

GFI first reported this issue on Friday, but then released an update today when it became clear ransomware and click fraud were being used. GFI detects the malware as, Sophos detects it as Troj/Agent-YCW or Troj/Agent-YDC, and Trend Micro just calls it a variant of the Dorkbot worm (also known as NRGbot).

The malware in question uses the message “lol is this your new profile pic?” followed by a link to spread via the messaging platform. The link has already been changed a few times, and the message can also likely be altered. In fact, Trend Micro says the malware is so far spreading in English and German, but it could of course be translated into various other languages as well.

If you click the link, you will end up with a zip file on your PC. Running the executable inside (skype_02102012_image.exe or skype_06102012_image.zip or skype_08102012_image.zip) will infect the PC and will leverage a Java exploit via BlackHole 2.0. Minutes later, you will be prompted with this warning:

The above is a typical ransomware scare message that locks the user out of their data, encrypts the files and demands payment (via MoneyPak) to the tune of $200. The IP address and geographical location are displayed in the bottom right hand corner, along with various threats related to the downloading of MP3s, illegal pornography, gambling and more besides.

Behind the scenes, the malware is also making click fraud attempts. We’re not just talking about a few clicks: in the space of 10 minutes, GFI recorded 2,259 transmissions. Sophos meanwhile details that the Trojan horse opens a backdoor, allowing a remote hacker to take control of the infected PC to communicate with a remote server via HTTP.

On execution the malware copies itself to %PROFILE%\Application Data\Jqfsfb.exe, and the security firm also notes that it makes sure it is always running:

Entry_location = “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”
Image = “c:\documents and settings\support\application data\jqfsfb.exe”
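As an added illustration that is not part of the article or of the vendors' reports, the following PowerShell snippet (assumed to run under PowerShell 3 or later on Windows) lists the HKCU Run entries and flags for review any whose image lives under the user's Application Data folder, the persistence pattern described above for Jqfsfb.exe.

```powershell
# Added example: audit HKCU Run entries for executables started from the user's
# Application Data folder (%APPDATA%), as the article describes for Jqfsfb.exe.
# A hit only means "worth reviewing": many legitimate programs use the same folder.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# %APPDATA% is "...\Application Data" on XP and "...\AppData\Roaming" on newer
# Windows; the regex below covers both spellings for paths that are not absolute.
$appData = [Environment]::GetFolderPath('ApplicationData')
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath([string]$command) {
    # Reduce a Run value ("C:\path\app.exe" /arg, or C:\path\app.exe) to its executable path.
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $c.Trim('"')
    }
    return ($c -split '\s+')[0]
}

function Get-RunKeyAudit {
    if (-not (Test-Path $runKey)) { return @() }
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
        $image = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $p.Value))
        $underAppData = $image.StartsWith($appData, 'OrdinalIgnoreCase') -or
                        ($image -match '\\application data\\|\\appdata\\')
        [pscustomobject]@{
            Name        = $p.Name
            Image       = $image
            Exists      = [bool]$image -and (Test-Path -LiteralPath $image)
            ReviewFlag  = $underAppData
        }
    }
}

Get-RunKeyAudit | Format-Table -AutoSize
```

Entries with ReviewFlag set to True and a missing or recently created image file are the ones to compare against the %PROFILE%\Application Data\Jqfsfb.exe path the report gives.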
