools described in the following study; 
E-Virus (Part III): I have a PC infected! Now as I clean it?


Insights: 
E-Virus (part I) How to recognize the symptoms of a E-FLU or if your PC has got an E-VIRUS?

2011/01/13

E-Virus (part I) How to recognize the symptoms of a E-FLU or if your PC has got an E-VIRUS?

E-FLU (Electronic Fluence) and / or E-VIRUS (Electronic Virus) gather all the endless series of softwares that infect the PC by self-replicating and / or consuming its resources (i.e.: malwares, trojan horses, backdoors, spywares, rootkits, dialers, worms, viruses, etc.). 

HOW TO RECOGNIZE THE SYMPTOMS? 
1) The PC is unexpectedly slow: suddenly the speed of execution of any application, even the most banal, it slows down quite sharply. In parallel we see that the hard drive is still active (the LED is constantly lit). The feedback of the mouse or of the keyboard could be slowed. 
2) Problems with the browser: the browser's home page (Internet Explorer, Firefox, Chrome, Opera, etc..) has changed and is pointing to illegal Web sites, or, by opening the browser many pop-up windows appear and replicate indefinitely. 
3) Internet is too slow: suddenly, surfing the Internet has slowed down. 
4) The PC is inoperable: The computer starts but stops immediately with messages like "missing operating system" or "could not find command.com". The PC frequently restarts randomly and unexpectedly. 
5) Modified files: Some files, especially those with the extension. ".exe", ".com", ".dll" have been changed and are larger than usual. The hard drive space has been significantly reduced and / or many new files with unlikely names (such as: yutuewyt.dll, 823746.dll, wuyetur.dll) have appeared. 
6) The antivirus is down: The antivirus will not start functioning as usual and you can not re-install it or install a different one. In some cases you can not even reach the website of the leading antivirus vendors. 
7) New Softwares: new softwares that you have never installed, appear on your desktop or on the tray bar. 

These symptoms, taken individually, do not give you the certainty of the presence of an e-virus in your PC, but they can instill you doubts. Of course, if the symptoms are more than one, the probability of being in presence of an e-virus increases.


More inside: E-Virus (Part II): Maybe your PC is infected by an e-virus... how to verify its presence?


Versione Italiana di questo articolo:
 "E-virus (parte I): Come riconoscere i sintomi di un E-INFLUENZA ovvero quando il nostro PC si รจ preso un E-VIRUS?"