Spam Using Japan Disaster Spreads Ransomware

According to Nicolas Brulez, researcher at Kaspersky Lab the IT security company, a spam campaign is ongoing that utilizes the subject of Japan's recent natural disaster for contaminating users with a ransomware payload the company has identified as Trojan-Ransom.Win32.PornoBlocker.jtg.

Worryingly, when Trojan-Ransom.Win32.PornoBlocker.jtg is planted on a target machine, it creates obstacles for the user to operate the computer as also a bogus alert gets exhibited asserting that there's child porn on his system.

Evidently, the alert poses as a message from the German Federal Police (GFP) as also tells the user that he's supposed to make a payment of Euro100 in fine before the expiry of 24-hrs otherwise his computer's hard-drive would be wiped off clean. The message also tells that the payment must be made through Ukash that requires users to use pre-paid cards wherein every card carries a distinct code. Naturally, for cyber-criminals this particular mode-of-payment is very effective as nobody would be able to trace or undo it. Softpedia.com published this in news on March 24, 2011.

Moreover, for making the alert more credible, the message exhibits the logos that Kaspersky Lab, Symantec, Microsoft and McAfee use along with the logo GFP uses.

Elaborates Brulez, the spoofed web-page of GFP in reality is one HTML implanted on the malicious code. Once run, the code opens one fresh window containing attributes that enables it to remain on top of any other active window.

Essentially with the freshly-opened window, the html document's content gets displayed via the OLE as well as the browser control. Thereafter, another malware develops that stops Task Manager as well as disables Windows Explorer. Immediately preceding that, the malware compromises Windows shell of default within the registry-unlocking codes, as also it substitutes explorer.exe. Subsequently, it stops taskmgr.exe from running while disables explorer.exe too after each 100ms so that user-interaction gets blocked. Securelist.com published this on March 24, 2011.

Remarked specialists on computer-safety, the above programs were proceeding to evolve rogueware while also getting more-and-more widespread. Instances had arisen when malware variants were just not possible to eliminate since by using uncrackable algorithms, they locked all documents from decrypting. Softpedia.com reported this.

Related article: Spam Scam Bags a Scottish Connection

» SPAMfighter News - 4/5/2011