Forum for analysis and discussion about malware.
Posts: 7
Joined: Tue Jul 13, 2010 3:18 pm

Wed Dec 01, 2010 1:53 pm

I've read about a new ransomware which rewrites the master boot record. It's dubbed Seftad. Does anyone have a sample of this?

More info: ... omware/en/
Global Moderator
Posts: 4903
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Dec 01, 2010 2:06 pm

Yes. It is dropped by the Oficla loader.

Greets coming to Meriadoc for locating proper Oficla :)

For 773921 the unblock key is aaaaaaciip; the number is hardcoded. ... 1291214716 ... 1291214741
Ring0 - the source of inspiration
Posts: 140
Joined: Mon Mar 15, 2010 7:49 am

Wed Dec 01, 2010 2:39 pm

Thanks for the samples, Meriadoc/EP_X0FF. 8-)
Posts: 140
Joined: Mon Mar 15, 2010 7:49 am

Wed Dec 01, 2010 10:23 pm

As a test I installed MBRguard in a Win 7 VM, then ran this variant; the VM rebooted straight back into the desktop.

Winner seems to be MBRguard. ... bguard.php
Posts: 4
Joined: Thu Mar 18, 2010 12:49 pm

Thu Dec 02, 2010 10:53 am

Thank you for sharing samples.
The hard disk is not encrypted, and the original MBR backup is on the physical disk at offset 0x800h (4th sector).
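The finding above (original MBR kept at disk offset 0x800, i.e. sector 4 with 512-byte sectors) suggests a recovery check. The following Python script is an added example, not code from the post's author or from any tool named in this thread: it builds a constructed disk image whose sector 0 has been overwritten while sector 4 holds the original MBR, validates the candidate backup (boot signature plus a sane partition table), and shows how a repaired image would be assembled. The 512-byte sector size and the sample partition layout are assumptions.

```python
import struct

SECTOR = 512
BACKUP_SECTOR = 4          # offset 0x800 = sector 4, as reported in the post above (assumed 512-byte sectors)
MBR_SIG = b"\x55\xaa"

def parse_mbr(sector: bytes):
    """Return the non-empty partition entries of a 512-byte MBR as
    (status, type, lba_start, sector_count), or None if the 0x55AA signature is missing."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIG:
        return None
    parts = []
    for i in range(4):
        e = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        lba, count = struct.unpack_from("<II", e, 8)
        if ptype:                       # type 0x00 means the entry is unused
            parts.append((status, ptype, lba, count))
    return parts

def locate_backup(image: bytes, sector_no: int = BACKUP_SECTOR):
    """Return the sector at sector_no if it looks like a complete MBR (signature and at
    least one partition entry), otherwise None. Heuristic: confirm the table matches the
    layout the OS expects before writing anything back to a real disk."""
    cand = image[sector_no * SECTOR: (sector_no + 1) * SECTOR]
    parts = parse_mbr(cand)
    return cand if parts else None

def boot_code_replaced(image: bytes, backup: bytes) -> bool:
    """True if sector 0's boot code differs from the backup while the partition table
    is intact; a lock-screen MBR often keeps the table so the signature alone proves nothing."""
    return image[:446] != backup[:446] and image[446:510] == backup[446:510]

def restore_mbr(image: bytes, backup: bytes) -> bytes:
    """Return a copy of the image with sector 0 replaced by the validated backup."""
    return backup + image[SECTOR:]

def build_sample_image():
    """Constructed sample: one bootable NTFS partition at LBA 2048; sector 0 overwritten
    with placeholder lock-screen code, original MBR stashed at sector 4."""
    orig = bytearray(SECTOR)
    orig[0:3] = b"\xeb\x3c\x90"                                    # stand-in boot code
    orig[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    orig[510:512] = MBR_SIG
    infected = bytearray(SECTOR)
    msg = b"CONSTRUCTED LOCK SCREEN PLACEHOLDER"
    infected[:len(msg)] = msg
    infected[446:512] = orig[446:512]                              # table and signature kept
    image = bytes(infected) + bytes(SECTOR * 3) + bytes(orig) + bytes(SECTOR * 2043)
    return bytes(orig), image
```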
Posts: 40
Joined: Tue Mar 16, 2010 8:08 pm

Thu Dec 02, 2010 3:26 pm

Here lately, my users have been getting a black screen after they enter their BIOS passwords.

Tried safe mode -> the recovery console that was installed on their hard drive; always a black screen.

Have to use some type of MBR restore tool and voila... everything works fine after we rebuild a new MBR.

I think it has something to do with this malware, or a crap variant of it.

Every user has been on Windows XP SP3.

Keep an eye out.
Posts: 2
Joined: Tue Oct 26, 2010 5:35 am

Sat Dec 04, 2010 11:02 am

Thanks EP_X0FF for the sample :)
Posts: 19
Joined: Mon Mar 29, 2010 8:18 pm

Sat Dec 04, 2010 4:30 pm

My 2 cents: this is only a "test" before we see malware which really encrypts the whole hard drive, with the keys being generated in a very complicated way, and so on.
Global Moderator
Posts: 228
Joined: Sun Mar 07, 2010 10:52 am

Sun Dec 05, 2010 4:19 pm

encrypts the whole hard drive
I don't think a full HDD encryption will be completed during this *long time* encryption process; something will BSOD.
Posts: 3
Joined: Sun Dec 12, 2010 10:50 pm

Sun Dec 12, 2010 11:39 pm

So how do I remove this infection?