The idea of using pending file rename operations came to me while I was looking for another way to outwit Trojan-ransoms. Consider the example of Trojan-Ransom.Win32.PogBlock.xg.
The Trojan blocks the system and causes the following message to be displayed:
The translated text reads as follows:
This is a notice that payment is required. You had free trial (one hour) access to view an erotic video. According to the user agreement you have to pay for full monthly access. This notice will be displayed until the payment is made. To pay, you need to send an SMS with the text 590110998 to the number 9691. Enter the received code.
Attention! Refusal to pay may cause harm to the computer and the loss of important information.
On the one hand, almost the entire screen is blocked; on the other, Internet Explorer is running, as evidenced by the presence of the "Start" menu.
A detailed study of the malware showed that it installs itself as follows:
1. The Trojan extracts an executable file from its body and places it in the current user's Windows temporary folder.
2. The Trojan also extracts a malicious library into the same folder.
3. To ensure that it is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:
An experienced malware analyst will smile and say: "The Trojan will not be launched if the computer is rebooted in Safe Mode." And he will be right. But we want to use an unusual way.
The self-defense mechanism of the Trojan is as follows. The executable file displays the payment notice. It injects code from the library into all running processes. This code checks that the executable file is running and, if it does not find the malicious process, starts it again. Thus, simply terminating the Trojan process is not enough. The Trojan constantly monitors its startup key and restores it if it is removed. You cannot delete the malicious executable file and the library either, because they are constantly running.
It is time to remember the pending file rename operations:
In the system registry (starting from Windows 2000) we can create, in the key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, the parameter PendingFileRenameOperations.
This parameter holds pairs of strings: the first is the name of the file that must be renamed, the second is the new name. If the second string is not specified, the file is simply deleted. All this happens at a very early stage of boot, before autorun entries are processed.
The file name must be specified with a full path, prefixed with two question marks between backslashes (\??\). In our case, the path to the malicious file looks like this: \??\C:\Documents and Settings\test\Local Settings\Temp\userwgkg.exe
But the question arises: how do we write it to the system registry if the entire screen is blocked by the ransom notice?
Autorun will help us!
As mentioned before, Internet Explorer is running, which means autorun will be triggered (provided, of course, that you have not disabled it).
You can use a USB drive or burn a disc. The autorun.inf written to the removable media should have the following content:
A batch file, called "run.bat" in this example, is placed on the same removable media. It contains the console command that writes to the system registry:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" - add to the specified key.
/v PendingFileRenameOperations - the value name.
/t REG_MULTI_SZ - the value type is "multi-string"; simply put, several lines.
/d "\??\C:\Documents and Settings\test\Local Settings\Temp\userwgkg.exe\02" - the data: strings separated by the characters "\0". The "2" is the name that the file userwgkg.exe will be renamed to; it could be anything.
/F - do not ask for confirmation.
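As an added example (not code from the original post), the following Python builds the REG_MULTI_SZ data and the reg.exe command line described above from (source, target) pairs, and also parses an existing value back into pairs so that an incident responder can see what will be renamed or deleted at the next boot. The Trojan path is the one quoted on the page; the second, deleted library path is a constructed sample.

```python
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"  # PendingFileRenameOperations expects NT-style paths
REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"


def nt_path(path: str) -> str:
    """Prefix a Win32 path with \\??\\ unless it already carries it."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def encode_pending_ops(ops: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Flatten (source, target) pairs into the list of REG_MULTI_SZ strings.

    A target of None or "" means "delete the file at early boot"; a
    non-empty target is used verbatim, as the page does with "2".
    """
    strings: List[str] = []
    for src, dst in ops:
        strings.append(nt_path(src))
        strings.append(dst or "")
    return strings


def reg_add_command(ops: List[Tuple[str, Optional[str]]]) -> str:
    """Render the reg.exe line for run.bat; reg.exe separates REG_MULTI_SZ
    strings in /d with the two literal characters backslash and zero."""
    data = "\\0".join(encode_pending_ops(ops))
    return f'reg add "{REG_KEY}" /v {REG_VALUE} /t REG_MULTI_SZ /d "{data}" /f'


def decode_pending_ops(strings: List[str]) -> List[Tuple[str, str]]:
    """Pair up the strings of an existing value; target "" means delete."""
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is malformed")
    return [(strings[i], strings[i + 1]) for i in range(0, len(strings), 2)]


def describe(strings: List[str]) -> List[str]:
    """Human-readable triage summary of what SMSS will do at next boot."""
    return [f"delete {src}" if not dst else f"rename {src} -> {dst}"
            for src, dst in decode_pending_ops(strings)]


if __name__ == "__main__":
    # Constructed sample: rename the Trojan exe (page's case) and delete its library.
    temp = r"C:\Documents and Settings\test\Local Settings\Temp"
    ops = [(temp + r"\userwgkg.exe", "2"), (temp + r"\sample_library.dll", None)]
    print(reg_add_command(ops))
    print("\n".join(describe(encode_pending_ops(ops))))
```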
Insert the USB flash drive or disc into the infected computer. Reboot and get a normal desktop:
The renamed Trojan files, no longer running, remain in the current user's Windows temporary folder, so we can continue to examine them:
All this, of course, is possible only after a detailed study of the Trojan, but the basic idea is as follows: you can use the pending file rename key to delete or rename the Trojan, and this key can be created automatically using the same technology that autorun worms use.