You steal music I lock your pc [Ransomware]

Discussion in 'malware problems & news' started by Maxstar, Jun 30, 2013.

Thread Status:
Not open for further replies.
  1. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    That will be interesting, waiting for your results. :D
     
  2. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    good luck Z :thumb:
     
  3. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    714
    Location:
    UK
    I'm looking forward to reading your findings zfactor. :thumb:
     
  4. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    21
    Maxstar found another one of these at BC.

    From the screen it does not look like ransomware as there are no demands or ransom requests.

    Seems almost like someone showing off. I would be surprised if a legitimate organization would create ascii art, but who the hell knows.

    Looking forward to seeing what you discover zfactor.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,786
    Location:
    U.S.A. (South)
    @Grinler

    =6 posts. lol

    Tireless and relentless security warrior that you are over there for years now.

    Does a confidence good seeing that you fellas are right up on this thing asap.

    Keep up the good work.

    Regards Easter
     
  6. Maxstar

    Maxstar Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    6
    Hi,

    I noticed Grinler on his forum "Bleeping Computer" because the fact it can be a HOAX from someone that is trolling the internet.

    The first topics are placed on Dutch / Belgium forums, Helpmij, Fok and PC helpforum.be .

    After these three posts I wrote some articles for malwareinfo and malwareremovalguides to collect more information or samples because this was some interesting issue, but with the lack of feedback from the topic starters it was difficult to get more useful information.

    The only fact was a filename "lcrm.exe" and there was no more information. Beside the filename some topic starters told they receive a message of "lcrm.exe" that a restart was needed and after that the system was (b)locked as well.

    This is the information we have for now, maybe that zfactor can receive more information. But this looks like a joke from someone.
     
  7. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
    okay well im not sure what to think now.

    after reading maxstar's last post i called him to see if he found anything else on this. i instructed the tech in ny (who is very new to all this) i know to go ahead and hook up the mobo in another system with a new / different hard drive and new / different ram i told him i would replace the parts if they were in any way damaged by this (via video chat this time so i could watch exactly what was done). so he installed the mobo into an empty case along with a 500gb seagate and 4gb ddr3 ram for testing. turned it on and it booted right up no lock screen etc. no issues nothing the fresh windows install started right up. then we swapped the new drive with the old one and same it booted right up no issues...

    i then had him dump the bios since we could access it fine and he sent it to me and i see nothing out of the ordinary in it.

    as maxstar said maybe this was some kind of joke or ram stored virus or something o_O we never got to see the actual image on screen we only asked the client if the picture was the one i posted on the first page and they said yes. the tech though stated the client originally on the phone said they saw what he described as an ansi picture then system shut down and not restart the client says he tried many times to restart it he swears it booted to this image (or some kind of image). i had the tech show him the pic i posted on page 1 and the client said that is the exact image he saw (which im questioning now im sure maybe he saw an ansi picture before it shut down but probably not this exact one) and when i had read this first i thought of this because it sounded exactly similar to what could have happened right after he was using bit torrent. when we tried to boot it up we saw just a black screen with no prompts to enter the bios and no normal asrock keys worked. so im kind of unsure what to think at this point. i was not physically there to monitor everything so i can not say for sure. i was simply instructing him what to try while on the phone.

    he still may send me the parts but i decided just to have him hook it up there to visually see it when it booted. to which we saw nothing. so *if* this is a real threat (which we again can not find anything related to that file anywhere) all we did was let the mobo sit and once hooked back up all looks normal. the only other thing i can think of is if it was in the ram which when he hooked it back up he did place different 4gb stick on the mobo. we will plug in the old ram to see what happens here in a bit. imo this client is most likely mistaken on the actual image they saw and it was not the one we showed him (i have had this happen many times when asking a non average pc user to verify an image or error message etc). please know i was not directly there for this except being on the phone the first time and video chat today, im wondering if the client did see an ansi screen from something he downloaded because there were a number of keygens etc on his drive. im thinking it was a bios issue or something where it needed power to be disconnected for a bit to reset the bios and this is why it works now (i have seen this many times in the past)

    so for now i cant be of much more help and man i was excited in a way to have a mystery to solve lol :ninja: . i am grateful though that this system does not seem infected by this after all. if i learn anything else i will let you all know.
     
    Last edited: Jul 1, 2013
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Zfactor

    Thanks for the heads up. Sure sounds like a false alarm. But one thing it did for me, was to tighten up a bit. Especially given my situation.

    Main thing I did was tighten up on NVT's ERP. I've put it in Lockdown mode. This way if it isn't in my white list, it's blocked period.

    Pete
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,442
    Location:
    Outer space
    I'm curious if a HIPS would throw a pop-up when a process tries to write to BIOS, I haven't seen it before in settings of various HIPS.
     
