Trojan.MBRlock

Forum for analysis and discussion about malware.

Trojan.MBRlock

Postby Radovan » Wed Dec 01, 2010 1:53 pm

Hello
I've read about a new ransomware which rewrites the master boot record. It's dubbed Seftad. Does anyone have a sample of this?

More info: http://techblog.avira.com/2010/12/01/of ... omware/en/
Radovan
 
Posts: 7
Joined: Tue Jul 13, 2010 3:18 pm
Reputation point: 0

Re: MBR Ransom (Seftad)

Postby EP_X0FF » Wed Dec 01, 2010 2:06 pm

Yes. It is dropped by the Oficla loader.

Greets go to Meriadoc for locating the proper Oficla :)

For 773921 the unblock key is aaaaaaciip; the number is hardcoded.

http://www.virustotal.com/file-scan/rep ... 1291214716
http://www.virustotal.com/file-scan/rep ... 1291214741
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 3879
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 465

Re: MBR Ransom (Seftad)

Postby Jaxryley » Wed Dec 01, 2010 2:39 pm

Thanks for samples Meriadoc/EP_X0FF. 8-)
Jaxryley
 
Posts: 140
Joined: Mon Mar 15, 2010 7:49 am
Reputation point: 30

Re: MBR Ransom (Seftad)

Postby Jaxryley » Wed Dec 01, 2010 10:23 pm

As a test I installed MBRguard in a Win 7 VM, then ran this variant; the VM rebooted straight back into the desktop.

Winner seems to be MBRguard.

http://www.blueridgenetworks.com/suppor ... bguard.php
Jaxryley
 
Posts: 140
Joined: Mon Mar 15, 2010 7:49 am
Reputation point: 30

Re: MBR Ransom (Seftad)

Postby hot_UNP » Thu Dec 02, 2010 10:53 am

Thank you for sharing samples.
The hard disk is not encrypted, and the original MBR backup is at (Physical Disk) 0x800 (4th sector).
hot_UNP
 
Posts: 4
Joined: Thu Mar 18, 2010 12:49 pm
Reputation point: 0
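The post above describes the recovery-relevant detail: the disk is not encrypted and the original MBR is parked at byte offset 0x800 (sector 4 on a 512-byte-sector disk). The following is an added example, not code from the post or from any tool named in the thread. It builds a constructed disk image in memory (sector 0 replaced by a placeholder stub, the real MBR copied to 0x800), then locates the backup with a plausibility check on the partition table and copies it back over sector 0. The 512-byte sector size, the backup offset, the heuristics in `looks_like_real_mbr`, and all sample bytes are assumptions of this example; a real recovery would run the same checks against a forensic image of the affected disk.

```python
"""Locate and validate a backup MBR in a raw disk image (added example).

Models the observation in the thread that the original MBR survives at byte
offset 0x800 (sector 4). The disk image used here is constructed in memory;
no real sample or real boot code is involved.
"""
import struct

SECTOR_SIZE = 512
BACKUP_OFFSET = 0x800            # sector 4 on a 512-byte-sector disk, per the thread
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"       # boot flag, CHS start, type, CHS end, LBA start, sectors


def build_partition_entry(bootable, part_type, lba_start, num_sectors):
    """Build one 16-byte MBR partition entry; CHS fields are left zero (constructed)."""
    boot_flag = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FORMAT, boot_flag, b"\x00" * 3, part_type,
                       b"\x00" * 3, lba_start, num_sectors)


def build_mbr(code, entries):
    """Assemble a 512-byte MBR from boot-code bytes and up to four partition entries."""
    code = code[:PARTITION_TABLE_OFFSET].ljust(PARTITION_TABLE_OFFSET, b"\x00")
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_partition_table(sector):
    """Return (boot_flag, type, lba_start, num_sectors) for the four table slots."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot_flag, _, part_type, _, lba_start, num_sectors = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16])
        entries.append((boot_flag, part_type, lba_start, num_sectors))
    return entries


def looks_like_real_mbr(sector):
    """Heuristic (assumed): signature present, sane boot flags, at least one
    plausible, non-overlapping partition. A lock-screen stub with an empty or
    garbage partition table fails this test even though it carries 0x55AA."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        return False
    used = []
    for boot_flag, part_type, lba_start, num_sectors in parse_partition_table(sector):
        if boot_flag not in (0x00, 0x80):
            return False
        if part_type == 0:
            continue                      # empty slot
        if lba_start == 0 or num_sectors == 0:
            return False
        used.append((lba_start, lba_start + num_sectors))
    if not used:
        return False
    used.sort()
    for (_, end_a), (start_b, _) in zip(used, used[1:]):
        if start_b < end_a:               # overlapping partitions: not a real table
            return False
    return True


def find_backup_mbr(image, candidate_offsets=(BACKUP_OFFSET,)):
    """Return the first candidate offset whose sector looks like a real MBR, else None."""
    for off in candidate_offsets:
        if looks_like_real_mbr(image[off:off + SECTOR_SIZE]):
            return off
    return None


def restore_mbr(image, backup_offset):
    """Copy the backup sector (boot code + partition table) back over sector 0."""
    backup = image[backup_offset:backup_offset + SECTOR_SIZE]
    return backup + image[SECTOR_SIZE:]


# --- constructed disk image: sector 0 overwritten, original MBR parked at 0x800 ---
ORIGINAL_MBR = build_mbr(
    b"CONSTRUCTED ORIGINAL BOOT CODE",                   # placeholder, not real code
    [build_partition_entry(True, 0x07, 2048, 409600)],   # one NTFS partition (constructed)
)
LOCKED_SECTOR0 = build_mbr(b"CONSTRUCTED LOCK SCREEN STUB", [])  # signature, empty table


def constructed_image():
    """Eight 512-byte sectors: stub at sector 0, original MBR at sector 4 (0x800)."""
    img = bytearray(8 * SECTOR_SIZE)
    img[0:SECTOR_SIZE] = LOCKED_SECTOR0
    img[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR_SIZE] = ORIGINAL_MBR
    return bytes(img)


if __name__ == "__main__":
    image = constructed_image()
    print("sector 0 plausible MBR:", looks_like_real_mbr(image[:SECTOR_SIZE]))
    off = find_backup_mbr(image)
    print("backup MBR found at offset:", hex(off) if off is not None else None)
    if off is not None:
        fixed = restore_mbr(image, off)
        print("restored first entry:", parse_partition_table(fixed[:SECTOR_SIZE])[0])
```

The plausibility check matters more than the offset: a sector that merely ends in 0x55AA is not evidence of a good MBR, since the stub that replaced sector 0 carries the same signature. Checking that the partition table describes at least one non-empty, non-overlapping partition is what separates the backup from the stub, and it is the same check one would apply before writing anything back to a real disk.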

Re: MBR Ransom (Seftad)

Postby wealllbe20 » Thu Dec 02, 2010 3:26 pm

Lately my users have just been getting a black screen after they enter their BIOS passwords.

Tried safe mode -> the recovery console that was installed on their hard drive; always a black screen.

Have to use some type of MBR restore tool and voila... everything works fine after we rebuild a new MBR.

I think it has something to do with this malware, or a crap variant of it.

Every user has been on Windows XP SP3.

Keep an eye out.
wealllbe20
 
Posts: 40
Joined: Tue Mar 16, 2010 8:08 pm
Reputation point: 6

Re: MBR Ransom (Seftad)

Postby Boyfriend » Sat Dec 04, 2010 11:02 am

Thanks EP_X0FF for sample :)
Boyfriend
 
Posts: 2
Joined: Tue Oct 26, 2010 5:35 am
Reputation point: 0

Re: MBR Ransom (Seftad)

Postby Tesk » Sat Dec 04, 2010 4:30 pm

My 2 cents: this is only a "test" before we see malware which really encrypts the whole hard drive, with keys which are generated in a very complicated way, and so on.
Tesk
 
Posts: 19
Joined: Mon Mar 29, 2010 8:18 pm
Reputation point: 13

Re: MBR Ransom (Seftad)

Postby GamingMasteR » Sun Dec 05, 2010 4:19 pm

encrypts the whole hard drive

I don't think a full HDD encryption will complete during this *long* encryption process; something will BSOD.
GamingMasteR
Global Moderator
 
Posts: 228
Joined: Sun Mar 07, 2010 10:52 am
Reputation point: 78

Re: MBR Ransom (Seftad)

Postby treehouse786 » Sun Dec 12, 2010 11:39 pm

So how do I remove this infection?
treehouse786
 
Posts: 3
Joined: Sun Dec 12, 2010 10:50 pm
Reputation point: 0
