{"id":9432,"date":"2013-01-12T22:07:59","date_gmt":"2013-01-13T06:07:59","guid":{"rendered":"http:\/\/37prime.wordpress.com\/?p=9432"},"modified":"2013-01-12T22:07:59","modified_gmt":"2013-01-13T06:07:59","slug":"ransomware-part-2-the-java-connection","status":"publish","type":"post","link":"https:\/\/37prime.com\/news\/2013\/01\/12\/ransomware-part-2-the-java-connection\/","title":{"rendered":"Ransomware, Part 2 &#8211; The Java Connection"},"content":{"rendered":"<p>So, I have successfully removed the ransomware\/malware from the infected computer.<\/p>\n<p>Booting the computer into Safe Mode or Safe Mode with Networking would still activate the malware. That&#8217;s because it replaces the registry entry for the Windows shell, changing it from &#8220;Explorer.exe&#8221; to something else. So, boot the computer into &#8220;Safe Mode with Command Prompt&#8221; and type &#8220;regedit.exe&#8221; at the command prompt.<\/p>\n<p>In the registry editor, go to:<\/p>\n<blockquote><p>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon<\/p><\/blockquote>\n<p>In this particular case it was replaced with:<\/p>\n<blockquote><p>C:\\PROGRA~3\\dsgsdgdsgdsgw.bat<\/p><\/blockquote>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-Infected-Windows-Shell.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Ransomware Infected Windows Shell\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-Infected-Windows-Shell.jpg\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>Delete the entry and replace it with:<\/p>\n<blockquote><p>Explorer.exe<\/p><\/blockquote>\n<p>Reboot the computer into &#8220;Safe Mode with Networking&#8221; and launch a web browser. 
Download, install and run the following programs if you haven&#8217;t already:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.bleepingcomputer.com\/combofix\/how-to-use-combofix\" target=\"_blank\">Combofix<\/a><\/li>\n<li><a href=\"http:\/\/safety.live.com\/\" target=\"_blank\">Microsoft\u2019s Safety Scanner<\/a><\/li>\n<li><a href=\"http:\/\/www.microsoft.com\/security\/pc-security\/malware-removal.aspx\" target=\"_blank\">Microsoft\u2019s Malicious Software Removal Tool<\/a><\/li>\n<li><a href=\"http:\/\/www.malwarebytes.org\/\" target=\"_blank\">Malwarebytes AntiMalware<\/a><\/li>\n<li><a href=\"http:\/\/www.safer-networking.org\/en\/spybotsd\/index.html\" target=\"_blank\">Spybot \u2013 Search &amp; Destroy<\/a><\/li>\n<\/ul>\n<p>There are also other programs that can scan for and remove the malware.<\/p>\n<p>Combofix detected that userinit.exe is also infected.<\/p>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-Combofix-userinit.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Ransomware Combofix userinit\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-Combofix-userinit.jpg\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>Microsoft Security Essentials also detected the presence of <a href=\"http:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/entry.aspx?name=Trojan%3aJS%2fReveton.A&amp;threatid=2147678622\" target=\"_blank\">Trojan:JS\/Reveton.A<\/a> on January 11, 2013.<\/p>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-through-Java.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Ransomware through Java\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-through-Java.jpg\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>This computer was infected on Friday, January 11, 2013, shortly after news about the <a href=\"http:\/\/www.cnn.com\/2013\/01\/11\/tech\/web\/java-vulnerability\/\" target=\"_blank\">Java 
vulnerability<\/a> was reported. After further investigation, I found that the infection happened through a Java vulnerability. The infected computer had both Java 6 and 7 installed. <a href=\"http:\/\/www.malwarebytes.org\/products\/malwarebytes_free\/\" target=\"_blank\">Malwarebytes AntiMalware Free<\/a> detected and removed the malicious Java module. A similar vulnerability was found back in <a href=\"http:\/\/www.slate.com\/blogs\/future_tense\/2012\/08\/29\/java_zero_day_vulnerability_why_you_should_disable_java_on_your_browser_right_now_.html\" target=\"_blank\">August 2012<\/a>.<\/p>\n<p>Let&#8217;s take a look at the ransomware\/malware.<\/p>\n<p>It takes over the Windows user interface (UI) and replaces the Windows shell with a threatening message purporting to be from the United States Department of Justice: &#8220;YOUR COMPUTER HAS BEEN LOCKED&#8221;<\/p>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Ransomware\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware.jpg\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>The message says that the computer has been locked for one or more violations:<\/p>\n<ul>\n<li>Article &#8211; 184. Pornography involving children (under 18 years)<\/li>\n<li>Article &#8211; 171. Copyright<\/li>\n<li>Article &#8211; 113. The use of unlicensed software<\/li>\n<\/ul>\n<p>This is pretty much the same language used in other ransomware\/malware purporting to be from the FBI, the Police Cybercrime Investigation Department, etc. 
