2018-06-28 - FAKE AV SCREEN LOCKER (A RELATIVELY EASY FIX)
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-06-28-fake-AV-screen-locker.pcap.zip 83.8 kB (83,775 bytes)
- 2018-06-28-fake-AV-screen-locker-malware-and-artifacts.zip 66.1 kB (66,127 bytes)
NOTES:
Shown above: Traffic filtered in Wireshark.
Shown above: This is the warning window that initially popped up.
Shown above: I clicked "Run" for IEUpdate.hta, which installed a screen locker.
Shown above: Screenshot of the screen locker that appeared shortly after clicking "Run" for that .hta file.
Shown above: I got past the locked screen by pressing "Control-Alt-Delete" and starting the Task Manager.
Shown above: In the Task Manager, I ended the task for an application named "Warning."
Shown above: In the Windows start menu, I worked my way to the Startup folder.
Shown above: In this case, the file in the startup folder was named flux.exe.
Shown above: I also found an executable file in C:\ProgramData\ and deleted it. In this case, the file was named Iyby3vtF.exe.
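As an added example (not part of the original post), this read-only PowerShell script lists any process whose window title is "Warning" and any executable or script files sitting directly in the Startup folders and C:\ProgramData, with creation time and SHA256, so files like the ones named above stand out. It assumes PowerShell 4.0 or later and that the Task Manager entry corresponds to the process's main window title; the extension list and function names are illustrative.

```powershell
# Added example: read-only triage of the locations named in the notes above.
# Nothing is stopped or deleted; review the output before acting on it.

# Assumption: the "Warning" entry seen in Task Manager is the process's main window title.
$windowTitle = 'Warning'

# Per-user and all-users Startup folders, plus the top level of C:\ProgramData.
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('CommonApplicationData')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Assumption: extensions worth reviewing in these folders (the notes mention .exe and .hta).
$extensions = '.exe', '.hta', '.lnk', '.bat', '.cmd', '.vbs', '.js', '.scr'

function Get-SuspectWindow {
    param([string]$Title)
    Get-Process |
        Where-Object { $_.MainWindowTitle -eq $Title } |
        Select-Object Id, ProcessName, MainWindowTitle, Path
}

function Get-DroppedFile {
    param([string[]]$Path, [string[]]$Extension)
    foreach ($dir in $Path) {
        # -Force includes hidden files; no -Recurse, so only files directly in each folder.
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Extension -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Folder  = $dir
                    Name    = $_.Name
                    Created = $_.CreationTime
                    Size    = $_.Length
                    SHA256  = $hash.Hash
                }
            }
    }
}

Get-SuspectWindow -Title $windowTitle | Format-Table -AutoSize
Get-DroppedFile -Path $folders -Extension $extensions |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

Legitimate shortcuts in the Startup folders will also appear in the output; recently created files with random-looking names are the ones to review first.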