Other issues in this category (38)
Bizarre Trojans that don't scare us
Friday, October 12, 2018
Media outlets never tire of serving up all kinds of horrifying malware stories for public consumption:
According to Bleeping Computer, MalwareHunterTeam researchers discovered a dangerous encryption ransomware program named after former US President Barak Obama. The ransomware shuts down the anti-viruses installed on computers.
Once anti-virus programs are rendered non-operational, the ransomware scans the system for executable files and encrypts them all.
This behaviour is indeed bizarre. As a rule, executable files can be recovered easily. Compromising those files can only disrupt the operation of some applications or that of the operating system, nothing more.
The Trojan even modifies the contents of the Windows directory, while other ransomware species usually leave it intact.
The Trojan uses the following commands to shut down anti-viruses:
taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe
What does taskkill do? This command is used to end processes via the Windows command prompt. The /F parameter is used to forcefully terminate processes—those that freeze and do not respond. The /IM option enables one to shut down a large number of similar processes. If a process on a remote computer needs to be terminated, the /S parameter is used.
And if you need to end all the processes that have been started under a certain user account, use the /F1 parameter.
This is a Swiss Army knife for those who want to end processes they don't need. But this tool is only good for processes that aren't within the realm of Dr.Web self-protection's responsibility.
Let's put it to a test. Now we are going to start the command prompt (of course, with administrator privileges!) and try to "kill" any of our anti-virus's processes.
That's self-protection, ladies and gentlemen!
All in all, this approach can't be applied to something that’s being protected.
But here is one really curious feature:
The encryption ransomware modifies registry keys related to .exe files so that they get a new icon and launch the malware whenever a user runs any executable file in the system.
It's not actually a virus because no files get infected. However, clicking on files before the system is completely cured can be a bad idea.#Trojan.Encoder #Trojan #security
The Anti-virus Times recommends
We detect this bizarre creation as Trojan.Encoder.26282. Although it’s not the scariest Trojan out there, it nonetheless is quite capable of ruining your mood and hassling you. Therefore:
- Don't forget that ALL anti-virus protection components must remain active.
- Do not click on files indiscriminately.