Tuesday, July 24, 2012

Gimemo: Another FBI Ransomware

This one looks almost exactly like Reveton, which I have posted about before, though the behavior is a bit different. Gimemo is capable of starting in safe mode, so it makes removal just a bit trickier. The best way to remove this is always to do a system restore. If you do not have restore points, you can follow the instructions for manual removal below.

To perform the system restore method, reboot the PC and repeatedly tap the "f8" key at the top of the keyboard to get to the "Advanced Boot Options" menu. Select "Safe Mode with Command Prompt". Once it loads and gives you the command prompt, type "rstrui.exe" and follow the on-screen instructions for system restore.

If you have no restore points, or are like me and want to do things the hard way :), you can also remove it manually. To do this, get into safe mode with command prompt using the instructions above. Once there, we need to delete the exe files. Type the command "explorer.exe", which will bring up a folder window that lets you navigate the file system.

Find "%appdata%\<random.exe>" and delete it.

Run the following command:

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v "DisableTaskMgr" /t REG_DWORD /d 0

Now you can reboot into normal mode and at least be able to do something. Once booted into normal mode, you may notice that you do not see your start menu; that gets fixed next, but the point is that now we can get some work done inside the PC. So open taskmgr using the key combination [Ctrl + Shift + Esc].

Go to File > New Task (Run) and type "iexplore.exe". You now have IE open; use it to download Autoruns. Open Autoruns once it has downloaded. Delete all the values that have been marked in yellow:

Once you have done all that, you can reboot the PC and explorer will launch correctly. You will notice that you are still missing all of your icons, and all of the files on the "C:\" drive are still hidden. Here is what to do about that:

Download Dial-A-Fix. If you are on Vista/7 you can still use it by running it in compatibility mode for XP SP3. Launch DAF and go to the policies section. Remove all of the policies that it finds and restart the PC again.

That will enable your registry tools. Now open regedit, make sure you have the top node ("Computer") selected, and go to Edit > Find. Type "nodesktop" into the search box.

Delete what you find:

Open taskmgr again and end the explorer.exe process:

Still in taskmgr, go to File > New Task (Run) and type "explorer.exe", which will bring up your start menu again. Once the start menu is up, right-click on the desktop > Arrange Icons By > Show Desktop Icons. You should now see your desktop icons. At this point, a malware scanner should be run to ensure that there are no other infections on the PC. My favorite, as always, is Malwarebytes Anti-Malware. A quick scan should be good enough in this case. That's it! Ransomware removed!
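The manual steps above (the reg add for DisableTaskMgr, the registry tools that Dial-A-Fix re-enables, the regedit search for "nodesktop", the hidden files on C:\ and the dropper in %appdata%) can be checked in one pass from PowerShell once you are back in a usable session. This is an added example, not code from the original post; DisableTaskMgr, DisableRegistryTools and NoDesktop are the standard Windows policy value names, and which of them a particular Gimemo sample sets is an assumption.

```powershell
# Added example (not from the post). Audits the HKCU lockdown policies the
# write-up undoes by hand and, with -Repair, removes them. Which values a
# given Gimemo sample sets is an assumption; these are the standard names.
param([switch]$Repair)

$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$policies = @(
    @{ Key = "$policyRoot\System";   Name = 'DisableTaskMgr' },        # the 'reg add' step
    @{ Key = "$policyRoot\System";   Name = 'DisableRegistryTools' },  # what Dial-A-Fix re-enables
    @{ Key = "$policyRoot\Explorer"; Name = 'NoDesktop' }              # the regedit 'nodesktop' search
)

foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { continue }                    # value absent: default behaviour
    $value = $item.($p.Name)
    if ($value -ne 0) {
        Write-Warning "$($p.Name)=$value under $($p.Key)"
        if ($Repair) {
            # Deleting the value has the same effect as the post's '/d 0'.
            Remove-ItemProperty -Path $p.Key -Name $p.Name
            Write-Output "removed $($p.Name)"
        }
    }
}

# The dropper lives at %appdata%\<random>.exe; legitimate software rarely
# leaves a bare executable in the root of that folder.
Get-ChildItem -Path $env:APPDATA -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { Write-Warning "Executable in %APPDATA% root: $($_.FullName)" }

# Top-level items on the system drive carrying the Hidden attribute. Items
# that are also System ($Recycle.Bin, pagefile) are skipped; ProgramData is
# hidden by default, so review this list before clearing attributes by hand.
Get-ChildItem -Path "$env:SystemDrive\" -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
    } |
    ForEach-Object { Write-Warning "Hidden at drive root: $($_.FullName)" }
```

Save it as a .ps1 and run it once without -Repair to see what is set, then with -Repair from the affected user's session, since the policies live under HKCU.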

Thursday, July 5, 2012

Repairing the MBR in Vista/7

I have found that more and more often, I have to perform a repair on the MBR when removing some of the new bootkits from x64 platforms. It is a pretty straightforward process, which Microsoft has documented well. I feel that putting it all in one place will help people out, so here it is:

The first step towards repairing the MBR is to get into the "Advanced Boot Options" screen by repeatedly pressing the "f8" key on the keyboard just after powering the system on. That will take you here:

Select "Repair Your Computer", wait for everything to load, select your keyboard layout and log in. Once you log in, you will see this screen:

You want to select "Command Prompt". Now that you have command prompt open, you can start fixing the MBR. Please follow the commands below in order:

bootrec /fixboot
bootrec /fixmbr
bootrec /rebuildbcd

If all worked correctly, your screen will look like this:

If you run into an error with "bootrec /fixboot" or "bootrec /rebuildbcd" that states "element not found", it means that the OS partition is not set as active, and you need to do that before running the fixes. For this example, I will be using diskpart to fix this error and set the correct partition to the active state. Here is a list of the commands and a short breakdown of what they do:

diskpart - launches the diskpart utility
list disk - lists the hard disks that are available, you need the OS disk (usually the c:\ drive)
select disk x - once you find the disk you want to select, replace x with the correct disk number
list partition - lists the partitions that are available, you need the OS partition (usually the biggest one)
select partition x - once you find the OS partition, replace x with the correct partition number
active - sets the currently selected partition to active
exit - exit diskpart back to recovery console

Once you have the correct partition set as active, you can retry the bootrec commands and they should succeed this time. That is all there is to it!

Tuesday, July 3, 2012

FBI Ransomware

This infection is called Reveton and is classified as Ransomware. It locks the screen in normal mode and tells you to pay some money ($100 US) in the form of a MoneyPak to unlock the PC. This can be defeated very easily. First, you need to boot into safe mode so that the rogue does not launch. Next, locate the Startup folder in your start menu and look for a shortcut marked "ctfmon". This shortcut has the same icon as the real ctfmon, but its target looks like this:

%systemroot%\system32\rundll32.exe C:\users\<UserName>\AppData\Local\Temp\er_00_0_1.exe

Just delete the shortcut and the exe located in the temp folder, and that part has been taken care of. Several of these infections have had a rootkit installed on the system as well. The one I have seen most often alongside it is SST. SST has recently been updated, and TDSSKiller no longer finds it when scanning with the default parameters. You should always run TDSSKiller with the "Detect TDLFS" option checked when working on a PC that has Reveton.

Make sure that you have the option pictured above checked before running the scan. You will see a result that looks like this:

Select the "delete" option once you have found this and reboot. Run the scan again to ensure that the rootkit has been removed entirely. If it has not, repeat the above steps until it is gone.
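The Startup-folder shortcut described in the Reveton write-up above can be hunted for with a short PowerShell script, added here as an example and not part of the original post. It reads each .lnk in the per-user and all-users Startup folders through the WScript.Shell COM object and flags the pattern the post shows: rundll32.exe as the target with a bare .exe under a Temp folder as its argument. The regular expressions are an assumed heuristic for this write-up, not a detection signature.

```powershell
# Added example (not from the post). Reports every shortcut in the Startup
# folders and flags the Reveton pattern described above: a .lnk whose target
# is rundll32.exe and whose argument is a bare .exe under a Temp directory.
# The matching rules are an assumed heuristic, not a detection signature.
function Get-StartupShortcutReport {
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),                           # current user
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"   # all users (Vista/7 layout)
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            # CreateShortcut on an existing .lnk opens it for reading.
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = [string]$lnk.TargetPath
            $arguments = [string]$lnk.Arguments
            $rundll32  = $target    -match '(?i)(^|\\)rundll32\.exe$'
            $tempExe   = $arguments -match '(?i)\\temp\\[^\\\s]+\.exe'
            New-Object PSObject -Property @{
                Shortcut   = $_.FullName
                Target     = $target
                Arguments  = $arguments
                Suspicious = ($rundll32 -and $tempExe)
            }
        }
    }
}

# A shortcut flagged here is what the post says to delete, together with the
# .exe its Arguments field points at.
Get-StartupShortcutReport | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Shortcut, Target, Arguments -AutoSize
```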