  10. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    21
    Thanks Easter :)

    zfactor, thanks for the info. This is a strange one indeed.

    I searched on virustotal for any submissions under the name lcrm.exe in the hope that they uploaded to check defs on it and nothing is coming up unfortunately.

    I am inclined to agree with Maxstar and think this is somebody trying to be funny.
     
  11. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    714
    Location:
    UK
    Thanks for the info zfactor. I'll wait to see if you find anything in the old ram. But indeed it looks like a hoax. I also tightened my security up which is never a bad thing I suppose.
     
    Last edited: Jul 1, 2013
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,786
    Location:
    U.S.A. (South)
    Even if this turns out to be some dull joke after all, the very alarm of it should serve to prepare us to research this potential and determine if indeed it really could be carried out to infect a PC firmware BIOS thus rendering an affected PC totally incapacitated.
     
  13. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Thanks for the info, zfactor. Just curious - were the mobo's CMOS settings cleared (deliberately or inadvertently) at any point? Maybe this thing doesn't actually flash BIOS, in which case it might be curable by removing the CMOS battery for 30 seconds (or using the CMOS clear jumper if applicable).
     
  14. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
    we did not clear them so if they did get cleared it was caused by a low cmos battery or a mobo issue directly. i asked he still send me the parts but just not overnight so i can get a look at them to be sure. the client still swears the image was the same as what they saw.. but i know how that goes sometimes...
     
  15. dr pan k

    dr pan k Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    204
    After Stuxnet i think everyone is a bit afraid of something like this really happening...

    say, how do you make a back up of the bios?? u know, just in case ..... :D
     
  16. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    hmm, i personally do not think its infecting the bios, as far as i know every vendor could have different type of bios, so you need for every Bios mode a different malware.
     
  17. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    The bioskit TS(/troll/hoaxer) on dutch forum Fok.nl, reported that the affected hardware (supposedly from his father) was this;
    Mobo: MSI K9AGM2
    CPU: AMD X2 5000
    Memory: 4x 1gb DDR2
    link

    As a member on another dutch forum Tweakers.net pointed out, that board only has 2 dimm slots so the hardware list is bogus.
    Why on earth bother? Or do you keep it in cryo-state?
     
  18. Ilja

    Ilja Registered Member

    Joined:
    Dec 15, 2011
    Posts:
    4
    Location:
    Holland
    Hello, I'm one of the responders on HelpMij.nl about this topic, & also on Security.nl.

    To be honest, i'm still not sure it's real or a hoax. After reading it on HelpMij.nl & some Google inquiry, I even wrote a warning e-mail ready to send to everyone in my whole addressbook (bcc, I learned from my previous mistakes), but still didn't send it.

    The point is that another reputable respondent on HelpMij.nl wrote he repaired a computer with this problem, with luck because it had 2 bios-chips onboard.
    Other point is that there have been at least 4 boot-kit attacks in the past, 2 of them were just POC.

    Therefore, even if it is a hoax, it still taught us some things:

    You can prevent this kind of attack by blocking biosflash through hardware jumper setting or bios deny flash.
    You can, for now & near future, prevent this kind of attack by setting an Admin password on the setup of Your bios.

    You can repair a corrupted bios if You are in the possession of a motherboard with multiple bios-chips, or have a bios where the eeprom is coupled with a backup-rom in which case You can re-flash the bios by pulling a jumper. See Your User Manual.

    What can we learn from this, even if it turns out a hoax (I still doubt that)?

    Consider this was just a rude testrun from criminals, what would this kind of viruses do to all kinds of computers that we rely on? In this case it's triggered under Windows. What will happen if an improved version attacks the computers we use to pay with? Check our stocks (as far we have)..?

    IMNSHO (Worst scenario): Global economical disaster...

    Back to the Stone Age...

    Sorry, just needed to get it out of my system...
     
  19. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,103
    Location:
    on my zx10-r
    i wanted to see if the ram stick was bad and causing a non boot status. which it was not we already tested it and its working fine.
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Could definitely be a hoax. Who knows.
     
  21. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Today on Security.nl, their first news item. link
    "Unknown Bios-virus is very likely a hoax"
    "When the various forum administrators compared the IP addresses of the 'victims', all proved to be the same, as Ted Emmerich of [dutch] PCWebPlus[.nl] has posted on the forum of Tweakers[.net]." (my translation).
     
  22. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    714
    Location:
    UK
    Thanks for the info :thumb:
     
  23. Maxstar

    Maxstar Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    6
    I am Ted, and today I have posted a complete thread with all the different topics, that are started by the same person with the same IP address.

    This is the Dutch thread I have posted.
    http://www.pcwebplus.nl/phpbb/viewtopic.php?f=213&t=10242

    This is the Google translate version.
    http://translate.google.nl/translat...cwebplus.nl/phpbb/viewtopic.php?f=213&t=10242
     