You steal music I lock your pc [Ransomware]

Discussion in 'malware problems & news' started by Maxstar, Jun 30, 2013.

Thread Status:
Not open for further replies.
  1. Maxstar

    Maxstar Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    6
    www.malwareremovalguides.info/you-steal-music-i-lock-your-pc-ransomware
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This is both scary and questionable.

    If you read the instructions for flashing the bios, the first thing needed is to identify the make and model. So the exe that flashes would have to be able to determine this. But maybe all it does is erase the bios and install the simple picture.

    From the links no solution appears to be found yet.

    Pete
     
  3. Maxstar

    Maxstar Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    6
  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
a friend of mine who is a tech in ny got this call this morning. a client who is german and has friends in the netherlands called and said he has a weird message this morning. he asked if he could come out immediately, so he did. this is the exact image on his screen.

he is a big torrent user and my friend as well as myself have explained to him many times the risks involved. he runs bitdefender by his choice, alongside malwarebytes. he said no warnings from either.

at this time he cannot enter the bios at all. swapped drives (before we saw this), no luck. the only thing he has yet to try is new ram because he did not bring any, not thinking this was a ram issue. he has his system now in hand and will be looking at this today and tomorrow. he is also going to pull the bios chip totally and see if that will allow a clearing of the cmos, which he said he already tried while the chip was still on the board, and no luck.

    will keep this posted with any info he gives me.

what i don't see is how this could possibly flash the bios. with all the different types of bios', imo there is no way one file could be used on all types, and many bios' include a check to make sure the name and file match before even allowing it to be flashed. this includes almost all oem and many even aftermarket motherboards like asrock etc. so i'm hoping this is something that is maybe held in memory or that it simply somehow (which again imo would be near impossible, to include every variant of bios out there) simply erased it. the question is how it could have locked the bios unless it's simply fully erased and needs the bios chip pulled to be re-flashed.

anyway i'm going to spend some time on the phone later today to see if we can figure out what's going on. he will also (if he can find it on there) send me the sample of the file, which i can actually open and see the code, and we will send it to every av company we can find. i actually thought he was joking at first when he told me about it till i came here and read this. we now know this is not only in the netherlands, or maybe it comes from a source there.

    also here is a yahoo post for the same virus: http://answers.yahoo.com/question/index?qid=20130629154918AAVO6rQ
     
  5. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Wow looks insane.
     
  6. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I think it's awesome. :D Poetic justice.
     
  7. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    I totally agree. Stealing is stealing, and Karma's a ~ Snipped as per TOS ~. Don't steal, don't get computer locked.....There's all the signature updates you need.
     
    Last edited by a moderator: Jun 30, 2013
  8. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    716
    Location:
    UK
    And do you honestly think that this nasty is only going to affect people who illegally download? Not for much longer it's going to be everywhere. ~ Removed Off Topic Remarks ~
     
    Last edited by a moderator: Jun 30, 2013
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    For all we know this could have been created by a Copyright organization or a Government. What I want to know is which AV's are detecting this threat, and how many variations of this threat there might be in the wild. I definitely would not want to be compromised by this threat. It sounds like a major pain in the you know what to deal with! From a threat research point of view it would make one's mouth water to obtain samples of this threat. The damage it is able to do is quite impressive.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I agree with Zeroday. Technology such as computer science should not be held back because of illegal downloading of music, videos, software etc. The people doing the downloading and uploading should be held responsible. Can you imagine what our civilization will look like 20-50 years from now? At the rate technology is growing we could live in a world something like Star Wars lol
     
  11. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    We could be living in a world straight out of a science fiction book.
    Or it could be the utopia of sir thomas more.
    Even the pantisocracy of samuel taylor coleridge.

