Another rant.
Today a situation familiar to many happened to me. A call: please help with the computer. The reason is also banal: a link arrived in ICQ, it was opened, and "everything stopped working". The computer has Opera and Dr.Web on it, because at some point I had felt uneasy about it. A fierce beast, that one.
I started to figure it out. The painfully familiar "Your system is locked", please pay via SMS. Yeah, right, as if.

Although this post is not about trojans, I will still describe the cleanup process, just in case it comes in handy for someone. The message was the following: "You are using unlicensed software"; to continue using it, send the message o501om to number 6008.
What a beauty, I thought: install a pirated Windows, send an SMS, and get back to work.
The system did not react to any of my actions.
The unlock code did not work after five tries, and Win+U did nothing. In general, the previous tips fell away.
Solutions
What saved me was booting into safe mode with command prompt support, and running Explorer and the registry editor from that command prompt. In the registry I fixed the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The value of the Shell parameter was clearly bogus: the path registered there pointed to a "parasitic" file, which I deleted successfully (along the way I also deleted a couple more dodgy files in the Windows folder). Then the Shell value had to be returned to its original state, that is, set to "Explorer".
The trojan also blocked the Task Manager, which is easily fixed in the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System branch, DisableTaskMgr parameter (set the value to 0).
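The same two checks and fixes, as an added PowerShell example that is not part of the original post. It inspects the Winlogon Shell value (the stock default is explorer.exe; winlockers either replace it outright or append their own path after a comma), reports any entry that is not explorer.exe so the file can be found and deleted, and clears DisableTaskMgr. It also looks at Userinit and at the per-user Shell override under HKCU, two neighbouring values the post does not mention but that are routinely abused the same way; those are my additions. Run it from an elevated prompt in safe mode with command prompt, and pass -WhatIf first to see what it would change.

```powershell
# Added example: audit and repair the registry values a winlocker typically hijacks.
# Not from the original post. Run elevated, ideally from Safe Mode with Command Prompt.

$Winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserWinlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user Shell override (my addition)
$Policies     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Windows actually accepts a comma-separated list in Shell, so split it and
# keep only the entries that are not the stock explorer.exe.
function Get-ForeignShellEntries {
    param([string]$ShellValue)
    if (-not $ShellValue) { return @() }
    $ShellValue -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ($_ -notmatch '^(.*\\)?explorer\.exe$') }
}

function Get-WinlockerState {
    $shell    = (Get-ItemProperty -Path $Winlogon -Name Shell    -ErrorAction SilentlyContinue).Shell
    $userinit = (Get-ItemProperty -Path $Winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    $hkcuShell = (Get-ItemProperty -Path $UserWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    $taskmgr  = (Get-ItemProperty -Path $Policies -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    [pscustomobject]@{
        Shell          = $shell
        ForeignShell   = @(Get-ForeignShellEntries $shell)
        HkcuShell      = $hkcuShell                     # should normally be absent
        Userinit       = $userinit                       # stock value is C:\Windows\system32\userinit.exe,
        ForeignUserinit = @(($userinit -split ',') | ForEach-Object { $_.Trim() } |
                           Where-Object { $_ -and $_ -notmatch 'userinit\.exe$' })
        DisableTaskMgr = $taskmgr
    }
}

function Repair-WinlockerState {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-WinlockerState

    if ($state.ForeignShell.Count -gt 0) {
        # Print the hijacked paths first: these are the files to delete afterwards.
        Write-Warning ("Shell points at: " + ($state.ForeignShell -join ' ; '))
        if ($PSCmdlet.ShouldProcess("$Winlogon\Shell", "reset to explorer.exe")) {
            Set-ItemProperty -Path $Winlogon -Name Shell -Value 'explorer.exe'
        }
    }
    if ($state.HkcuShell) {
        Write-Warning "Per-user Shell override present: $($state.HkcuShell)"
        if ($PSCmdlet.ShouldProcess("$UserWinlogon\Shell", "remove")) {
            Remove-ItemProperty -Path $UserWinlogon -Name Shell
        }
    }
    if ($state.ForeignUserinit.Count -gt 0) {
        Write-Warning ("Userinit has extra entries: " + ($state.ForeignUserinit -join ' ; '))
        if ($PSCmdlet.ShouldProcess("$Winlogon\Userinit", "reset to userinit.exe")) {
            Set-ItemProperty -Path $Winlogon -Name Userinit -Value 'C:\Windows\system32\userinit.exe,'
        }
    }
    if ($state.DisableTaskMgr -eq 1) {
        if ($PSCmdlet.ShouldProcess("$Policies\DisableTaskMgr", "set to 0")) {
            Set-ItemProperty -Path $Policies -Name DisableTaskMgr -Value 0 -Type DWord
        }
    }
    Get-WinlockerState
}

# Usage: first dry-run, then apply.
#   Repair-WinlockerState -WhatIf
#   Repair-WinlockerState
```

The script only rewrites registry values; deleting the file it points at is left to you, on purpose, so that you can copy it somewhere first for analysis.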
By the way, Dr.Web (as far as I know) did not suspect anything and never made a sound.
And what's inside?
But actually, that is not what I am here about. I was wondering what kind of beast I had caught. Curiosity got the better of me. So at home, armed with a virtual machine and Firebug, I set out to understand it.
The link looked like this:
http://******/**/chototam.gif
Well, yes, a GIF. Opening the headers, we immediately see a redirect to
http://******/**/chototam.gif/
which in turn returns the header
Content-Disposition: attachment; filename="foto20.src"
i.e. an offer to download. We download a nice little file with the ICQ 5 icon. I did not run it, since the result is known in principle anyway, and I do not have enough knowledge in this area to pick it apart any further.
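The same header walk done from a throwaway VM without touching the body, as an added PowerShell example that is not part of the original post. It uses .NET HttpWebRequest with AllowAutoRedirect disabled, which hands back each 3xx response instead of silently following it, prints Status, Location, Content-Type and Content-Disposition per hop, and flags the pattern seen here: an "image" URL whose final hop serves an attachment. The post's URL is masked, so the address in the usage line is a placeholder of mine.

```powershell
# Added example: follow redirects one hop at a time and show only the response headers.
# Not from the original post. Run inside a VM; it never saves the response body.

function Get-LinkHeaders {
    param([Parameter(Mandatory)][string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'                 # some hosts refuse HEAD; we simply do not read the body
    $req.AllowAutoRedirect = $false     # return 301/302 responses instead of following them
    $req.UserAgent = 'Mozilla/5.0'
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response    # 4xx/5xx still carry headers worth seeing
        if (-not $resp) { throw }
    }
    $out = [pscustomobject]@{
        Url                = $Url
        Status             = [int]$resp.StatusCode
        Location           = $resp.Headers['Location']
        ContentType        = $resp.ContentType
        ContentDisposition = $resp.Headers['Content-Disposition']
    }
    $resp.Close()                       # aborts the transfer before any body is read
    $out
}

function Trace-Link {
    param([Parameter(Mandatory)][string]$Url, [int]$MaxHops = 5)
    $hops = @()
    $current = $Url
    for ($i = 0; $i -lt $MaxHops -and $current; $i++) {
        $h = Get-LinkHeaders -Url $current
        $hops += $h
        if ($h.Status -ge 300 -and $h.Status -lt 400 -and $h.Location) {
            # Location may be relative, so resolve it against the current URL.
            $current = [uri]::new([uri]$current, $h.Location).AbsoluteUri
        } else {
            break
        }
    }
    $final = $hops[-1]
    $looksLikeImage = $Url -match '\.(gif|jpe?g|png|bmp)(/|\?|$)'
    if ($looksLikeImage -and $final.ContentDisposition -match 'attachment') {
        Write-Warning ("'$Url' claims to be an image but ends in a download: " +
                       $final.ContentDisposition)
    }
    $hops | Format-Table Status, Url, Location, ContentType, ContentDisposition -AutoSize
}

# Usage (placeholder address, the real one is masked in the post):
#   Trace-Link 'http://example.invalid/x/chototam.gif'
```

Do this in a snapshot VM only: merely opening the redirect in a normal browser already prompts the download, which is exactly how the link in the post worked.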
Verdict
What actually surprised me was the website address: altein.ru. Something painfully familiar about it. I went there cautiously, and look, bah! A web development studio from Yekaterinburg. That's the last place I expected to see this. Well, I thought, so much for trusting them to build websites if they store the FTP passwords for their own sites who knows how. If they can't even protect their own site.
By the way, the site itself showed no signs of anything bad (although I only skimmed it): neither iframes nor javascripts. And the most interesting thing: neither Dr.Web nor Kaspersky complained about the site itself, the page with the trojan, or the trojan itself (!), which I carefully uploaded to their sites for review.
So, what I actually want to say is this. It is insulting. Threefold, even. First, it is insulting that there are such goats who spam all sorts of nonsense and brazenly demand money. Second, it is insulting that people fall for it (and what way out do they have, if there is no familiar "specialist"?). Third, they build websites, and build a lot of them, and are themselves so careless with information and passwords.
I feel for the people. The deception comes not only from "evil hackers" but also from a seemingly big studio: they build websites, but their own... And they sell well. And they shout that "our sites are the safest, blah blah blah". Yeah, nowhere safer.
PS: To pre-empt the question: yes, I immediately wrote a letter to that company asking them to check their site.