
Important New CryptoLocker Ransomware Variant Spread Through Yahoo Messenger

Discussion in 'Security Updates' started by starbuck, Jan 28, 2014.

  1. starbuck (Administrator)
    A new variant of the CryptoLocker malware has been discovered that uses Yahoo Messenger as its delivery mechanism and is targeting Windows systems.
    My friends at NSHC in Singapore and Seoul have been battling with the malware that has hit a number of financial institutions throughout Asia Pacific. The variant infects systems and distributes itself out through contacts in Yahoo Messenger, with the payload disguised as an image.

    The malicious file named “YOURS.JPG.exe” requires users to download and execute the code utilizing social engineering tactics. Once this is initiated a series of steps take place and modules are dropped and downloaded to the system and files are encrypted on the system.


    Once “YOURS.JPG.exe” is executed an injector file “Omari[Rnd].exe” is put into a random directory and the original “YOURS.JPG.exe” file is then deleted via a .bat file that is also dropped and executed.

    The injector file then searches through a list of processes using the Windows ‘ToolHelp’ library to find the PID of ‘explorer.exe’. The malware then gains control of explorer.exe and copies code into memory using ‘CreateRemoteThread’.

    If certain conditions are met it will download an additional module that will initiate the encryption process on the system. The new encryption module reads in files, encrypts them and overwrites the original file.


    Full description here:

    http://www.tripwire.com/state-of-se...-cryptolocker-variant-spread-yahoo-messenger/
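As an added defender-side example (not code from the post or from the Tripwire write-up), the script below triages Sysmon Event ID 8 (CreateRemoteThread) records for the behaviour described: a dropper sitting in a random user-writable directory creating a thread inside explorer.exe, plus the image-double-extension lure name. The sample records, the trusted-directory list and the user-writable path pattern are constructed assumptions to adjust per estate.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for the explorer.exe
injection pattern.  Field names follow Sysmon's Event ID 8 schema; the records
themselves are constructed samples, not real telemetry."""
import re

# Lure names that hide an .exe behind an image extension, e.g. YOURS.JPG.exe.
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)\.exe$", re.IGNORECASE)
# Directories from which a remote thread into explorer.exe is expected on a
# normal Windows host (assumption: tune to your own baseline).
TRUSTED_SOURCE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable locations where a dropped injector would typically land (assumption).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.IGNORECASE)

def analyse(event):
    """Return the reasons this Event ID 8 record matches the injector pattern."""
    src, tgt = event["SourceImage"], event["TargetImage"]
    reasons = []
    if tgt.lower().endswith("\\explorer.exe"):
        if not src.lower().startswith(TRUSTED_SOURCE_DIRS):
            reasons.append("remote thread into explorer.exe from untrusted path")
        if USER_WRITABLE.match(src):
            reasons.append("source image lives in a user-writable directory")
    if DOUBLE_EXT.search(src):
        reasons.append("source image uses an image-extension double extension")
    return reasons

def triage(events):
    """Return (index, reasons) for every record that raised at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := analyse(ev))]

# Constructed sample records; the random directory and suffix are made up.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\b3f9\Omari8172.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x0000000003A20000"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFB1C2A0000"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\YOURS.JPG.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x0000000000401000"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['SourceImage']}")
        for reason in reasons:
            print("  -", reason)
```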