
Fresh winlocker offered for dissection

My wife recently caught a winlocker. With some effort I managed to regain control of the computer and remove it. After checking the winlocker on the Kaspersky site, I found that it was added to the Kaspersky databases only today. Nothing is known about it yet.

What I know:
For Beeline subscribers, this virus asks you to send the text "79626806360 600" to the number 3116; for MegaFon subscribers, the text "9626806340" to the number 84444.

Or to pay 600 rubles through a payment terminal to the number 89626806359.

I can't say right now which site the virus was picked up from. My wife was looking for examples of PowerPoint presentations.

The file itself was caught through IE8. In the temporary folder it is saved as calc.exe, with the WinRAR icon and an executable description like WinRAR's. After launch, it creates in the %WINROOT% directory a batch file (RUNDLL.bat) and an executable (a copy of calc.exe, this time named nvcvc32.exe), sets explorer.exe as the shell and passes it the path to rundll.bat.
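A defender's check for the persistence mechanism described above, added here and not part of the original post. It assumes the "shell" the author mentions is the Winlogon Shell registry value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell), which on a stock system holds just explorer.exe; anything appended to it, above all the RUNDLL.bat / nvcvc32.exe names from the post, is flagged. The live registry read only works on Windows; the analysis function runs anywhere on an exported value.

```python
import os
import re
import sys
from typing import List, Optional

# Stock Winlogon Shell value: the bare program name, nothing else.
EXPECTED_SHELL = "explorer.exe"
# File names the post reports being dropped into %WINROOT% (taken from the post).
DROPPED_NAMES = {"rundll.bat", "nvcvc32.exe"}


def analyze_shell_value(shell_value: str) -> List[str]:
    """Return findings for a Winlogon 'Shell' value; [] means it looks stock."""
    findings = []
    # The value may list several programs separated by commas or spaces, so
    # "explorer.exe C:\WINDOWS\RUNDLL.bat" splits into two tokens.
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    if not tokens:
        return ["Shell value is empty"]
    if tokens[0].lower() != EXPECTED_SHELL:
        findings.append(f"shell is not explorer.exe: {tokens[0]}")
    for extra in tokens[1:]:
        name = os.path.basename(extra.replace("\\", "/")).lower()
        if name in DROPPED_NAMES:
            findings.append(f"known dropped file referenced: {extra}")
        elif name.endswith(".bat"):
            findings.append(f"batch file launched with the shell: {extra}")
        else:
            findings.append(f"unexpected extra shell argument: {extra}")
    return findings


def read_winlogon_shell() -> Optional[str]:
    """Read the live Shell value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
        return value


def dropped_files_present(windir: str) -> List[str]:
    """Which of the reported dropped files exist in the Windows directory."""
    return [n for n in sorted(DROPPED_NAMES) if os.path.exists(os.path.join(windir, n))]


if __name__ == "__main__":
    live = read_winlogon_shell()
    if live is None:
        print("not on Windows; call analyze_shell_value() on an exported value")
    else:
        print("\n".join(analyze_shell_value(live) or ["Shell value looks stock"]))
        print("dropped files present:", dropped_files_present(os.environ.get("SystemRoot", r"C:\Windows")))
```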

Unfortunately, I didn't manage to take a screenshot in time.

At the moment, the file has been sent to Dr.Web, and I've called Beeline and reported the numbers.

What I'd like now: I don't know how to dissect files, so I'm asking someone to investigate the winlocker and then write an interesting post about it on Habr :)

Link to file: WinRAR archive with password. Password: virus

Source: https://habr.com/ru/post/112378/
