03/12/2010
11:51

A new threat holds your PC hostage and demands $100 to release it.


Identified by C.R.A.M. as MBR.SefTad.A, it completely blocks access to the operating system, displaying a message before Windows is loaded.
Over the last few days a new kind of malware has been circulating. To ensure it runs at start-up it uses techniques more complex than those currently seen in malware, and this time it also stops the OS from booting at all.

To achieve this the virus rewrites the Master Boot Record sector, replacing the standard boot code with its own routines which, instead of loading the OS, display a message telling the user that all the data on his disks has been encrypted.
The message says that to get the files back the user must enter his ID on a website and pay $100 for a password that unlocks the PC. Naturally these instructions must not be followed.

" Your PC is blocked.
All the hard drives were encrypted.
Browse www. safe-data. ru to get an access to your system and files.
Any attempt to restore the drives using other way will lead to inevitable data loss.
Please remember: Your ID: 77xxxx
with its help your sign-on password will be generated.

Enter password: _ "

Analysis of the viral code shows that it moves the original MBR from the first sector of the disk to the fifth (sector numbers here are 1-based, so sector 1 is LBA 0 and sector 5 is LBA 4), overwriting sectors 2 and 3 along the way, and that it removes the 0x55AA end-of-sector boot signature from the relocated copy, replacing it with a marker of its own.
Sector 2 holds the routines the virus uses to check whether the password typed by the user is correct, sector 3 holds the message shown above, and sector 4 is left blank.

If the password is correct, the virus moves the MBR back to its original position (sector 1, LBA 0) and erases the sectors it occupied; if the password is wrong and has been entered more than three times, it reboots the PC.

Because of how the virus works, quick-formatting the disk and reinstalling Windows is useless: neither operation overwrites the disk's MBR.
Nor should you run fixmbr from the recovery console, because the virus moved the partition table along with the original MBR: writing a standard MBR over the infected one leaves you with no valid partition table, and you will have to perform additional, complex operations to rebuild it.

Contrary to what the message claims, the data on the disk is not encrypted, so once the MBR and the partition table have been correctly restored the files are easily recovered.
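The recovery the analysis describes (copy the relocated MBR from sector 5 back to sector 1, bringing the partition table with it, re-apply the 0x55AA signature the virus removed, and clear the sectors the virus used) can be scripted against a raw disk image. The following is an added example, not a tool from TG Soft or from the analysis itself. It assumes the 1-based sector layout given above (sector 1 = LBA 0, sector 5 = LBA 4); the value the virus writes in place of 0x55AA is not given on this page, so the sample uses a hypothetical 0x5A5A, and the recovery deliberately never depends on it. The sample disk image is constructed inline, not captured from a real infection.

```python
"""Added example (not TG Soft's tool): detect the MBR.SefTad.A sector layout in a
raw disk image and put the original MBR back.  Work on an image taken with dd,
never on the live disk.  Assumptions: 1-based sector numbering as in the analysis
(sector 1 = LBA 0 ... sector 5 = LBA 4); the bytes the virus writes in place of
0x55AA are unknown here and are stood in by a hypothetical 0x5A5A, which the
recovery never relies on."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
MBR_LBA = 0                  # sector 1: the infected boot code lives here
RELOCATED_LBA = 4            # sector 5: where the virus parked the original MBR
SCRATCH_LBAS = (1, 2, 3, 4)  # sectors 2-5: routines, message, blank, relocated MBR


def sector(img: bytes, lba: int) -> bytes:
    return img[lba * SECTOR:(lba + 1) * SECTOR]


def partition_entries(sec: bytes):
    """The four 16-byte partition entries at 0x1BE: (boot flag, type, first LBA, sector count)."""
    out = []
    for i in range(4):
        off = 0x1BE + 16 * i
        boot, _chs_s, ptype, _chs_e, start, count = struct.unpack("<B3sB3sII", sec[off:off + 16])
        out.append((boot, ptype, start, count))
    return out


def looks_like_partition_table(sec: bytes) -> bool:
    """Heuristic: boot flags must be 0x00/0x80, used entries need a non-zero start and size,
    and at least one entry must be in use.  The 0x55AA bytes are deliberately ignored because
    the virus replaces them on the relocated copy."""
    used = 0
    for boot, ptype, start, count in partition_entries(sec):
        if boot not in (0x00, 0x80):
            return False
        if ptype == 0:
            continue
        if start == 0 or count == 0:
            return False
        used += 1
    return used > 0


def detect(img: bytes) -> bool:
    """SefTad indicator: no plausible partition table in sector 1, but one in sector 5."""
    return (not looks_like_partition_table(sector(img, MBR_LBA))
            and looks_like_partition_table(sector(img, RELOCATED_LBA)))


def restore(img: bytes) -> bytes:
    """Copy the relocated MBR back to LBA 0 (partition table included), re-apply the 0x55AA
    signature the virus removed, then zero the sectors the virus used, which is what the
    virus itself does when given the correct password."""
    if not detect(img):
        raise ValueError("image does not show the SefTad layout; do not write a generic MBR over it")
    original = bytearray(sector(img, RELOCATED_LBA))
    original[510:512] = BOOT_SIG
    out = bytearray(img)
    out[MBR_LBA * SECTOR:(MBR_LBA + 1) * SECTOR] = original
    for lba in SCRATCH_LBAS:
        out[lba * SECTOR:(lba + 1) * SECTOR] = bytes(SECTOR)
    return bytes(out)


# ---- constructed sample data (not captured from a real infection) ----

def build_clean_mbr() -> bytes:
    """A minimal MBR: a stand-in boot prologue, one bootable NTFS entry, 0x55AA."""
    mbr = bytearray(SECTOR)
    mbr[0:4] = b"\x33\xC0\x8E\xD0"  # xor ax,ax / mov ss,ax, a common MBR opening
    mbr[0x1BE:0x1CE] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                                   b"\xFE\xFF\xFF", 63, 204800)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def simulate_infection(clean_img: bytes) -> bytes:
    """Reproduce the sector layout from the analysis on a clean image."""
    img = bytearray(clean_img)
    moved = bytearray(sector(clean_img, MBR_LBA))
    moved[510:512] = b"\x5A\x5A"                   # hypothetical marker in place of 0x55AA
    img[RELOCATED_LBA * SECTOR:(RELOCATED_LBA + 1) * SECTOR] = moved
    loader = bytearray(SECTOR)
    loader[0:3] = b"\xFA\x33\xC0"                  # stand-in for the virus's boot code
    loader[510:512] = BOOT_SIG                     # still boots, but carries no partition table
    img[0:SECTOR] = loader
    img[1 * SECTOR:2 * SECTOR] = b"\x90" * SECTOR  # stand-in for the password-check routines
    msg = b"Your PC is blocked.\r\nAll the hard drives were encrypted.\r\n"
    img[2 * SECTOR:2 * SECTOR + len(msg)] = msg    # sector 3: the ransom text
    img[3 * SECTOR:4 * SECTOR] = bytes(SECTOR)     # sector 4: blank
    return bytes(img)


def demo() -> bool:
    """Build an 8-sector image, infect it, recover it, and report whether the result is
    byte-for-byte the clean image (sectors beyond the virus's area must be untouched)."""
    clean = build_clean_mbr() + bytes(SECTOR * 4) + b"D" * (SECTOR * 3)
    infected = simulate_infection(clean)
    return detect(infected) and not detect(clean) and restore(infected) == clean


if __name__ == "__main__":
    print("recovery ok" if demo() else "recovery FAILED")
```

On a real case the workflow is: image the disk with dd, run `detect` on the image and inspect the four partition entries it finds in sector 5, apply `restore` to the image, and only then write the first sectors back to the physical disk. `restore` refuses an image that does not show the relocated layout precisely because, as noted above, writing a generic MBR over sector 1 would discard the partition table.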


Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center)
by TG Soft


Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”
