New global ransomware attack hits East Europe and spreading


  1. Posts : 30,591
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #21

    lx07 said:
    Ah interesting, I missed that bit. These only work if you are running Admin account (or with Admin rights) though correct?
    Correct.


  2. Posts : 3,105
    W10 Pro + W10 Preview
       #22

    This was not ransomware....more than likely industrial espionage....why would the perpetrator leave an easily traceable calling address?
    This has already been shut down.....so financial gain was not the motive.


  3. Posts : 7,898
    Windows 11 Pro 64 bit
       #23

    AndreTen said:
    Thanks for warning Steve. One can usually trust the guys at Bleeping Computers. Will check it out. Kaspersky could react to changes in Windows dir...

    Edit: can't imagine what would trigger Kaspersky, except that it just reacts to creating files in C:\Windows..

    There are just 3 files, filled with some text (don't delete this.. is a vaccine ...) named perfc, perfc.dll and perfc.something else
    Does anyone know why that batch file inserts 3 perfc files whereas the manual fix just creates the file perfc (read only)? I've used a manual fix since Kaspersky Antivirus deletes perfc.dat created by the batch file.

    I just ran Notepad as Admin, saved the empty file as c:\windows\perfc, then made two further copies of perfc and renamed them perfc.dll and perfc.dat. Finally I set them to be read only. Kaspersky antivirus doesn't object when you do it this way.
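
The manual steps from post #23, as an added PowerShell example (not code from the thread or from the batch file it mentions): it creates the three files named in the thread in C:\Windows if they are missing, marks them read-only, and reports the state of each. The function name `Set-PerfcMarker` and its parameters are assumptions made for this example.

```powershell
# Added example; Set-PerfcMarker and its parameters are hypothetical names.
function Set-PerfcMarker {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Target directory; the thread uses C:\Windows.
        [string]$Directory = $env:windir,
        # The three file names discussed in posts #23 and #26.
        [string[]]$Name = @('perfc', 'perfc.dll', 'perfc.dat')
    )

    # Writing under C:\Windows needs an elevated session; warn early if it is not.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning "Session is not elevated; writes to $Directory may fail."
    }

    foreach ($n in $Name) {
        $path   = Join-Path $Directory $n
        $item   = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $action = 'none'

        if ($item -and $item.PSIsContainer) {
            # A directory with this name is not the file the thread describes.
            $action = 'skipped (is a directory)'
        }
        else {
            if (-not $item -and $PSCmdlet.ShouldProcess($path, 'Create empty file')) {
                $item   = New-Item -ItemType File -Path $path -ErrorAction Stop
                $action = 'created'
            }
            if ($item -and -not $item.IsReadOnly -and
                $PSCmdlet.ShouldProcess($path, 'Set read-only')) {
                $item.IsReadOnly = $true
                $action = if ($action -eq 'created') { 'created, set read-only' } else { 'set read-only' }
            }
        }

        # One result object per file, so the output can be filtered or logged.
        [pscustomobject]@{
            Path     = $path
            Exists   = [bool]$item
            ReadOnly = [bool]($item -and -not $item.PSIsContainer -and $item.IsReadOnly)
            Action   = $action
        }
    }
}

Set-PerfcMarker | Format-Table -AutoSize
```

Run it from an elevated session, as post #21 notes; `Set-PerfcMarker -WhatIf` changes nothing and only reports, which shows whether an antivirus product has since removed one of the files.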


  4. Posts : 30,591
    Windows 10 (Pro and Insider Pro)
    Thread Starter
       #24

    Steve C said:
    Does anyone know why that batch file inserts 3 perfc files whereas the manual fix just creates the file perfc (read only)? I've used the manual fix since Kaspersky Antivirus deletes perfc.dat created by the batch file.
    I have no idea... It was mentioned somewhere, that this vaccine isn't futureproof. Malware makers could easily change its behavior. Perhaps it's something in that direction...

    Once more: all major AV and antimalware suites are updated and are blocking it (including Windows Defender).


  5. Posts : 56,825
    Multi-boot Windows 10/11 - RTM, RP, Beta, and Insider
       #25

    dencal said:
    This was not ransomware....more than likely industrial espionage....why would the perpetrator leave an easily traceable calling address?
    This has already been shut down.....so financial gain was not the motive.
    Muscle flexing and diversion.....what's the real target?


  6. Posts : 5,478
    2004
       #26

    Steve C said:
    Does anyone know why that batch file inserts 3 perfc files whereas the manual fix just creates the file perfc (read only)? I've used the manual fix since Kaspersky Antivirus deletes perfc.dat created by the batch file.
    If you look at the link in the batch file twitter.com/0xAmit/status/879778335286452224 various people are arguing about whether perfc (no extension), perfc.dat or perfc.dll are required. I guess the writer of the file stuck them all in to be on the safe side.


  7. Posts : 3,105
    W10 Pro + W10 Preview
       #27

    f14tomcat said:
    Muscle flexing and diversion.....what's the real target?
    Either some curious kid in a back room seeing how clever he is.....or more worryingly a nation seeking superiority by paralysing vital industries, bringing countries to a standstill......most modern warfare is conducted using computerised technology, i.e. aeroplanes, ships, missiles, orbiting space satellites etc.....all could be rendered completely ineffective......frightening isn't it.


  8. Posts : 7,898
    Windows 11 Pro 64 bit
       #28

    lx07 said:
    If you look at the link in the batch file twitter.com/0xAmit/status/879778335286452224 various people are arguing about whether perfc (no extension), perfc.dat or perfc.dll are required. I guess the writer of the file stuck them all in to be on the safe side.
    Thanks - I just created the 3 files manually as Post 23.


  9. Posts : 91
    Windows 10
       #29

    Forgive me if this is a silly question, but how does the malware get into one's computer? Infected executable attachment, drive-by download, download via malicious link in an email..?


  10. Posts : 3,105
    W10 Pro + W10 Preview
       #30

    Smiley1 said:
    Forgive me if this is a silly question, but how does the malware get into one's computer? Infected executable attachment, drive-by download, download via malicious link in an email..?
    In this particular case it appears to have infiltrated a software update.


 
