[Radovan]

Hello
I've read about a new Ransom ware which re-writes the master boot record. It's dubbed Seftad, Does anyone have a sample of this?

More info: http://techblog.avira.com/2010/12/01/of ... omware/en/

[EP_X0FF]

Yes. It drops by Oficla loader.

Greets coming to Meriadoc for locating proper Oficla :)

For 773921 unblock key is aaaaaaciip, number is hardcoded.

http://www.virustotal.com/file-scan/rep ... 1291214716
http://www.virustotal.com/file-scan/rep ... 1291214741

[Jaxryley]

Thanks for samples Meriadoc/EP_X0FF.

[Jaxryley]

As a test I installed MBRguard in a Win 7 VM then ran this variant with the VM rebooting straight back into desktop.

Winner seems to be MBRguard.

http://www.blueridgenetworks.com/suppor ... bguard.php

[hot_UNP]

Thank you for sharing samples.
Hard disk is not encrypted and Original MBR backup in (Physical Disk) 0x800h (4th Sector)

[wealllbe20]

Here latley, My users have been just getting a black screen showing up after they enter their bios passwords..

tried safe mode-> recovery console that was installed on their hard drive, always a black screen.


Have to use some type of mbr restore tool and whalla... everything works fine after we rebuild a new mbr.

I think it has something to do with this malware, or a crap variant of it.

every user has been windows xp sp3.

Keep an eye out.

[Boyfriend]

Thanks EP_X0FF for sample :)

[Tesk]

My 2 cents - this is only a "test" before we see a malware which really encrypts the whole harddrive and the keys which are being generated are being generated a very complicated way and so on.

[GamingMasteR]

encrypts the whole harddrive

I don't think a full HDD encryption will be completed during this *long time* encryption process, something will BSOD .

[treehouse786]

so how do i remove this infection??