Virus offering


Sunny Chakraborty

Jan 10, 2013, 12:31:08 PM
to nynj-winterna...@googlegroups.com
Hi Guys
I have been working on some virus issues of late in my day job.
I am not sure if I should do this, but I am offering a copy of this virus in a ZIP file, before I clean it up.

Virus details:

Characteristics:
Gets activated on logon.
Gives you a page (probably Flash) and you can't move past it.
Task Manager is disabled.
If you try to scan the system with Malwarebytes, it detects the scan and terminates it.
It bypassed Trend Micro with the latest definitions.

Reason this is interesting:
It doesn't launch from all the normal places, which you can fix with the Autoruns utility.
No HKLM\...\Run or \RunEx etc.
No temp file path, but it could be hiding under other profiles.
Disables ping, firewall, all remote access options.
If you try to ping the box, you don't see it. But it will get its IP from DHCP and will connect to the internet.
I am not sure if it has its own DNS server; I didn't check that.
It has some interesting hooks into Windows apart from disabling CTRL+ALT+DEL and not allowing Explorer to load on logon.
It has hooks to the video camera.
Disables the networking component and ping.

I am working on the book, and notes and PowerShell stuff, and won't have time to investigate this as much as I want to.
So if anyone is interested, I can take a copy of the virus and dump it on Google Docs.

Use at your own risk :)

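The symptoms in the post (Explorer not loading at logon, Task Manager and the Ctrl+Alt+Del options gone, a scanner killed when it starts, nothing in the machine-wide Run keys but possibly something under another profile) each map to a documented Windows registry location. The script below is an added triage example, not code from the original post or its author, and it has not been run against this particular sample. It is read-only: it dumps the Winlogon Shell/Userinit values, the Ctrl+Alt+Del policy values, any Image File Execution Options "Debugger" entries (the standard way to make a named executable such as a scanner launch something else instead), the Run/RunOnce keys of every loaded user hive, and the firewall profile state. The "expected" defaults it compares against are stock Windows values assumed as a baseline; anything else is worth a look, not proof of infection.

```powershell
# Added triage example (not from the original post). Read-only; run from an
# elevated PowerShell prompt on the affected machine.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-LoadedUserHives {
    # Only hives of currently loaded profiles appear under HKEY_USERS;
    # other profiles need 'reg.exe load' first.
    Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object { "Registry::$($_.Name)" }
}

function Test-LogonShellHijack {
    # Explorer not loading at logon is usually a changed Shell or Userinit value.
    $winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()
    $shell = Get-RegValue "HKLM:\$winlogon" 'Shell'
    if ($shell -ne 'explorer.exe') { $findings += "HKLM Winlogon Shell = '$shell'" }
    $userinit = Get-RegValue "HKLM:\$winlogon" 'Userinit'
    # Stock default (assumed baseline): <SystemRoot>\system32\userinit.exe,
    if ($userinit -ne "$env:SystemRoot\system32\userinit.exe,") { $findings += "HKLM Winlogon Userinit = '$userinit'" }
    # A per-user Shell value overrides the machine-wide one for that profile.
    foreach ($hive in Get-LoadedUserHives) {
        $userShell = Get-RegValue "$hive\$winlogon" 'Shell'
        if ($userShell) { $findings += "$hive Winlogon Shell = '$userShell'" }
    }
    return $findings
}

function Test-CtrlAltDelPolicy {
    # These policy values back the Ctrl+Alt+Del screen options; 1 removes the option.
    $names = 'DisableTaskMgr', 'DisableLockWorkstation', 'DisableChangePassword'
    $roots = @('HKLM:') + @(Get-LoadedUserHives)
    $findings = @()
    foreach ($root in $roots) {
        foreach ($n in $names) {
            $v = Get-RegValue "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" $n
            if ($v) { $findings += "$root : $n = $v" }
        }
    }
    return $findings
}

function Get-IfeoDebugger {
    # A Debugger value under IFEO\<exe> runs that program instead of <exe>;
    # legitimate entries are rare, so list every one.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $findings = @()
    foreach ($key in Get-ChildItem $ifeo -ErrorAction SilentlyContinue) {
        $dbg = Get-RegValue $key.PSPath 'Debugger'
        if ($dbg) { $findings += "$($key.PSChildName) -> $dbg" }
    }
    return $findings
}

function Get-PerProfileRun {
    # Run/RunOnce of every loaded user hive, since HKLM was clean but other
    # profiles were not checked.
    $findings = @()
    foreach ($hive in Get-LoadedUserHives) {
        foreach ($sub in 'Run', 'RunOnce') {
            $props = Get-ItemProperty -Path "$hive\Software\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') { $findings += "$hive\$sub : $($p.Name) = $($p.Value)" }
            }
        }
    }
    return $findings
}

$report = [ordered]@{
    'Winlogon Shell/Userinit' = Test-LogonShellHijack
    'Ctrl+Alt+Del policies'   = Test-CtrlAltDelPolicy
    'IFEO Debugger entries'   = Get-IfeoDebugger
    'Per-profile Run keys'    = Get-PerProfileRun
}
foreach ($section in $report.Keys) {
    Write-Host "== $section =="
    $items = @($report[$section])
    if ($items.Count -eq 0) { Write-Host '  (nothing found)' } else { $items | ForEach-Object { Write-Host "  $_" } }
}
Write-Host '== Firewall profile state =='
netsh advfirewall show allprofiles state
```

For profiles that are not logged in, load the hive first (reg.exe load HKU\tmp C:\Users\<name>\NTUSER.DAT) so it shows up under HKEY_USERS, and unload it afterwards. This covers the locations the post names; it does not replace Autoruns, which also walks services, drivers, scheduled tasks and WMI subscriptions.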