Not Kaspersky

We’ve had a number of people contacting us with queries about ‘Kaspersky Lab Antivirus Online’ after their computer showed them this message:

The short answer is: it’s certainly nothing to do with us! It’s actually the payload of a primitive piece of ransomware, Trojan-Ransom.Win32.SMSer. The Trojan installs itself to the Windows directory, and shows this message when the computer is rebooted. The message is a typical ransom demand (the original Russian contains some grammar and spelling mistakes which should act as an immediate red flag) and reads as follows:

Kaspersky Lab Antivirus Online

Attention! The Kaspersky Lab Online check shows that a malicious virus, which gradually infects all files on your computer, has been found on your system. The virus has been temporarily blocked, but its encryption algorithm changes constantly and stopping it at the moment without having this program is not possible. In order to delete the malicious virus it’s necessary to find out which encryption algorithm the virus has at the moment, in order to do this send an SMS to the short number 6008 with the text ‘#win1tt5669’ (without inverted commas). The cost of the SMS is 6 roubles. Once you have sent the sms, you will immediately be sent a key which disables the virus. Enter this key and the program will completely delete the virus from your computer.

The encryption algorithm will change in 161 seconds.
(Once this time has elapsed you are strongly recommended to delete it)

Enter the key you have received in this field:

[Button] Delete

*The program blocks all possible methods for entering Windows, and if the malicious virus is not deleted ALL files on your computer will be infected very quickly. Attention: Re-installing Windows will not change the situation as the virus writes itself to the boot sector of the hard disk.

All this is heavily reminiscent of the scare tactics behind rogue AV solutions, with the added tactic used by Russian and other virus writers of leasing short numbers to make a little illegal money. While the guys behind this Trojan are trying to seem legit by using our name, they seem to have forgotten that no reputable security company would ever stoop to using such methods.

Not everything in the message is true – for instance, sending an SMS won’t cost you 6 roubles, but 150 roubles and upwards (around $5), depending on your network. However, the Trojan does block access to Task Manager and other system tools. If you’ve got Kaspersky Anti-Virus installed, and your databases are up-to-date, you’ve got no problem – we detect all modifications of this Trojan. If you don’t use a Kaspersky Lab product, you can get our free removal utility here to fix your system.
