Thursday, March 29, 2012

GEMA - Germany (Ransom Trojan) - 03.29.2012 - Analysis and Removal

Once you are infected with GEMA, you are shown a white screen with text that reads:
"Please wait while the connection is beeing established."
and then the German translation...
Do not bother trying Safe Mode(s); they will not work. You need to boot from a CD or slave the hard drive to a working computer to remove one file and a few bad registry values.

I used Farbar's Recovery Scan Tool (FRST) for this.
 Here are the items that need fixing:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\K3aRyluP6SiCkoR Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\K3aRyluP6SiCkoR Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value was restored.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored.
C:\Documents and Settings\owner\Application Data\flint4ytw.exe moved successfully.
The tool does not fix everything that needs to be corrected, but from here you can at least open Explorer again and the "Please wait while the connection is beeing established" screen is gone.

Even though you are still somewhat limited due to no desktop icons, you will be able to launch Windows Explorer so you can launch Malwarebytes' Anti-Malware.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Even after MBAM repaired this item and I rebooted, I was still missing my desktop icons.

I simply right-mouse clicked anywhere on the desktop and selected "Show Desktop Icons".
After that, everything was back to normal :-)
Misc notes:
You will be unable to right-mouse click the desktop and receive the pop-up menu until the above policy (NoDesktop) is fixed.
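
The registry locations in the logs above can also be checked offline. This is an added example, not part of the original post or of FRST/MBAM: it assumes the infected hives were exported to .reg text from a working computer, and the sample export, value names and file names in it are constructed.

```python
import re
# Known-good HKLM Winlogon defaults (XP-era path, matching C:\Documents and Settings).
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
POLICY_FLAGS = {"disabletaskmgr", "disableregistrytools", "nodesktop"}

# Constructed sample in .reg export format; value names and file names are made up.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\owner\\Application Data\\example.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\owner\\Application Data\\example.exe"

[HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleValue"="C:\\Documents and Settings\\owner\\Application Data\\example.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
'''

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; dwords become ints."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)):
            name, s, d = m.groups()
            yield key, name, int(d, 16) if d else re.sub(r"\\(.)", r"\1", s)

def audit(text):
    """Return findings matching the autorun and lockout pattern in this post."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k.endswith(r"\winlogon") and n in WINLOGON_DEFAULTS:
            if not k.startswith("hkey_local_machine"):
                findings.append((key, name, "per-user Winlogon override"))
            elif str(data).lower() != WINLOGON_DEFAULTS[n]:
                findings.append((key, name, "non-default Winlogon value"))
        elif k.endswith(r"\currentversion\run") and re.search(r"\\application data\\[^\\]+\.exe", str(data), re.I):
            findings.append((key, name, "autorun from Application Data"))
        elif "\\policies\\" in k and n in POLICY_FLAGS and data == 1:
            findings.append((key, name, "lockout policy enabled"))
    return findings
```

Calling `audit(SAMPLE)` returns one finding per suspicious value; a clean export returns an empty list.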

Update: April 28th, 2012 || file name is changed to ram_reserver64.exe (VirusTotal) Same location as listed above.

Update: May 5th, 2012 || file name is changed to itunes_service01.exe (VirusTotal) Same location as listed above.

Update: May 5th, 2012 || file name is changed to itunes_service86.exe (MajorGeeks) Same location as listed above.

Update: May 15th, 2012 || file name is changed to BSI.bund.exe (VirusTotal . MajorGeeks) Same location as listed above.

