BCM

Monday, October 24, 2005

Virus requests $20 to give your data back

Websense® Security Labs™ has received reports of a new attack that attempts to extort money from users by encoding files on their machines and then requesting payment for a decoder tool. The attack dynamics are very similar to those of the original discovery we reported on May 23, 2005: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194.

This attack appears to target only Russian speakers and was first reported on Kaspersky's research blog: http://www.viruslist.com/en/weblog.

Several vendors are calling the two pieces of malcode JuNy.A and JuNy.B.
Upon infection, the application searches the machine and any mapped drives for files of more than 100 types, selected by extension.

The malicious code modifies the following registry items:

Added to HKEY_LOCAL_MACHINE:
SOFTWARE\Classes\EventSystem.EventSystem\PrivateData
SOFTWARE\Classes\EventSystem.EventSystem\PrivateData\FXXXXBytes

Important values added:
HKEY_LOCAL_MACHINE:
SOFTWARE\Classes\EventSystem.EventSystem\PrivateData\FXXXXBytes\XXXXBytes
SOFTWARE\Classes\EventSystem.EventSystem\PrivateData\FXXXXBytes\XXXXCount
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kernel Manager

Modified values:
HKEY_LOCAL_MACHINE:
SOFTWARE\Classes\exefile\shell\open\command
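
As an added defender-side example (this is not code from the Websense alert or from this blog), the script below parses a text dump produced by `reg export` and flags the three registry indicators listed above: the `Kernel Manager` Run value, an `exefile\shell\open\command` handler that differs from the stock Windows value `"%1" %*`, and encoder state under `EventSystem.EventSystem\PrivateData`. It assumes the X's in the alert's `FXXXXBytes` / `XXXXBytes` / `XXXXCount` names stand for characters that vary, so those are matched as wildcards; the two sample exports and the payload path in them are constructed placeholders, not real indicators.

```python
import re

# Constructed sample of a `reg export` text dump (not taken from the alert);
# the payload path is a placeholder and the FABCDBytes data is made up.
INFECTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel Manager"="C:\\PLACEHOLDER\\payload.exe"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\PLACEHOLDER\\payload.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EventSystem.EventSystem\PrivateData\FABCDBytes]
"ABCDBytes"=hex:00,11,22,33
"ABCDCount"=dword:00000004
'''

# The same locations on a machine that is not infected (also constructed).
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_CMD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
PRIVATE_DATA = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EventSystem.EventSystem\PrivateData"
# Stock value of the exefile handler on Windows: run the file itself with its arguments.
EXEFILE_DEFAULT = '"%1" %*'
# Assumption: the X's in the alert's FXXXXBytes / XXXXBytes / XXXXCount names stand
# for characters that vary, so they are matched here as wildcards.
ENCODER_SUBKEY = re.compile(r"^F.*Bytes$", re.IGNORECASE)
ENCODER_VALUE = re.compile(r"^.*(Bytes|Count)$", re.IGNORECASE)

# A .reg value line: either @=data (the default value) or "name"=data.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse a .reg dump into {key path: {value name: raw data}}; '@' becomes '(Default)'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        keys[current][name] = m.group(2)
    return keys


def unquote_reg_string(data):
    """Turn a .reg string literal (quoted, with backslash escapes) into its plain value."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return re.sub(r"\\(.)", r"\1", data)


def find_juny_indicators(keys):
    """Return (category, location, raw data) for each indicator from the alert that is present."""
    findings = []
    run = keys.get(RUN_KEY, {})
    if "Kernel Manager" in run:
        findings.append(("run-key persistence", RUN_KEY + r"\Kernel Manager", run["Kernel Manager"]))
    cmd = keys.get(EXEFILE_CMD, {}).get("(Default)")
    if cmd is not None and unquote_reg_string(cmd) != EXEFILE_DEFAULT:
        findings.append(("exefile handler hijack", EXEFILE_CMD, cmd))
    for key, values in keys.items():
        parent, _, subkey = key.rpartition("\\")
        if parent.lower() != PRIVATE_DATA.lower() or not ENCODER_SUBKEY.match(subkey):
            continue
        for name, data in values.items():
            if ENCODER_VALUE.match(name):
                findings.append(("encoder state", key + "\\" + name, data))
    return findings


if __name__ == "__main__":
    for category, location, data in find_juny_indicators(parse_reg_export(INFECTED_REG_EXPORT)):
        print(f"[{category}] {location} = {data}")
```

The exefile check compares against the stock handler rather than against a known bad value, because the alert does not say what the malcode writes there; any deviation from `"%1" %*` on a host you did not customise is worth a look, since that handler runs before every .exe the user launches. Feed it `reg export HKLM\SOFTWARE\Classes hklm_classes.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" hklm_run.reg` concatenated, or point it at an export from an offline hive.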

Like the encoder previously reported, the attacker requests that end-users send money in order to receive their data back. Also, like the former attack, the requested amount is $20.

The code also displays two messages on the screen with instructions for contacting an email account in order to get the files back, and includes a list of files that it encoded.

Screenshots are shown below (note: these were taken using a US/English version of Windows). On a Russian version of Windows, the messages would appear in Russian.

Screenshots with translations included within full alert.

For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=320
