Topic: PCs

New ransomware variant uses false child porn accusations

Summary: Researchers from BitDefender have detected a new ransomware variant currently spreading in the wild.

By Dancho Danchev for Zero Day | September 14, 2011 -- 05:54 GMT (22:54 PDT)

Researchers from BitDefender have detected a new ransomware variant currently spreading in the wild.

Once Trojan.Agent.ARVP locks down the infected PC, it displays a message saying that the PC is locked due to the fact that child pornography was found on the user’s system and the fine of 500 rubles must be paid within 12 hours. The Task Manager, Windows Explorer and User Init Logon Application are either killed or overwritten by the trojan in an attempt to prevent users from killing it.

The scammers says the user must pay within 12 hours or the “child-porn” case will be forwarded to the local police and all data stored on the personal computer will be blocked or deleted, the operating system uninstalled and the BIOS erased.

In reality, the data will still be there and the BIOS will not be affected after the 12-hour deadline passes. But the PC will remain locked. Paying the ransom will not unlock it. In-depth analysis of the malware revealed that there is no way to unlock the PC, so the promise of a code is false.

The malware is currently spreading over links distributed over social networks. Users are advised to be extra vigilant when dealing with suspicious links.

Topics: PCs, Hardware, Malware, Operating Systems, Security, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments

Log in or register to join the discussion

Find the people who released this

and execute them.

Dr_Zinj
14 September, 2011 09:31

Reply Vote
- RE: Find the people who released this and execute them.
  
  @Dr_Zinj
  
  Absolutely!
  
  When doing so, it is important to use a .50 cal round <i>right between the eyes.</i>
  
  fatman65536
  14 September, 2011 10:00
  
  Reply Vote
  - I don't think that's necessary,
    
    @fatman65536 , at close range a .22 or a 9mm can be just as effective with much less cost and mess.
    
    Muzhik1
    14 September, 2011 11:18
    
    Reply Vote
Only half the story...

So, you didn't tell us if "Safe Mode" is still available and IF any of the common antivirus or antimalware programs will remove it.
Also, does it affect System Restore and a users capability of going back to before they got this nasty bug?

rwbyshe@...
14 September, 2011 12:20

Reply Vote
- The story is there.
  
  @rwbyshe@... "In-depth analysis of the malware revealed that there is no way to unlock the PC". Translated: you're hosed. Hope you've got a good backup.
  
  dumptux
  14 September, 2011 17:27
  
  Reply Vote
- Brains here please...
  
  @rwbyshe@...
  
  If the article is correct, and for the sake of argument I am going to assume it is...the article says the computer is "locked down". If you don't know what that means, I understand your questions, but, if you do know what "locked down" means then why are you asking about going into safe mode or using system restore?
  
  I do agree that if you can reboot into safe mode then its not an absolute lockdown by any means. And one would expect there is no reason you couldn't then use system restore if the machine is functional in safe mode and of course the author should have mentioned that without a doubt. Its a huge game changer if thats the case obviously.
  
  Cayble
  16 September, 2011 11:37
  
  Reply Vote
  - Better yet, use a live CD
    
    @Cayble: Safe Mode is a good idea if it works, but I'd go for a live CD instead--that way you're assured the malware isn't running when you copy your data off to an external hard drive or what have you. Best tool for the job is probably the Ultimate Boot CD For Windows, though a live Linux disk would also work.
    
    LeonBA
    4 October, 2011 16:53
    
    Reply Vote