Discussion in 'malware problems & news' started by Maxstar, Jun 30, 2013.
That will be interesting, waiting for your results.
good luck Z
I'm looking forward to reading your findings zfactor.
Maxstar found another one of these at BC.
From the screen it does not look like ransomware as there are no demands or ransom requests.
Seems almost like someone showing off. I would be surprised if a legitimate organization would create ascii art, but who the hell knows.
Looking forward to seeing what you discover zfactor.
=6 posts. lol
Tireless and relentless security warrior that you are over there for years now.
It does confidence good seeing that you fellas are right up on this thing ASAP.
Keep up the good work.
I noticed Grinler on his forum "Bleeping Computer" because of the fact that it can be a HOAX from someone that is trolling the internet.
The first topics were placed on Dutch / Belgian forums: Helpmij, Fok and PC helpforum.be.
After these three posts I wrote some articles for malwareinfo and malwareremovalguides to collect more information or samples, because this was an interesting issue, but with the lack of feedback from the topic starters it was difficult to get more useful information.
The only fact was a filename "lcrm.exe" and there was no more information. Besides the filename, some topic starters said they received a message from "lcrm.exe" that a restart was needed, and after that the system was (b)locked as well.
This is the information we have for now, maybe that zfactor can receive more information. But this looks like a joke from someone.
Okay, well, I'm not sure what to think now.
After reading Maxstar's last post I called him to see if he found anything else on this. I instructed the tech in NY (who is very new to all this) I know to go ahead and hook up the mobo in another system with a new / different hard drive and new / different RAM. I told him I would replace the parts if they were in any way damaged by this (via video chat this time so I could watch exactly what was done). So he installed the mobo into an empty case along with a 500GB Seagate and 4GB DDR3 RAM for testing. Turned it on and it booted right up, no lock screen etc., no issues, nothing; the fresh Windows install started right up. Then we swapped the new drive with the old one and same, it booted right up, no issues...
I then had him dump the BIOS since we could access it fine and he sent it to me, and I see nothing out of the ordinary in it.
As Maxstar said, maybe this was some kind of joke or RAM stored virus or something. We never got to see the actual image on screen; we only asked the client if the picture was the one I posted on the first page and they said yes. The tech though stated the client originally on the phone said they saw what he described as an ANSI picture, then the system shut down and would not restart. The client says he tried many times to restart it; he swears it booted to this image (or some kind of image). I had the tech show him the pic I posted on page 1 and the client said that is the exact image he saw (which I'm questioning now; I'm sure maybe he saw an ANSI picture before it shut down but probably not this exact one), and when I had read this first I thought of this because it sounded exactly similar to what could have happened right after he was using BitTorrent. When we tried to boot it up we saw just a black screen with no prompts to enter the BIOS and no normal ASRock keys worked. So I'm kind of unsure what to think at this point. I was not physically there to monitor everything so I can not say for sure. I was simply instructing him what to try while on the phone.
He still may send me the parts but I decided just to have him hook it up there to visually see it when it booted, to which we saw nothing. So *if* this is a real threat (which we again can not find anything related to that file anywhere), all we did was let the mobo sit and once hooked back up all looks normal. The only other thing I can think of is if it was in the RAM, which when he hooked it back up he did place a different 4GB stick on the mobo. We will plug in the old RAM to see what happens here in a bit. IMO this client is most likely mistaken on the actual image they saw and it was not the one we showed him (I have had this happen many times when asking a non-average PC user to verify an image or error message etc.). Please know I was not directly there for this except being on the phone the first time and video chat today. I'm wondering if the client did see an ANSI screen from something he downloaded because there were a number of keygens etc. on his drive. I'm thinking it was a BIOS issue or something where it needed power to be disconnected for a bit to reset the BIOS and this is why it works now (I have seen this many times in the past).
So for now I can't be of much more help, and man, I was excited in a way to have a mystery to solve lol. I am grateful though that this system does not seem infected by this after all. If I learn anything else I will let you all know.
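The BIOS dump step above is the one check in this thread that a defender can actually make rigorous: instead of eyeballing a dump, compare it byte for byte against a trusted reference image (a dump taken before the incident, or the vendor's release file for the same board and version) and report exactly which flash blocks differ. The script below is an added example and is not code from anyone in this thread; it assumes both images are raw reads of the same chip with identical size, and the sample images are constructed in memory so it runs offline.

```python
"""Compare a freshly read firmware dump against a trusted reference image.

Assumptions (not from the thread): both images are raw BIOS/SPI flash reads of
identical size. The sample images below are constructed in memory.
"""
import hashlib
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, handy for logging which dump was compared."""
    return hashlib.sha256(data).hexdigest()


def changed_regions(reference: bytes, current: bytes, block_size: int = 4096) -> List[Tuple[int, int]]:
    """Return (start, end) byte offsets of contiguous blocks that differ.

    The comparison is done per block so the report maps onto flash erase
    blocks. A size mismatch raises instead of being reported as a change,
    because it usually means a truncated read or the wrong chip, not a
    modification of the firmware.
    """
    if len(reference) != len(current):
        raise ValueError(f"size mismatch: reference={len(reference)} current={len(current)}")
    regions: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(reference), block_size):
        same = reference[off:off + block_size] == current[off:off + block_size]
        if not same and start is None:
            start = off            # first differing block of a run
        elif same and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:          # run of differing blocks reaches the end
        regions.append((start, len(reference)))
    return regions


def compare_dumps(reference: bytes, current: bytes, block_size: int = 4096) -> dict:
    """Produce a small report: hashes, verdict and the differing regions."""
    regions = changed_regions(reference, current, block_size)
    return {
        "reference_sha256": sha256_hex(reference),
        "current_sha256": sha256_hex(current),
        "identical": not regions,
        "changed_regions": regions,
        "changed_bytes": sum(end - start for start, end in regions),
    }


def make_samples() -> Tuple[bytes, bytes]:
    """Constructed 64 KiB images; the 'current' read is altered in one 4 KiB block."""
    reference = bytes((i * 31 + 7) & 0xFF for i in range(64 * 1024))
    current = bytearray(reference)
    current[0x8000:0x8010] = b"\x00" * 16   # constructed modification
    return reference, bytes(current)


if __name__ == "__main__":
    ref, cur = make_samples()
    for start, end in compare_dumps(ref, cur)["changed_regions"]:
        print(f"block differs: 0x{start:06x}-0x{end:06x}")
```

With real dumps, read the two files in binary mode and pass them to `compare_dumps`; a non-empty `changed_regions` list tells you where to look with a firmware parser, and an identical result is what zfactor's "nothing out of the ordinary" should rest on.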
Thanks for the heads up. Sure sounds like a false alarm. But one thing it did for me, was to tighten up a bit. Especially given my situation.
Main thing I did was tighten up on NVT's ERP. I've put it in Lockdown mode. This way if it isn't in my white list, it's blocked period.
I'm curious if a HIPS would throw a pop-up when a process tries to write to BIOS, I haven't seen it before in settings of various HIPS.
zfactor, thanks for the info. This is a strange one indeed.
I searched on virustotal for any submissions under the name lcrm.exe in the hope that they uploaded to check defs on it and nothing is coming up unfortunately.
I am inclined to agree with Maxstar and think this is somebody trying to be funny.
Thanks for the info zfactor. I'll wait to see if you find anything in the old ram. But indeed it looks like a hoax. I also tightened my security up which is never a bad thing I suppose.
Even if this turns out to be some dull joke after all, the very alarm of it should serve to prepare us to research this potential and determine if it really could be carried out to infect a PC's firmware BIOS, thus rendering an affected PC totally incapacitated.
Thanks for the info, zfactor. Just curious - were the mobo's CMOS settings cleared (deliberately or inadvertently) at any point? Maybe this thing doesn't actually flash BIOS, in which case it might be curable by removing the CMOS battery for 30 seconds (or using the CMOS clear jumper if applicable).
We did not clear them, so if they did get cleared it was caused by a low CMOS battery or a mobo issue directly. I asked he still send me the parts, but just not overnight, so I can get a look at them to be sure. The client still swears the image was the same as what they saw... but I know how that goes sometimes...
After Stuxnet I think everyone is a bit afraid of something like this really happening...
Say, how do you make a backup of the BIOS? You know, just in case...
Hmm, I personally do not think it's infecting the BIOS; as far as I know every vendor could have a different type of BIOS, so you would need a different malware for every BIOS.
The bioskit TS (/troll/hoaxer) on the Dutch forum Fok.nl reported that the affected hardware (supposedly his father's) was this:
Mobo: MSI K9AGM2
CPU: AMD X2 5000
Memory: 4x 1GB DDR2 link
As a member on another Dutch forum, Tweakers.net, pointed out, that board only has 2 DIMM slots, so the hardware list is bogus.
Why on earth bother? Or do you keep it in cryo-state?
Hello, I'm one of the responders on HelpMij.nl about this topic, & also on Security.nl.
To be honest, I'm still not sure it's real or a hoax. After reading it on HelpMij.nl & some Google inquiry, I even wrote a warning e-mail ready to send to everyone in my whole address book (bcc, I learned from my previous mistakes), but still didn't send it.
The point is that another reputable respondent on HelpMij.nl wrote he repaired a computer with this problem, with luck because it had 2 BIOS chips onboard.
The other point is that there have been at least 4 boot-kit attacks in the past, 2 of them were just POC.
Therefore, even if it is a hoax, it still taught us some things:
You can prevent this kind of attack by blocking the BIOS flash through a hardware jumper setting or a BIOS "deny flash" setting.
You can, for now & the near future, prevent this kind of attack by setting an Admin password on the setup of your BIOS.
You can repair a corrupted BIOS if you are in possession of a motherboard with multiple BIOS chips, or have a BIOS where the EEPROM is coupled with a backup ROM, in which case you can re-flash the BIOS by pulling a jumper. See your User Manual.
What can we learn from this, even if it turns out a hoax (I still doubt that)?
Consider this was just a rude test run from criminals; what would this kind of virus do to all kinds of computers that we rely on? In this case it's triggered under Windows. What will happen if an improved version attacks the computers we use to pay with? Check our stocks (as far as we have)..?
IMNSHO (Worst scenario): Global economical disaster...
Back to the Stone Age...
Sorry, just needed to get it out of my system...
I wanted to see if the RAM stick was bad and causing a non-boot status, which it was not; we already tested it and it's working fine.
Could definitely be a hoax. Who knows.
Today on Security.nl, their first news item. link
"Unknown Bios-virus is very likely a hoax"
"When the various forum administrators compared the IP addresses of the 'victims', all proved to be the same, as Ted Emmerich of [dutch] PCWebPlus[.nl] has posted on the forum of Tweakers[.net]." (my translation).
Thanks for the info
I am Ted, and today I have posted a complete thread with all the different topics that were started by the same person with the same IP address.
This is the Dutch thread I have posted.
This is the Google translate version.
Thanks for keeping us posted Maxstar
YooSecurity has published a fake video on YouTube.