A new case of RansomWare !!!

We have detected a new case of RansomWare.


Once the malware infects users and encrypts their files, several “read_me.txt” files are created in the infected system, which warn users that their data files have been encrypted and that they won’t be able to access them unless they pay a ransom of $300.



 The email addresses indicated in the message may vary:



kiloglamour@gmail.com


tristanniglam@gmail.com


oxyglamour@gmail.com


glamourepalace@gmail.com


The “personal code” may also vary depending on the random value that is used to encrypt the data.


The encrypted files usually begin with the text “GLAMOUR”.



We have managed to access the data of the infected systems and there are 1,108 infected computers.


In addition, on 111 of those machines port 6838 is open, so that the machines act as socket servers.


The “construction kit” of Trj/Sinowal has been used to create this Trojan.


We have already mentioned this malware family in the eCrime 2007 Congress post:


http://research.pandasoftware.com/blogs/research/archive/2007/03/29/eCrime-2007-Congress.aspx


According to SecureWorks, this “construction kit” is sold for around $1,000.


http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&NewsId=3740


This variant has been detected as Trj/Sinowal.FY in the signature file.
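
A triage sweep built on the two file-system indicators described in this post: the “read_me.txt” notes and the “GLAMOUR” text at the start of encrypted files. This is an added example, not code from the original post; it assumes the marker is the ASCII string at offset 0 and matches the note name case-insensitively, and the sample tree it scans is constructed.

```python
import os
import tempfile

MARKER = b"GLAMOUR"        # text the post reports at the start of encrypted files
NOTE_NAME = "read_me.txt"  # ransom note file name given in the post

def triage(root):
    """Walk `root` and return (encrypted_files, ransom_notes) as sorted path lists."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(MARKER))
            except OSError:
                continue  # locked or unreadable file: skip, do not abort the sweep
            if head == MARKER:
                encrypted.append(path)
    return sorted(encrypted), sorted(notes)

def summarize(root):
    """Per-directory [marked_file_count, note_present], to show which folders were hit."""
    encrypted, notes = triage(root)
    summary = {}
    for path in encrypted:
        summary.setdefault(os.path.dirname(path), [0, False])[0] += 1
    for path in notes:
        summary.setdefault(os.path.dirname(path), [0, False])[1] = True
    return summary

def build_sample_tree():
    """Constructed sample data: one marked file, one clean file, one note."""
    root = tempfile.mkdtemp(prefix="glamour_demo_")
    docs = os.path.join(root, "docs")
    os.mkdir(docs)
    samples = {"report.doc": MARKER + b"\x00" * 32,  # marker + filler bytes
               "notes.txt": b"plain text", "read_me.txt": b"placeholder note"}
    for name, data in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for folder, (count, has_note) in summarize(build_sample_tree()).items():
        print(f"{folder}: {count} marked file(s), ransom note present: {has_note}")
```

Because the post says encrypted files only “usually” begin with this text, a clean result from the sweep does not rule out infection.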

Posted under Malware Alerts

This post was written by Ted on July 16, 2007


This post was written by Vicente Martinez on July 16, 2007