Still, we can only imagine what the world will be like in 50 years' time, but whatever it will be, it will be of our own making. :)
     
  12. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    102,798
    Location:
    U.S.A.
    Removed Off Topic Posts. Wilders is an English speaking forum. Let's keep it that way. Thank you!
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I agree with Amiga:thumb:
     
  14. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
so far in scanning the hard drive out of the system he said not one av is detecting it. he has scanned the drive with norton, eset, avira, avast, dr web, bitdefender, webroot, gdata, fsecure, panda, avg, emsisoft, vipre, mcafee, comodo, ikarus, kaspersky, trend, fortinet among others. some other threats were found by a few of the scanners, but not this one, not by one av yet at all. every av was set to the highest it could be and set to scan the entire drive in depth where possible. the file has to be there somewhere unless it somehow deletes itself and then fully removes the file like when using a shredder or something. he is carefully going through the whole drive now manually to see what's there.

he will be swapping ram here in a bit on the system to see if somehow it's stored in memory.

this is a VERY nasty virus and i sure hope no one gets this, even those who DO download music or whatever. there is no reason someone should have the computer actually destroyed because they downloaded a file or song. a fine or other, yes sure, even have the internet cut off etc, but no one should have their whole system locked out like this. it's bs imo. if we can find what actually caused this we will 100% alert every av company i know of asap. he will be mailing me the drive if he can't find anything. also going through the browsing history to try to locate if it came from a website as well.
     
    Last edited: Jun 30, 2013
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
It will be interesting to see how long it takes for everyone's choice of AV to detect this threat. Zfactor intends to send a sample if he can obtain one. The sooner the better, before it's so widespread that it causes major losses to Private Users, Small Businesses, Corporations, Government, etc. Something like this could really go far beyond the user at home. There's potential for major losses. Does anyone know if any samples have been submitted yet to any of the AV companies or Virustotal? I would say some of the AV companies have already managed to obtain their own sample.
     
    Last edited: Jun 30, 2013
  16. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
I could not agree with you more and I sincerely hope all the major security vendors have a definition for this one, but the real danger is what other variants are in the wild, like cutting edgetech has said.
This one is really nasty and it is infecting firmware.
     
  17. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
problem is if the file removes itself somehow, even using programs to restore deleted files may not find it. i'm speaking with him now and he will be mailing me the drive for further investigation tomorrow via overnight delivery. he was protected by bitdefender, malwarebytes and webroot also, i just found out. i would have guessed one of them would have been triggered by something trying to gain admin control to do anything to the bios. bitdefender especially usually has a very high detection rate; i give them credit for sure when it comes to that.

also here is a pic for those that want to see what the screen looks like up close. this is not my picture but one we found, and he asked the client to verify it and they said yes, it's the same picture he saw:

    http://i.imgur.com/HES3XIG.jpg
     
    Last edited: Jun 30, 2013
  18. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    BIOS rootkits have been written that work on most BIOS firmware from a given vendor, so it's not out of the question. And this is much easier - it's not intended to hide itself, all it does is effectively brick the machine.

    The upside is that it should need full admin privileges to do this. That said, local privilege escalation exploits are a dime a dozen on any OS, AFAIK.
     
  19. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
That's a pretty poor ASCII/ANSI drawing you're left with.
Desktop users with a second bios eeprom can probably easily redeem themselves, but with a notebook you could really end up with a very expensive paperweight.
If confirmed to be real (and it really seems so, just that there are relatively few infections posted), like member zfactor I wonder what bios it affects. Award bios again?
     
    Last edited: Jun 30, 2013
  20. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    This may affect people who are not "stealing". It is more convenient and quicker for me to download the music than finding the CD and ripping it, particularly if I want the music on my netbook, which has no CD/DVD drive.
     
    Last edited: Jun 30, 2013
  21. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
First report I saw was a system with an MSI K9AGM2 mainboard, AMI bios.
     
  22. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
i deal with and edit bios' all the time to unlock things, add features, add cpu codes etc. he is sending me the hard drive and the motherboard, ram etc. i have much more experience in this, so i should have everything by tues. the client has simply decided to replace the motherboard / hard drive at this time. this is an asrock motherboard; i will know which bios later tonight.
     
  23. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
  24. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
could be, but without a real clear close-up it's hard to see exactly what's there.
     
  25. shuverisan

    shuverisan Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    185
    This is as fascinating as it is scary, can't wait to hear more about it.

    This was one of my first thoughts too. Rope 'em Stuxnet style!
     