You steal music I lock your pc [Ransomware]

www.malwareremovalguides.info/you-steal-music-i-lock-your-pc-ransomware

 

Hi,

Indeed, for now there is no solution because the lack of information and samples for testing and reversing the malware.

On my Dutch forums I have now two active threads.
http://www.pcwebplus.nl/phpbb/viewtopic.php?f=206&t=10231
http://www.pcwebplus.nl/phpbb/viewtopic.php?f=206&t=10229

- Booting from a CD or USB-stick is not possible.
- Entering the BIOS is also not possible.

So it looks like the BIOS is overwritten.

regards,

Maxstar

 

a freind of mine who is a tech in ny got this call this morning. a client who is german and has friends in the netherlands called and said he has a weird message this morning. asked if he could come out immediately so he did. this is the exact image on his screen.

he is a big torrent user and my friend as well as myself have explained to him many times the risks involved. he runs a bitdefender by his choice, alongside malwarebytes he said no warnings from either.

at this time he can not enter the bios at all. swapped drives (before we saw this) no luck. the only thing he has yet to try is new ram because he did not bring any not thinking this was a ram issue. he has his system now in hand and will be looking at this today and tomm. he is also going to pull the bios chip totally and see if that will allow a clearing of the cmos which he said he already tried while the chip was still on the board and no luck.

will keep this posted with any info he gives me.

what i dont see is how this could possibly flash the bios. being all the different types of bios' imo there is no way one file could be used on all types and many bios' include a check to make sure the name and file matches before even allowing it to be flashed. this includes almost all oem and many even after market motherboards like asrock etc. so im hoping this is something that is maybe held in memory or that it simply somehow (which again imo would be near impossible to include every variant of bios out there) simply erased it. the question is how it could have locked the bios unless its simply fully erased and needs the bios chip pulled to be re-flashed.

anyway im going to spend some time on the phone later today to see if we can get to figure out whats going on. he will also (if he can find it on there) send me the sample of the file to which i can actually open the file and see the code and we will send it to every av company we can find. i actually though he was joking at first when he told me about it till i can here and read this. we now know this is not only in the netherlands. or maybe comes from a source there.

also here is a yahoo post for the same virus: http://answers.yahoo.com/question/index?qid=20130629154918AAVO6rQ

 

Wow looks insane.

 

I think it's awesome. Poetic justice.

 

I totally agree. Stealing is stealing, and Karma's a ~ Snipped as per TOS ~. Don't steal, don't get computer locked.....There's all the signature updates you need.

 

And do you honestly think that this nasty is only going to affect people who illegally download? Not for much longer it's going to be everywhere. ~ Removed Off Topic Remarks ~

 

For all we know this could have been created by a Copyright organization or a Government. What I want to know is which AV's are detecting this threat, and how many variations of this threat there might be in the wild. I definitely would not want to be compromised by this threat. It sounds like a major pain in the you know what to deal with! From a threat research point of view it would make one's mouth water to obtain samples of this threat. The damage it is able to do is quite impressive.

 

I agree with Zeroday. Technology such as computer science should not be held back because of illegal downloading of music, videos, software etc.. The people doing the downloading, and uploading should be held responsible. Can you imagine what our civilization will look like 20-50 years from now? At the rate technology is growing we could live in a world something like Star Wars lol

 

We could be living in a world straight out of a science fiction book.
Or it could be the utopia of sir thomas more.
Even the pantisocracy of samuel taylor coleridge.

Still we can only imagine what the world will be like in 50 years time but whatever it will be,it will be of our own making.

 

I agree with Amiga

 

so far in scanning the hard drive out of the system he said not one av is detecting it. he has scanned the drive with norton, eset, avira, avast, dr web, bitdefender, webroot, gdata, fsecure, panda, avg, emsisoft, vipre, mcafee, comodo, ikarus, kaspersky, trend, fortinet among others. some other threats were found by a few of the scanners but not this one not by one av yet at all. every av was set to the highest it could be and set to scan the entire drive in depth where possible. the file has to be there somewhere unless it somehow deletes itself and then fully removes the file like when using a shredder or something. he is carefully going through the whole drive now manually to see whats there.

he will be swapping ram here in a bit on the system to see if somehow its stored in memory.

this is a VERY nasty virus and i sure hope no one gets this even those who DO download music or whatever. there is no reason someone should have the computer actually destroyed because they downloaded a file or song a fine or other yes sure even have the internet cut off etc but no one should have their whole system locked out like this. its bs imo. if we can find what actually caused this we will 100% alert every av company i know of asap. he will be mailing me the drive if he cant find anything. also going through the browsing history to try to locate if it came from a website as well.

 

It will be interesting to see how long it takes for everyone's choice of AV's to detect this threat. Zfactor intends to send a sample if he can can obtain one. The sooner the better before it's so wide spread that it causes major losses to Private Users, Small Businesses, Corporations, Government, etc.. Something like this could really go far beyond the user at home. There's potential for major losses. Does anyone know if any samples have been submitted yet to any of the AV companies or Virustotal? I would say some of the AV companies have already managed to obtain their own sample.

 

I could not agree with you more and i sincerely hope all the major security vendors have a definition for this one but the real danger is what other variants are in the wild like cutting edgetech has said.
This one is really nasty and it is infecting firmware.

 

problem is if the file removes itself somehow even using programs to restore deleted files may not find it. im speaking with him now and he will be mailing me the drive for further investigation tomm via overnight delivery. he was protected by bitdefender, malware bytes and webroot also i just found out. i would have guessed one of them would have been triggered by something trying to gain admin control to do anything to the bios. bitdefender especially usually has a very high detection rate i give them credit for sure when it comes to that.

also here is a pic for those that want to see what the screen looks like up close. this is not my picture but one we found and he asked the client to verify it and they said yes its the same picture he saw:

http://i.imgur.com/HES3XIG.jpg

 

BIOS rootkits have been written that work on most BIOS firmware from a given vendor, so it's not out of the question. And this is much easier - it's not intended to hide itself, all it does is effectively brick the machine.

The upside is that it should need full admin privileges to do this. That said, local privilege escalation exploits are a dime a dozen on any OS, AFAIK.

 

That's a pretty poor ASCII ANSI drawing you're left with.
Desktop users with a second bios eeprom can probably easily redeem themselves but with a notebook you could really end up with a very expensive paperweight.
If confirmed to be real (and it really seems so, just that there are relatively so few infections posted), like member zfactor I wonder what bios it affects. Aword bios again?

 

This may affect people who are not "stealing". It is more convenient and quicker for me to download the music than finding the CD and ripping it, particularly if I want the music on my netbook, which has no CD/DVD drive.

 

First report i saw was a system with MSI K9AGM2 mainboard, AMI bios.

 

i deal with and edit bios' all the time to unlock things, add features add cpu codes etc, he is sending me the hard drive and the motherboard, ram etc. i have much more experience in this so i should have everything by tues. the client has simply decided to replace the motherboard / hard drive at this time. this is a asrock motherboard i will know which bios later tonight.

 

I also wonder if there's a signature/name in the lower left corner...

http://oi43.tinypic.com/4qg22r.jpg

 

could be but without a real clear close up its hard to see exactly whats there.

 

This is as fascinating as it is scary, can't wait to hear more about it.

This was one of my first thoughts too. Rope 'em Stuxnet style!