Feb 04 2010

Forum spam links to fake AVs

There has been a new wave of spam on VBB forums targeting registered users. Miscreants impersonate forum administrators and send PMs to individual users, warning them about the "Dashfer virus", a fictitious "gateway virus".


The links in these messages actually lead to websites pushing fake AVs. These pages mimic the Windows Explorer interface of Windows XP, so users believe their computers really are infected and download the fake AV themselves.


Fake AVs are normally distributed through black-hat SEO. This time, however, we see them combined with forum spam, which shows that the bad guys never stop looking for new tricks to get malware onto users' computers.

Be cautious with information received from the Internet, and keep your antivirus software updated to the latest version. If you have any trouble with your computer, contact your AV vendor's professional support for help.

Analyst: Manh Hoai


Feb 02 2010

Bad Joke or Phishing?

The days when viruses were written out of passion for IT, or as a joke, are over; most viruses are now written for plain financial gain. You may have heard of, or even encountered, malware that steals online game passwords or banking account details, or fake antivirus software used for phishing. Hackers have used many methods and scenarios to reach their ultimate goal of collecting illicit money, and as soon as your computer is connected to the Internet you are exposed to the full range of them.

To counter this, security companies and antivirus vendors analyse new threats promptly and publish warnings to users through their Internet security bulletins. Each phishing method therefore gradually loses its effectiveness, and the bad guys are forced to switch to new ones. Recently, our system detected a new technique being used by hackers, which we call "racketeering encryption".

With "racketeering encryption", hackers write a virus that encrypts the user's data once it has infected the machine. Specifically, the virus (detected by Bkav as W32.RansomWare.Trojan) targets files with the following extensions: psd, msi, rar, zip, txt, doc, mp3, tif, jpg, jpeg, wma, lnk, docx, gif, bmp, xls, ppt, xlsx, pptx, docm, xlsm, pps, ppsx, ppd, tif, tiff, eps, png, ace, djvu, pdf, xml, rtf, cdr, max.


Picture 1: The file’s content before and after being encrypted.


Picture 2: Encryption algorithm
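Because the virus overwrites file contents in place (Picture 1), one quick triage step for an affected machine is to look for files carrying one of the targeted extensions whose leading bytes no longer match the format's known signature. The script below is an added example, not Bkav's tool or code from the post; the signature table, the file names and the `demo_sweep` helper are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post reports W32.RansomWare.Trojan targets.
TARGETED = {"psd", "msi", "rar", "zip", "txt", "doc", "mp3", "tif", "jpg", "jpeg",
            "wma", "lnk", "docx", "gif", "bmp", "xls", "ppt", "xlsx", "pptx",
            "docm", "xlsm", "pps", "ppsx", "ppd", "tiff", "eps", "png", "ace",
            "djvu", "pdf", "xml", "rtf", "cdr", "max"}

# Leading bytes of some of those formats (standard signatures, compiled here as
# an assumption; the post does not list them). A targeted file whose header no
# longer matches is a candidate for having been overwritten with ciphertext.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"], "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"], "pdf": [b"%PDF"], "bmp": [b"BM"], "psd": [b"8BPS"],
    "zip": [b"PK\x03\x04"], "docx": [b"PK\x03\x04"], "xlsx": [b"PK\x03\x04"],
    "pptx": [b"PK\x03\x04"], "rar": [b"Rar!\x1a\x07"], "rtf": [b"{\\rtf"],
    "doc": [b"\xd0\xcf\x11\xe0"], "xls": [b"\xd0\xcf\x11\xe0"], "ppt": [b"\xd0\xcf\x11\xe0"],
}

def header_mismatch(path: Path) -> bool:
    """True when the extension is targeted, has a known signature, and the
    file's first bytes match none of the expected signatures."""
    ext = path.suffix.lower().lstrip(".")
    if ext not in TARGETED or ext not in MAGIC:
        return False  # nothing reliable to compare against (e.g. txt, xml)
    with open(path, "rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(sig) for sig in MAGIC[ext])

def find_suspect_files(root) -> list:
    """Walk root and return the sorted paths of targeted files with a wrong header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if header_mismatch(p):
                    hits.append(str(p))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)

def demo_sweep() -> list:
    """Build a constructed sample tree in a temp dir and return the flagged basenames."""
    d = tempfile.mkdtemp()
    Path(d, "ok.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # intact image
    Path(d, "bad.png").write_bytes(bytes(range(32)))                    # header overwritten
    Path(d, "note.txt").write_bytes(b"plain text")                      # no signature to check
    return [Path(p).name for p in find_suspect_files(d)]
```

A header mismatch only flags candidates: files whose formats have no fixed signature (txt, xml, lnk) need other evidence, such as modification timestamps clustered around the infection.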

The virus then shows the user a message in Russian, opened in the Windows Notepad program. Translated into English, it reads as follows:

“All your files have been locked!

To unlock your computer, you need to pay 400 rubles into our account 41001473616253 from any ATM.

After the payment, send a scan of your bill to the email address: razb[removed]kompa@gmail.com

After we receive your money, instruction for unlocking your computer will be sent to your email address within 24 hours.

Instruction for the replenishment of our account can be found here:

Http://money.yandex.ru/i/shop/qiwi-instruction.jpg

Also you can pay in any other way. After the payment, write an email to inform us how and when you paid.”

Is 400 rubles (about 14 USD) a cheap price for all your precious data? Would you hand over this sum? If I were in this situation, my answer would always be "No", simply because there is a much better option: get help from antivirus experts. To remove this virus from your computer, download Bkav from http://www.bkis.com/home/DownloadE.aspx and install it. Then use BkavDecryptTool to decrypt the data the virus encrypted.

I hope you soon solve your virus problem and get back to your favorite work! :D

Nguyen Cong Cuong


Jan 13 2010

Bkis celebrated its 8th birthday

Founded on December 28, 2001 with only 2 members, Bkis has grown in 8 years into a solid team of as many as 500 members, most of them young and dedicated specialists and technicians. Bkis celebrated its 8th birthday with a music show at the Youth Theatre and a game day at West Lake WaterPark.

Below are some of the activities from the two-day celebration on December 26 and 27.

The music show on the night of December 26 opened with a dance performance by "Little Angels" from the Nightingale Club.

My Lan as a graceful MC

When virus specialists and security researchers become artists …

Bkis members prepared their own performances for a meaningful music show at the birthday celebration. Singing and dancing on stage, Bkisers performed like professional singers and actors.

All the performances showed careful practice and organization.

Bkis General Director Nguyen Tu Quang with the Board of Leadership's male voice choir, performing "Motherland Honoring" by Ho Bac

The inspiring "Bkis-made" performances held the audience's attention from the beginning to the end of the music show.

Awarding the team with best performance

The amateur performers' cheerfulness after 2 months of hard practice

Bkis "athletes" on the game day

Leaving their familiar computers and daily workload behind, Bkis staff headed to West Lake Waterpark on the morning of December 27 to enjoy a relaxing day together.

West Lake Waterpark was splendidly decorated to welcome Bkis members to exciting games

Even at play, Bkis members showed the same "one-for-all" spirit and "all-out effort" they show at work.

Two PGs, Hong Nhung and Nina, also enthusiastically joined the games with the Bkis family.

Success comes as result of solidarity.

Bkis today, with more than 500 members.

Mr. Nguyen Tu Quang, Bkis General Director, said at the company's 8th birthday celebration: "Eight years after its foundation, Bkis has grown into a solid union with more than 500 members from a 2-member centre at the beginning. The music show and the game day were held to enhance the solidarity among the company's staff."

Bkis


Jan 12 2010

Twitter faked to spread malware

On January 12, 2010, Bkis' malware monitoring system discovered an email worm propagation campaign. This time the hacker forges a Twitter invitation; if a gullible user opens the attached file, the computer is infected with the worm.

The familiar advice still applies here: be careful with suspicious information from the Internet, do not click on strange links or open unknown attachments, and above all keep your antivirus software updated to the latest version.

The latest version of Bkav detects the worm as W32.Hitwica.Worm.

According to our malware analysts, the worm also forges Hallmark and hi5 emails to deliver the malware.

Below is the detailed virus analysis:

1. Copies a file named "nvscv32.exe" to the %SysDir% directory.

2. Writes the following value:

“NVIDIA Driver Helper Service1” = “%VRPath%”

to the key HKCU\….\Run so that the virus is started automatically with Windows.

3. Writes to the key

HKLM\SYSTEM\ControlSet001\…..\StandardProfile\AuthorizedApplications\List

to bypass the firewall.

4. Sends emails with the virus file attached via the following mail servers:

mail.messaging.microsoft

smtp.freenet.am

mail1.freenet.am

mail.gmx.net

mail.lidskialf.net

smtp.styx.cabel.net

smtp.microset.ru

…………..

5. The emails have the following content:

=============================

From     : invitations[at]twitter.com

Subject : Your friend invited you to twitter!

Body     :

“Twitter is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:

What are you doing?

To join or to see who invited you, check the attachment.”

============================

From     : invitations[at]hi5.com

Subject : Jessica would like to be your friend on hi5!

Body     :


“I set up a hi5 profile and I want to add you as a friend so we can share pictures and start building our network.

First see your invitation card I attached!

Once you join, you will have a chance to create a profile, share pictures, and find friends.”

==========================

From     : e-cards[at]hallmark.com

Subject : You have received A Hallmark E-Card!

Body     :

“Hello!

You have recieved a Hallmark E-Card from your friend.

To see it, check the attachment.

There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

Hope to see you soon,

Your friends at Hallmark”
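Steps 1 to 3 above leave two registry traces that an incident responder can look for in an exported hive: the Run value named "NVIDIA Driver Helper Service1" (or any Run value whose data points at nvscv32.exe) and a firewall AuthorizedApplications entry for the same file. The checker below is an added example, not Bkav's detection code; the .reg sample is constructed, and the full key paths in it are assumptions, since the post abbreviates both keys, so the matching is done on the key tails only.

```python
import re

# Indicators taken from the analysis above.
DROPPED_FILE = "nvscv32.exe"
RUN_VALUE_NAME = "NVIDIA Driver Helper Service1"

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg_export(text: str) -> dict:
    """Parse the subset of the .reg format used here: [Key] headers followed by
    "name"="data" string values. Returns {key: {name: data}} with \\ unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name").replace("\\\\", "\\")
            keys[current][name] = m.group("data").replace("\\\\", "\\")
    return keys

def find_hitwica_indicators(text: str) -> list:
    """Return (kind, key, name, data) tuples for values matching the worm's traces.
    Key paths are matched on their tail because the post elides the middle."""
    findings = []
    for key, values in parse_reg_export(text).items():
        tail = key.lower()
        for name, data in values.items():
            if tail.endswith("\\run") and (name == RUN_VALUE_NAME or DROPPED_FILE in data.lower()):
                findings.append(("autorun", key, name, data))
            if tail.endswith("\\authorizedapplications\\list") and DROPPED_FILE in name.lower():
                findings.append(("firewall-exception", key, name, data))
    return findings

# Constructed sample export (not captured from an infected host); full key paths assumed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NVIDIA Driver Helper Service1"="C:\\WINDOWS\\system32\\nvscv32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\nvscv32.exe"="C:\\WINDOWS\\system32\\nvscv32.exe:*:Enabled:NVIDIA Driver Helper Service1"
'''
```

Run it over `reg export` output of the two hives and treat any finding as a prompt to pull the referenced file for scanning, since a legitimate NVIDIA service would not live under that file name.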

Analyst: Nguyen Hoai Cong


Jan 09 2010

Fake Google sites for spamming

We have just received reports from VBB forum administrators about a new round of spam spread via VBB forums.

Users who click the links in the spam post are redirected to a website whose domain name and interface imitate Google's.

The domain gogopillz.com was registered on Dec 10, 2009 by a person living in Russia, and it points to a server in the US.

Besides gogopillz.com, the spam post contains dozens of links to other websites that imitate the Google interface.

Nguyen Thanh Tuan
