
Chinese Ransomlock malware changes Windows Login



http://forums.whatthetech.com/index.php?showtopic=108882&st=45&&do=findComment&comment=825668


FYI...


Chinese Ransomlock malware changes Windows Login Credentials

- http://www.symantec.com/connect/blogs/chin...gin-credentials

21 Aug 2013 - "... new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked. This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to tan123456789 (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to "contact [IM ACCOUNT USER ID] if you want to know the password" (English translation) so that once the computer has restarted, and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.

Login screen with changed account name after system restart

> https://www.symantec.com/connect/sites/defa...igure1_Edit.png

If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked. Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:

1. Use password tan123456789 to log into the system and reset the password (as mentioned before, this might -not- always work as the password may be changed by the malware author)

2. Use another administrator account to log into the system and reset the password

3. If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password

4. Use Windows recovery disk to reset the password."


:ph34r: <_<

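The recovery steps quoted above (log in with the hardcoded password, or with another administrator account / safe mode, then reset the password) can be scripted. The following is an added example written for this page; it is not from the Symantec write-up or the forum post, and it uses WMI and ADSI rather than the newer `*-LocalUser` cmdlets so that it also runs on the Windows 7-era systems the threat targeted. It is meant to be run from a working local Administrator session (options 2 or 3 above). The account name `victim`, the candidate-detection heuristic (a local account name containing whitespace or non-ASCII text) and the temporary-password policy are assumptions; the password `tan123456789` is the one reported in the sample.

```powershell
<#
  Added example (not from the Symantec post or the forum thread): restore a
  local account whose name and password were overwritten by the ransomlock
  described above. Run elevated from another administrator account or in
  safe mode. Account names below are assumptions.
#>
param(
    # Name to give the victim account back (ASSUMED). The malware replaces
    # the real name with the "contact <IM ID> for the password" message.
    [string]$RestoreName = 'victim',
    # Explicit renamed account to fix; when empty the script searches for one.
    [string]$SuspectName = '',
    # Password hardcoded in the sample Symantec analysed.
    [string]$KnownRansomPassword = 'tan123456789'
)

$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-LocalCredential {
    param([string]$Name, [string]$Password)
    # Validate against the local SAM without spawning a logon session.
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine)
    return $ctx.ValidateCredentials($Name, $Password)
}

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 characters (I, O, i, l, 0, 1 left out for readability), so byte % 64
    # is unbiased. Backed by the system CSPRNG.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# 1. Enumerate local accounts. The renamed account stands out because a real
#    local account name rarely contains spaces or non-ASCII (here Chinese) text.
$local = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"
if ($SuspectName) {
    $suspects = @($local | Where-Object { $_.Name -eq $SuspectName })
} else {
    $suspects = @($local | Where-Object {
        -not $_.Disabled -and ($_.Name -match '\s' -or $_.Name -match '[^\x00-\x7F]')
    })
}
if ($suspects.Count -ne 1) {
    Write-Warning ("Found {0} candidate accounts; rerun with -SuspectName." -f $suspects.Count)
    $local | Select-Object Name, SID, Disabled | Format-Table -AutoSize
    return
}
$acct = $suspects[0]
Write-Host "Renamed account: '$($acct.Name)' (SID $($acct.SID))"

# 2. Indicator check: does the sample's hardcoded password still work? If not,
#    the author has shipped a variant with a new password (the write-up warns
#    about this); the account is reset either way.
if (Test-LocalCredential -Name $acct.Name -Password $KnownRansomPassword) {
    Write-Host "Hardcoded password '$KnownRansomPassword' is still set."
} else {
    Write-Host 'Hardcoded password rejected: probably an updated variant.'
}

# 3. Reset the password through ADSI so it never appears on a command line.
$newPassword = New-RandomPassword
$adsi = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),user"
$adsi.SetPassword($newPassword)
$adsi.SetInfo()

# 4. Give the account its name back. Renaming keeps the SID, so the user's
#    profile and ACLs are untouched. Rename() returns 0 on success.
$result = $acct.Rename($RestoreName)
if ($result.ReturnValue -ne 0) {
    throw "Rename failed, Win32_UserAccount return code $($result.ReturnValue)"
}
# Force a password change at next logon; the temporary password is printed once.
net user "$RestoreName" /logonpasswordchg:yes | Out-Null
Write-Host "Account restored as '$RestoreName'. Temporary password: $newPassword"
Write-Host 'Have the user change it at next logon, then remove the malware itself.'
```

Restoring the name and password only undoes the lockout; the dropper that made the change is still on disk and will run again at the next boot unless it is removed, so the reset should be followed by a scan or manual cleanup of the persistence the threat installed. If more than one account matches the heuristic (for example a legitimately named account with a space in it), the script lists the local accounts and exits so that the operator can pass the right one with `-SuspectName`.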
