Another story about the battle against Trojan-Ransom
An impromptu sketch on the theme "My security is in my hands." In this article the author describes in detail the procedure for disinfecting a system hit by the malware Trojan-Ransom.Win32.Chameleon. It is a very topical and useful lesson.
This time I will talk about Trojan-Ransom.Win32.Chameleon.
After the computer restarts, the following message is displayed:
Translated, the text reads:
Warning! An online scan of the computer showed that your system is infected. The malicious program is gradually infecting all the files on your computer. The virus is temporarily locked, but its encryption algorithm varies. You need to know the virus's encryption algorithm at this moment to remove it. To do so, send an SMS with the text 7488004 to the number 8353. After sending it you will receive a key that disables the virus. Enter the key and the program will remove the virus.
The encryption algorithm will change after 175 seconds (after this time you will need to remove it).
The Trojan even dares to mention Kaspersky Lab:
Translated, the text reads:
Kaspersky Lab: Warning! The virus's encryption algorithm has changed. It is recommended to remove it.
While the user is deciding what to do next, the Trojan prevents Task Manager from being launched and closes all the windows the user opens.
The Trojan copies its body into the Windows system directory under the name "user32.exe" and changes the value in the following key so that it is run instead of Explorer.exe:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
from
to
And now we face the usual anti-virus dilemma: what do you do with a file whose removal leaves the operating system non-functional?
At the time of infection the situation in the operating system is as follows: Explorer does not start; the malicious file is launched in its place. If you simply remove the Trojan in this situation (which is what all antivirus programs do), the problem is not solved. Yes, we get rid of the malicious file, but the system is as non-functional as before, because Explorer still does not run and Task Manager is still blocked.
How do we solve the problem? We need a Live CD. If you do not have one, download and burn it. I chose Ubuntu, but you can choose any distribution that supports NTFS.
Reboot the infected machine and boot from the disc. The steps are as follows:
Open the equivalent of "My Computer":
Then go to the system drive. If you do not know which drive is the system one, go through them until you find the "Windows" and "Program Files" directories that mark the system drive:
Once the system partition is found, follow the path "WINDOWS\system32". There we find the file User32.exe and delete it.
WARNING! There are also User.exe and User32.dll in that directory, but we delete only the User32.exe file.
And now you will probably ask: "Why is this solution better than what anti-virus software offers?" It is better because we control the situation instead of resting on our laurels.
Then we have the following problem: the value in the system registry still points to the Trojan file, which now no longer exists. Ubuntu (and other distributions) have no built-in tools for editing Windows registry files, and no wonder, because Linux has no registry.
The solution is as in the old saying: "If the mountain will not come to Muhammad, then Muhammad must go to the mountain." If we cannot change the link, then we change the file!
Going one level up from "WINDOWS\system32" to "WINDOWS", we find the file explorer.exe there and copy it:
Then we put it in the place of the deleted file User32.exe, not forgetting to rename it accordingly:
Then we restart the system:
And the following message is displayed:
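The Live CD steps above (find the system volume by its "Windows" and "Program Files" directories, remove system32\user32.exe, put a copy of explorer.exe in its place) as a bash script for a Linux live system; this is an added example, not code from the original article. It assumes the NTFS volumes are already mounted read-write (for example with ntfs-3g), matches names case-insensitively because such mounts are case-sensitive, and moves the Trojan copy to a quarantine name instead of deleting it so it can be handed to an antivirus afterwards.

```bash
#!/bin/bash
# Added example, not from the original article: offline repair of a Windows
# volume from a Linux live system, following the article's steps.
# Assumptions: the NTFS volumes are already mounted read-write (ntfs-3g);
# such mounts are case-sensitive, so names are matched case-insensitively.

# Print the path of a direct child of $1 whose name matches $2, ignoring case.
find_ci() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -print -quit
}

# True if $1 looks like a Windows system volume: it holds both
# "Windows" and "Program Files" (the article's test for the system drive).
is_system_volume() {
    [ -n "$(find_ci "$1" windows)" ] && [ -n "$(find_ci "$1" 'program files')" ]
}

# Neutralise the Trojan on volume $1: move system32\user32.exe (the Trojan
# body the registry now starts instead of Explorer) to a quarantine name,
# then place a copy of Windows\explorer.exe under that name so the unchanged
# registry value starts the real shell. User.exe and User32.dll are not touched.
# Returns 0 on success, 1 if nothing to repair, 2 if already repaired.
repair_volume() {
    local root="$1" windir sys32 bad good
    windir=$(find_ci "$root" windows)
    [ -n "$windir" ] || return 1
    sys32=$(find_ci "$windir" system32)
    [ -n "$sys32" ] || return 1
    bad=$(find_ci "$sys32" user32.exe)       # a clean system32 has no user32.exe
    [ -n "$bad" ] || { echo "no user32.exe in $sys32, nothing to repair"; return 1; }
    good=$(find_ci "$windir" explorer.exe)
    [ -n "$good" ] || { echo "explorer.exe missing in $windir"; return 1; }
    if [ "$(cksum < "$bad")" = "$(cksum < "$good")" ]; then
        echo "user32.exe is already a copy of explorer.exe"; return 2
    fi
    mv "$bad" "$windir/user32.exe.quarantined"   # keep the sample for the antivirus
    cp "$good" "$sys32/user32.exe"
    echo "replaced $bad with a copy of $good"
}

# Try each mount point given as an argument and repair the system volume.
repair_all() {
    local m
    for m in "$@"; do
        is_system_volume "$m" && repair_volume "$m" && return 0
    done
    return 1
}
```

Run it as `repair_all /media/*` from the live system after mounting the disks; the quarantined file is left next to explorer.exe under a name Windows will never execute.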
After the system restarts we see our own desktop:
And the usual tools that let us restore Task Manager and the registry key values:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
from
to
Using these tools we can also find the original Trojan file. However, that last step can be left to the antivirus.