Recovery of the OS after the ransomware virus
My best friend brought me a look at a netbook on which the viruses strolled severely, and asked for help in cleaning the system from the zoo. For the first time I saw with my own eyes a funny branch in the development of malware: “extortionists”. Such programs block some of the functions of the operating system and require sending an SMS message to obtain an unlock code. The treatment was not entirely trivial, and I thought that maybe this story would save someone a few nerve cells. I tried to provide links to all sites and utilities that were needed during the treatment.
In this case, the virus posed as an Internet Security antivirus program and required sending SMS K207815200 to the number 4460. The Kaspersky Lab website has a page allowing you to generate response codes to the “extortionists”: support.kaspersky.com/viruses/deblocker
A page with detailed recommendations on combating extortionists is available at DrWeb: www.drweb.com/unlocker/index/?lng=ru
')
However, after the introduction of the code, the OS functions remained blocked, and the launch of any antivirus program led to the instant opening of the virus window, which diligently emulated the work of the antivirus:
Attempts to boot into safe modes led to exactly the same result. Also, it was complicated by the fact that the passwords for all administrator accounts were empty, and the entrance to the computer over the network for administrators with an empty password was, by default, obscured by policy.
I had to boot from a USB Flash disk (in a netbook, by definition, there is no disk drive). The easiest way to make a bootable USB drive:
1. Format the disk in NTFS
2. Making the partition active (diskpart -> select disk x -> select partition x -> active)
3. Use the \ boot \ bootsect.exe utility from the Vista / Windows 2008 / Windows 7 distribution: bootsect / nt60 X: / mbr
4. Copy all distribution files (I had a Windows 2008 distribution on hand) onto a usb disk. Everything can be loaded.
Since we do not need to install the OS, but to disinfect viruses, we copy a set of free lechilok ( AVZ , CureIt ) and auxiliary utilities (looking ahead, I needed Streams from Mark Russinovich) and Far to disk. Reboot the netbook, in BIOS we set the boot from USB.
Windows 2008 installation program is loaded, we agree with the choice of language, Install now and then press Shift + F10. A command prompt window appears from which we can launch our anti-virus tools and search for infection on the system disk. Then I ran into difficulty, CureIt dropped the system into the blue screen of death and cursed the error of working with NTFS, but AVZ, although it worked, could not find anything. Apparently the virus is very, very fresh. The only clue is the AVZ's message that the executable code was found in an additional NTSF stream for one of the files in the Windows directory. It seemed strange and suspicious to me, since the additional NTFS streams are used in very specific cases and nothing executable there should be stored on normal machines.
So I had to download the Streams utility (http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx) from Mark and delete this stream. Its size was 126464 bytes, just like the dll-files that the virus decomposed into flash drives inserted into the system.
After that, I used Far to scan the entire system disk for files of the same size and found another 5 or 6 suspicious files created in the last 2-3 days. They have also been removed. After that, CureIt was able to work (apparently he stumbled on additional threads) and successfully cleared two more Trojans :)
After the reboot, everything worked, the additional antivirus scanner runs did not find anything. With the help of AVZ, policies restricting OS functions were restored. A strict suggestion was made to a friend about the importance of using antivirus software, especially since there are a lot of free ones ( Security Essentials , which I use myself on home machines, Avast Home Edition , which is also very nice to me.
Upd: finally got around to transfer to the thematic blog.
In this case, the virus posed as an Internet Security antivirus program and required sending SMS K207815200 to the number 4460. The Kaspersky Lab website has a page allowing you to generate response codes to the “extortionists”: support.kaspersky.com/viruses/deblocker
A page with detailed recommendations on combating extortionists is available at DrWeb: www.drweb.com/unlocker/index/?lng=ru
')
However, after the introduction of the code, the OS functions remained blocked, and the launch of any antivirus program led to the instant opening of the virus window, which diligently emulated the work of the antivirus:
Attempts to boot into safe modes led to exactly the same result. Also, it was complicated by the fact that the passwords for all administrator accounts were empty, and the entrance to the computer over the network for administrators with an empty password was, by default, obscured by policy.
I had to boot from a USB Flash disk (in a netbook, by definition, there is no disk drive). The easiest way to make a bootable USB drive:
1. Format the disk in NTFS
2. Making the partition active (diskpart -> select disk x -> select partition x -> active)
3. Use the \ boot \ bootsect.exe utility from the Vista / Windows 2008 / Windows 7 distribution: bootsect / nt60 X: / mbr
4. Copy all distribution files (I had a Windows 2008 distribution on hand) onto a usb disk. Everything can be loaded.
Since we do not need to install the OS, but to disinfect viruses, we copy a set of free lechilok ( AVZ , CureIt ) and auxiliary utilities (looking ahead, I needed Streams from Mark Russinovich) and Far to disk. Reboot the netbook, in BIOS we set the boot from USB.
Windows 2008 installation program is loaded, we agree with the choice of language, Install now and then press Shift + F10. A command prompt window appears from which we can launch our anti-virus tools and search for infection on the system disk. Then I ran into difficulty, CureIt dropped the system into the blue screen of death and cursed the error of working with NTFS, but AVZ, although it worked, could not find anything. Apparently the virus is very, very fresh. The only clue is the AVZ's message that the executable code was found in an additional NTSF stream for one of the files in the Windows directory. It seemed strange and suspicious to me, since the additional NTFS streams are used in very specific cases and nothing executable there should be stored on normal machines.
So I had to download the Streams utility (http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx) from Mark and delete this stream. Its size was 126464 bytes, just like the dll-files that the virus decomposed into flash drives inserted into the system.
After that, I used Far to scan the entire system disk for files of the same size and found another 5 or 6 suspicious files created in the last 2-3 days. They have also been removed. After that, CureIt was able to work (apparently he stumbled on additional threads) and successfully cleared two more Trojans :)
After the reboot, everything worked, the additional antivirus scanner runs did not find anything. With the help of AVZ, policies restricting OS functions were restored. A strict suggestion was made to a friend about the importance of using antivirus software, especially since there are a lot of free ones ( Security Essentials , which I use myself on home machines, Avast Home Edition , which is also very nice to me.
Upd: finally got around to transfer to the thematic blog.
Source: https://habr.com/ru/post/81842/
All Articles