Some people might fall for this.<\/p>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-3-violations.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Ransomware 3 violations\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-3-violations.jpg\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>The malware also tries to activate the computer&#8217;s camera in order to scare the user. Even though the infected computer doesn&#8217;t have any camera installed, the malware pretends that it is recording video of the user.<\/p>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-video-recording.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Ransomware video recording\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-video-recording.jpg\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>The malware demands $300, paid via\u00a0<a href=\"https:\/\/www.moneypak.com\" target=\"_blank\">MoneyPak<\/a>, before it will unlock the computer.<\/p>\n<p><a href=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-MoneyPak.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Ransomware MoneyPak\" src=\"http:\/\/37prime.com\/news\/wp-content\/uploads\/2013\/01\/Ransomware-MoneyPak.jpg\" width=\"480\" height=\"270\" \/><\/a><\/p>\n<p>So convenient that the malware tells you where to get this MoneyPak.<\/p>\n<p>Anyway, you need to disable Java in your browsers.<\/p>\n<p>If you&#8217;re using Mozilla Firefox, follow the instructions here: <a href=\"http:\/\/support.mozilla.org\/en-US\/kb\/How%20to%20turn%20off%20Java%20applets\" target=\"_blank\">How to turn off Java applets<\/a><\/p>\n<p>If you&#8217;re using Google Chrome, go to:<\/p>\n<blockquote><p>Settings &gt; Privacy &gt; Content Settings &gt; Plug-ins &gt; select &#8220;Click to play&#8221;<\/p><\/blockquote>\n<p>Also go to <a target=\"_blank\">chrome:\/\/plugins\/<\/a> to manually 
disable Java if necessary (type chrome:\/\/plugins\/ into the address bar \/ omnibox).<\/p>\n<p>If you are using Safari, go to:<\/p>\n<blockquote><p>Preferences &gt; Security &gt; uncheck &#8220;Enable Java&#8221;<\/p><\/blockquote>\n<p>If you are using Internet Explorer, follow the <a href=\"http:\/\/nakedsecurity.sophos.com\/how-to-disable-java-internet-explorer\/\" target=\"_blank\">instructions from Sophos<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So, I have successfully removed the ransomware\/malware from the infected computer. Booting the computer up to Safe Mode or Safe Mode with Networking would still activate the malware. That&#8217;s because it replaces the registry entry for Windows Shell from &#8220;Explorer.exe&#8221; to something else. So, boot the computer to &#8220;Safe Mode with Command Prompt&#8221; and type &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/37prime.com\/news\/2013\/01\/12\/ransomware-part-2-the-java-connection\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Ransomware, Part 2 &#8211; The Java 
Connection&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[946,4],"tags":[1703,1871,1966,2229,2472,2511,2648,936,3039,3216],"class_list":["post-9432","post","type-post","status-publish","format-standard","hentry","category-announcements","category-news","tag-java","tag-linux","tag-malware","tag-os-x","tag-ransomware","tag-resources","tag-security","tag-tech","tag-troubleshooting","tag-windows"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pcNtU-2s8","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/posts\/9432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/comments?post=9432"}],"version-history":[{"count":0,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/posts\/9432\/revisions"}],"wp:attachment":[{"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/media?parent=9432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/categ
ories?post=9432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/37prime.com\/news\/wp-json\/wp\/v2\/tags?post=9432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}