Viro Botnet Malware Takes Many Different Forms


The latest, strangest new ransomware appears to come from France, or at least from French speaking cyber attackers.

If your Windows PC has been successfully infected by the brand new Viro botnet ransomware, you will see this ransom note no matter where in le monde you are. Tout le monde is a possible target:

Vos fichiers personnels ont été chiffré.

Pour les déchiffrer, evonyez 500€ de bitcoins à cette adresse: xxxxx

Toute tentative de destruction de ce logiciel entraïnera la destruction da la clé de déchiffrement.

Toute tentative de déchiffrement avec une clé erronée entraïnera la perte définitive de vos fichiers.

Vous avez 72 heures pour effectuer le paiement. Après quoi, la clé de déchiffrement sera supprimée.

I understand French seulement un peu, so I’ll attempt an imperfect translation. I learned that les fichiers are files, and chiffré is encryption, so let’s give it a go:

Your personal files have become encrypted.

To decrypt them, send €500 worth of Bitcoin to this address: xxxxx

All attempts to destroy the software will lead to the destruction of the decryption key.

All attempts at decryption with the wrong key will lead to the loss of your files.

You have 72 hours to make your payment. After that, the decryption key will be deleted.

Contrary to popular belief, most Canadians aren’t English-French bilingual, and although my French is a little better than most Anglo Canadians, it’s still a bit weak. Oh well – c’est la vie.

Instances of ransomware are becoming a little bit less frequent in 2018 than in 2017. But many new ransomware strains are getting really, really weird. Viro botnet malware is an excellent example.

The Viro botnet attacks seen so far infect a user’s Windows machine through a malicious email attachment. If the user executes the attachment, a random encryption and decryption key is generated, which is also sent to the Viro command and control (C&C) servers.

The Viro malware then looks for two Windows registry keys, “ProductId” at “SOFTWARE\Microsoft\Windows NT\CurrentVersion” and “MachineGuid” at “SOFTWARE\Microsoft\Cryptography”. If both are found, the malware will then use an RSA cipher to encrypt all files with the following extensions:

  • ASP
  • ASPX
  • CSV
  • DOC
  • DOCX
  • HTML
  • JPG
  • MDB
  • ODT
  • PDF
  • PHP
  • PNG
  • PPT
  • PPTX
  • PSD
  • SLN
  • SQL
  • SWP
  • TXT
  • XLS
  • XLSX
  • XML

The list covers most important document and media file types, but nothing whose loss would prevent the user from using Windows in a basic way. Losing your documents is surely enough to compel most people to pay the ransom to the cyber attacker, but not enough to completely cripple them. There may be a method to the cyber attacker’s madness.
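The extension list above can drive a simple behavioural detection: a single process rewriting many such files within a few seconds. The following is an added example, not code from the original post or from any analysis of Viro; the event format, process names, threshold and time window are constructed assumptions that would need tuning against real file-write telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the article lists as encrypted by Viro.
VIRO_EXTENSIONS = {
    "asp", "aspx", "csv", "doc", "docx", "html", "jpg", "mdb", "odt", "pdf", "php",
    "png", "ppt", "pptx", "psd", "sln", "sql", "swp", "txt", "xls", "xlsx", "xml",
}

# Constructed file-write events: ISO-timestamp|pid|image|path (hypothetical format and names).
SAMPLE_EVENTS = r"""
2018-09-20T10:00:00|4120|attachment.exe|C:\Users\a\Documents\budget.xlsx
2018-09-20T10:00:01|4120|attachment.exe|C:\Users\a\Documents\plan.docx
2018-09-20T10:00:01|4120|attachment.exe|C:\Users\a\Pictures\cat.JPG
2018-09-20T10:00:02|4120|attachment.exe|C:\Users\a\Documents\notes.txt
2018-09-20T10:00:03|4120|attachment.exe|C:\Users\a\site\index.php
2018-09-20T10:00:03|4120|attachment.exe|C:\Users\a\db\crm.mdb
2018-09-20T10:00:02|2200|WINWORD.EXE|C:\Users\a\Documents\letter.docx
2018-09-20T10:00:09|2200|WINWORD.EXE|C:\Users\a\Documents\letter.docx
2018-09-20T10:00:04|3300|setup.exe|C:\Program Files\App\core.dll
"""

def flag_bulk_rewrites(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(pid, image): n} for processes that wrote at least `threshold`
    distinct files with listed extensions inside any sliding `window`."""
    per_proc = defaultdict(list)
    for line in filter(str.strip, lines):          # skip blank lines
        ts, pid, image, path = line.strip().split("|", 3)
        path = PureWindowsPath(path)
        if path.suffix.lstrip(".").lower() in VIRO_EXTENSIONS:
            per_proc[(int(pid), image)].append(
                (datetime.fromisoformat(ts), str(path).lower()))
    flagged = {}
    for proc, writes in per_proc.items():
        writes.sort()
        start = best = 0
        for end in range(len(writes)):
            # Shrink the window until it spans no more than `window` of time.
            while writes[end][0] - writes[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in writes[start:end + 1]}))
        if best >= threshold:
            flagged[proc] = best
    return flagged

if __name__ == "__main__":
    print(flag_bulk_rewrites(SAMPLE_EVENTS.splitlines()))
```

Counting distinct paths rather than raw writes keeps an editor that saves the same document repeatedly from tripping the rule.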

The ransom note will appear on the user’s screen when the encryption process commences. Then, the machine also becomes a part of the Viro botnet, sending emails with malicious attachments to other possible targets.

In the malware’s code, researchers have also found a keylogger which sends the logged keystrokes back to the C&C servers. They also found that infected targets may download more malware from the C&C servers and execute it through Windows PowerShell.

It appears that the cyber attackers have much greater ambition for Viro than just a botnet that transmits a unique strain of ransomware. The malware probably is still in development, and the PowerShell exploits could be used to completely control victims’ computers.

There’s no news yet as to whether or not paying the ransom will actually decrypt your files. Either way, never ever open an email attachment from an unfamiliar sender! Or check out Comodo Advanced Endpoint Protection, which will render even Viro harmless!

The post Viro Botnet Malware Takes Many Different Forms appeared first on Comodo News and Internet Security Information.
